Xicong Shen,Ying Liu,Fu Li,Chunguang Li

DOI: https://doi.org/10.1109/jiot.2023.3288886

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) has attracted widespread attention in the Internet of Things domain recently. With FL, multiple distributed devices can cooperatively train a global model by transmitting model updates without disclosing the original data. However, the distributed nature of FL makes it vulnerable to data poisoning attacks. In practice, malicious clients can launch the label-flipping attack (LFA) by simply tampering with the labels of local data, thus causing the global model to misclassify the samples of a selected class as the target class. Although some defense mechanisms have been proposed, they rely on specific assumptions about data distribution, and their performance degrades significantly when the data on clients are non-IID. Besides, most existing methods require clients to upload model updates in plaintext so that the server can identify and remove the malicious updates. But, direct transmission of model updates may still reveal private information. Considering these issues, we develop a label-flipping-robust and privacy-preserving FL (LFR-PPFL) algorithm, which is applicable to both independent and identically distributed (IID) and non-IID data. We first propose a detection method based on temporal analysis on cosine similarity to distinguish malicious clients from benign clients. Then, we propose a privacy-preserving computation protocol based on homomorphic encryption to implement this detection method and perform federated aggregation while protecting the privacy of clients. Besides, a detailed theoretical analysis is given to demonstrate the privacy guarantee of the proposed protocol. Experimental results on real-world data sets show that the proposed algorithm can effectively defend against LFAs under various data distributions.

Yan Kang,Jiahuan Luo,Yuanqin He,Xiaojin Zhang,Lixin Fan,Qiang Yang

2024-08-05

Abstract:Federated learning (FL) has emerged as a practical solution to tackle data silo issues without compromising user privacy. One of its variants, vertical federated learning (VFL), has recently gained increasing attention as the VFL matches the enterprises' demands of leveraging more valuable features to build better machine learning models while preserving user privacy. Current works in VFL concentrate on developing a specific protection or attack mechanism for a particular VFL algorithm. In this work, we propose an evaluation framework that formulates the privacy-utility evaluation problem. We then use this framework as a guide to comprehensively evaluate a broad range of protection mechanisms against most of the state-of-the-art privacy attacks for three widely deployed VFL algorithms. These evaluations may help FL practitioners select appropriate protection mechanisms given specific requirements. Our evaluation results demonstrate that: the model inversion and most of the label inference attacks can be thwarted by existing protection mechanisms; the model completion (MC) attack is difficult to be prevented, which calls for more advanced MC-targeted protection mechanisms. Based on our evaluation results, we offer concrete advice on improving the privacy-preserving capability of VFL systems. The code is available at <a class="link-external link-https" href="https://github.com/yankang18/Attack-Defense-VFL" rel="external noopener nofollow">this https URL</a>

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Xiangrui Xu,Pengrui Liu,Yiwen Zhao,Lei Han,Wei Wang,Yongsheng Zhu,Chongzhen Zhang,Bin Wang,Jian Shen,Zhen Han

DOI: https://doi.org/10.1109/jiot.2024.3434627

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Vertical Federated Learning (VFL) shows promise for enabling collaborative learning among Internet-of-Vehicle systems (IoVs) without requiring the sharing of private training data. However, existing work has exposed VFL’s vulnerability to privacy-stealing attacks, where an honest but curious server might reconstruct a client’s raw data from client-uploaded embeddings. In this work, we first elucidate the intrinsic mechanisms of privacy attacks from an information theory perspective, which provides a solid foundation for potential defensive strategies. Based on our findings, we introduce PriVFL, a defense mechanism based on information bottleneck theory. PriVFL is designed to safeguard the privacy of VFL-based IoVs by enabling shared embeddings to extract minimal information from input data, while preserving the information essential to target labels. Specifically, PriVFL restricts the information contained in embeddings by reducing the upper bound of mutual information between the raw samples and embeddings uploaded from local clients. Meanwhile, PriVFL ensures the effectiveness of the model by increasing the mutual information lower bound between embeddings and samples’ labels. Our evaluation includes 5 benchmark datasets and 4 different models. Experimental results demonstrate that PriVFL effectively mitigates privacy attacks while preserving the model’s effectiveness. These findings underscore that PriVFL can significantly enhance the privacy of VFL-based IoVs, thereby bolstering the development of practical IoV applications.

Kaifeng Luo,Zhenfu Cao,Jiachen Shen,Xiaolei Dong

DOI: https://doi.org/10.1007/978-3-031-45933-7_20

2023-01-01

Abstract:Federated learning (FL) is a popular technique that enables multiple parties to train a machine learning model collaboratively without disclosing the raw data to each other. A vertically partitioned federated learning configuration is applicable in a variety of real-world scenarios. In this configuration, a comprehensive feature collection is established only when all parties' datasets are merged and only one party has access to the labels. Existing vertical federated learning strategies for linear models are not very practical, since they involve either a trusted third-party authority (TPA) or heavy communication overheads. To address this issue, this paper proposes SVFL, a secure vertical federated learning framework on linear models, which is based on the Verifiable Inner-Product Computation (VIP) protocol. SVFL enables the secure and private training of linear models, as well as the validation of a malicious server's computation. In addition, it decreases the number of communication rounds to 3 and is resistant to collusion attacks. Experiments are done on a variety of real-world datasets from the UCI ML repository, and the results demonstrate that SVFL achieves comparable accuracy to conventional linear models.

Yong Li,Yipeng Zhou,Alireza Jolfaei,Dongjin Yu,Gaochao Xu,Xi Zheng

DOI: https://doi.org/10.1109/jiot.2020.3022911

IF: 10.6

2021-04-15

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is a promising new technology in the field of IoT intelligence. However, exchanging model-related data in FL may leak the sensitive information of participants. To address this problem, we propose a novel privacy-preserving FL framework based on an innovative chained secure multiparty computing technique, named chain-PPFL. Our scheme mainly leverages two mechanisms: 1) single-masking mechanism that protects information exchanged between participants and 2) chained-communication mechanism that enables masked information to be transferred between participants with a serial chain frame. We conduct extensive simulation-based experiments using two public data sets (MNIST and CIFAR-100) by comparing both training accuracy and leak defence with other state-of-the-art schemes. We set two data sample distributions (IID and NonIID) and three training models (CNN, MLP, and L-BFGS) in our experiments. The experimental results demonstrate that the chain-PPFL scheme can achieve practical privacy preservation (equivalent to differential privacy with $epsilon $ approaching zero) for FL with some cost of communication and without impairing the accuracy and convergence speed of the training model.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yongkang Wang,Di-Hua Zhai,Yuanqing Xia,Danyang Liu

DOI: https://doi.org/10.1109/tii.2023.3329688

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:Robustness and attacks have become prominent concerns in federated learning (FL)-based Internet of Things (IoT). Our focus primarily lies on robustness, as existing robust algorithms are limited by the data distribution and attacker quantity. Personalized FL has emerged as a paradigm to address data heterogeneity, providing personalized local models for participating clients. In this work, we aim to produce personalized models for clients and defend against backdoor attacks on IoT applications by harnessing personalized FL. We propose PerVK , a personalized FL framework that utilizes virtual learning, personalized learning, and knowledge distillation. PerVK effectively reduces data heterogeneity and overcomes the limitations imposed by the number of malicious clients and data distributions. Empirical experiments are conducted on CIFAR-10 and GTSRB datasets, considering various attack scenarios, as well as compared the performance of PerVK with state-of-the-art baselines. The experimental results demonstrate that PerVK successfully defends against backdoor attacks and outperforms existing baselines.

Yunbo Yang,Xiang Chen,Yuhao Pan,Jiachen Shen,Zhenfu Cao,Xiaolei Dong,Xiaoguo Li,Jianfei Sun,Guomin Yang,Robert Deng

DOI: https://doi.org/10.1109/tifs.2024.3477924

IF: 7.231

2024-10-26

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) allows multiple parties, each holding a dataset, to jointly train a model without leaking any information about their own datasets. In this paper, we focus on vertical FL (VFL). In VFL, each party holds a dataset with the same sample space and different feature spaces. All parties should first agree on the training dataset in the ID alignment phase. However, existing works may leak some information about the training dataset and cause privacy leakage. To address this issue, this paper proposes OpenVFL, a vertical federated learning framework with stronger privacy-preserving. We first propose NCLPSI, a new variant of labeled PSI, in which both parties can invoke this protocol to get the encrypted training dataset without leaking any additional information. After that, both parties train the model over the encrypted training dataset. We also formally analyze the security of OpenVFL. In addition, the experimental results show that OpenVFL achieves the best trade-offs between accuracy, performance, and privacy among the most state-of-the-art works.

computer science, theory & methods,engineering, electrical & electronic

Lingjuan Lyu,Han Yu,Xingjun Ma,Chen Chen,Lichao Sun,Jun Zhao,Qiang Yang,Philip S. Yu

DOI: https://doi.org/10.1109/tnnls.2022.3216981

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:As data are increasingly being stored in different silos and societies becoming more aware of data privacy issues, the traditional centralized training of artificial intelligence (AI) models is facing efficiency and privacy challenges. Recently, federated learning (FL) has emerged as an alternative solution and continues to thrive in this new reality. Existing FL protocol designs have been shown to be vulnerable to adversaries within or outside of the system, compromising data privacy and system robustness. Besides training powerful global models, it is of paramount importance to design FL systems that have privacy guarantees and are resistant to different types of adversaries. In this article, we conduct a comprehensive survey on privacy and robustness in FL over the past five years. Through a concise introduction to the concept of FL and a unique taxonomy covering: 1) threat models; 2) privacy attacks and defenses; and 3) poisoning attacks and defenses, we provide an accessible review of this important topic. We highlight the intuitions, key techniques, and fundamental assumptions adopted by various attacks and defenses. Finally, we discuss promising future research directions toward robust and privacy-preserving FL, and their interplays with the multidisciplinary goals of FL.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Derui Zhu,Jinfu Chen,Xuebing Zhou,Weiyi Shang,Ahmed E. Hassan,Jens Grossklags

DOI: https://doi.org/10.1109/tifs.2024.3361813

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Vertical federated learning (VFL) is an increasingly popular, yet understudied, collaborative learning technique. In VFL, features and labels are distributed among different participants allowing for various innovative applications in business domains, e.g., online marketing. When deploying VFL, training data (labels and features) from each participant ought to be protected; however, very few studies have investigated the vulnerability of data protection in the VFL training stage. In this paper, we propose a posterior-difference-based data attack, VFLRecon, reconstructing labels and features to examine this problem. Our experiments show that standard VFL is highly vulnerable to serious privacy threats, with reconstruction achieving up to 92% label accuracy and 0.05 feature MSE, compared to our baseline with 55% label accuracy and 0.19 feature MSE. Even worse, this privacy risk remains during standard operations (e.g., encrypted aggregation) that appear to be safe. We also systematically analyze data leakage risks in the VFL training stage across diverse data modalities (i.e., tabular data and images), different training frameworks (i.e., with or without encryption techniques), and a wide range of training hyperparameters. To mitigate this risk, we design a novel defense mechanism, VFLDefender, dedicated to obfuscating the correlation between bottom model changes and labels (features) during training. The experimental results demonstrate that VFLDefender prevents reconstruction attacks during standard encryption operations (around 17% more effective than standard encryption operations).

computer science, theory & methods,engineering, electrical & electronic

Yuan-Ai Xie,Jiawen Kang,Dusit Niyato,Nguyen Thi Thanh Van,Nguyen Cong Luong,Zhixin Liu,Han Yu

DOI: https://doi.org/10.48550/arXiv.2110.02221

2021-10-05

Abstract:Federated Learning Networks (FLNs) have been envisaged as a promising paradigm to collaboratively train models among mobile devices without exposing their local privacy data. Due to the need for frequent model updates and communications, FLNs are vulnerable to various attacks (e.g., eavesdropping attacks, inference attacks, poisoning attacks, and backdoor attacks). Balancing privacy protection with efficient distributed model training is a key challenge for FLNs. Existing countermeasures incur high computation costs and are only designed for specific attacks on FLNs. In this paper, we bridge this gap by proposing the Covert Communication-based Federated Learning (CCFL) approach. Based on the emerging communication security technique of covert communication which hides the existence of wireless communication activities, CCFL can degrade attackers' capability of extracting useful information from the FLN training protocol, which is a fundamental step for most existing attacks, and thereby holistically enhances the privacy of FLNs. We experimentally evaluate CCFL extensively under real-world settings in which the FL latency is optimized under given security requirements. Numerical results demonstrate the significant effectiveness of the proposed approach in terms of both training efficiency and communication security.

Cryptography and Security

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Rongxing Lu,Zhe Liu,Hui Li

DOI: https://doi.org/10.1109/tifs.2022.3176191

IF: 7.231

2022-06-29

IEEE Transactions on Information Forensics and Security

Abstract:Over the past years, the increasingly severe data island problem has spawned an emerging distributed deep learning framework—federated learning, in which the global model can be constructed over multiple participants without directly sharing their raw data. Despite its promising prospect, there are still many security challenges in federated learning, such as privacy preservation and integrity verification. Furthermore, federated learning is usually performed with the assistance of a center, which is prone to cause trust worries and communicational bottlenecks. To tackle these challenges, in this paper, we propose a privacy-preserving and verifiable decentralized federated learning framework, named PVD-FL, which can achieve secure deep learning model training under a decentralized architecture. Specifically, we first design an efficient and verifiable cipher-based matrix multiplication (EVCM) algorithm to execute the most basic calculation in deep learning. Then, by employing EVCM, we design a suite of decentralized algorithms to construct the PVD-FL framework, which ensures the confidentiality of both global model and local update and the verification of every training step. Detailed security analysis shows that PVD-FL can well protect privacy against various inference attacks and guarantee training integrity. In addition, the extensive experiments on real-world datasets also demonstrate that PVD-FL can achieve lossless accuracy and practical performance.

computer science, theory & methods,engineering, electrical & electronic

Xiyao Liu,Shuo Shao,Yue Yang,Kangming Wu,Wenyuan Yang,Hui Fang

DOI: https://doi.org/10.1109/smc52423.2021.9658998

2021-01-01

Abstract:Federated learning (FL) has become an emerging distributed framework to build deep learning models with collaborative efforts from multiple participants. Consequently, copyright protection of FL deep model is urgently required because too many participants have access to the joint-trained model. Recently, Secure FL framework is developed to address data leakage issue when central node is not fully trustable. This encryption process has made existing DL model watermarking schemes impossible to embed watermark at the central node. In this paper, we propose a novel client-side Federated Learning watermarking method to tackle the model verification issue under the Secure FL framework. In specific, we design a backdoor-based watermarking scheme to allow model owners to embed their pre-designed noise patterns into the FL deep model. Thus, our method provides reliable copyright protection while ensuring the data privacy because the central node has no access to the encrypted gradient information. The experimental results have demonstrated the efficiency of our method in terms of both FL model performance and watermarking robustness.

Ruijin Wang,Jinshan Lai,Xiong Li,Donglin He,Muhammad Khurram Khan

DOI: https://doi.org/10.1016/j.jnca.2023.103768

IF: 7.574

2024-01-01

Journal of Network and Computer Applications

Abstract:Federated Learning for the Internet of Things(FL for IoT) contributes to the enhancement of security in smart cities. However, the privacy disclosure attacks within the FL for IoT framework exposes user’s local data . Although differential privacy mechanism (DP) ensures the privacy of IoT data, one crucial issue is DP affects model accuracy and reduces model reliability. Besides, DP cannot provide comprehensive privacy preservation in the IoT environment. To tackle the above problems, we propose reliable federated learning with privacy-preserving for IoT(RPIFL). Our approach comprises three key components. First, we leverage a lightweight network to hide the private data locally, then use the output to perform the next model training. Second, we propose a multi-modal fine-grained model optimization, which significantly improves the accuracy of the IoT model. Third, we implement adaptive differential privacy mechanisms tailored to dynamic privacy requirements, thereby safeguarding the confidentiality of IoT data. To empirically validate our framework, we conducted a simulation experiment on an image classification dataset. Our methodology concurrently ensures privacy protection and achieves superior accuracy compared to the baseline model with an average accuracy increase of 1.1% over the two prevailing federated privacy protection methods, coupled with an average reduction in convergence time of over 9%.

Meng Shen,Huan Wang,Bin Zhang,Liehuang Zhu,Ke Xu,Qi Li,Xiaojiang Du

DOI: https://doi.org/10.1109/jiot.2020.3028110

IF: 10.6

2021-02-15

IEEE Internet of Things Journal

Abstract:Federated learning (FL) serves as an enabling technology for intelligent edge computing, where high-quality machine learning (ML) models are collaboratively trained over large amounts of data generated by various Internet of Things devices while preserving data privacy. To further provide data confidentiality, computation auditability, and participant incentives, the blockchain framework has been incorporated into FL. However, it is an open question whether the model updates from participants in blockchain-assisted FL can disclose properties of the private data the participants are unintended to share. In this article, we propose a novel property inference attack that exploits the unintended property leakage in blockchain-assisted FL for intelligent edge computing. More specifically, we present an active attack to learn the property leakage from model updates of participants and to identify a set of participants with a certain property. We also design a dynamic participant selection strategy tailored to the setting of large-scale FL, which accelerates the selection process of target participants and improves attack accuracy. We evaluate the proposed attack through extensive experiments with publicly available data sets. The experimental results demonstrate that the proposed attack is effective and efficient in inferring various properties of training data, while maintaining the high quality of the main tasks in FL.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xi Li,Songhe Wang,Chen Wu,Hao Zhou,Jiaqi Wang

2023-11-01

Abstract:Federated learning (FL) represents a novel paradigm to machine learning, addressing critical issues related to data privacy and security, yet suffering from data insufficiency and imbalance. The emergence of foundation models (FMs) provides a promising solution to the problems with FL. For instance, FMs could serve as teacher models or good starting points for FL. However, the integration of FM in FL presents a new challenge, exposing the FL systems to potential threats. This paper investigates the robustness of FL incorporating FMs by assessing their susceptibility to backdoor attacks. Contrary to classic backdoor attacks against FL, the proposed attack (1) does not require the attacker fully involved in the FL process; (2) poses a significant risk in practical FL scenarios; (3) is able to evade existing robust FL frameworks/ FL backdoor defenses; (4) underscores the researches on the robustness of FL systems integrated with FMs. The effectiveness of the proposed attack is demonstrated by extensive experiments with various well-known models and benchmark datasets encompassing both text and image classification domains.

Distributed, Parallel, and Cluster Computing

Fangcheng Fu,Huanran Xue,Yong Cheng,Yangyu Tao,Bin Cui

DOI: https://doi.org/10.1145/3514221.3526127

2022-01-01

Abstract:Due to the rising concerns on privacy protection, how to build machine learning (ML) models over different data sources with security guarantees is gaining more popularity. Vertical federated learning (VFL) describes such a case where ML models are built upon the private data of different participated parties that own disjoint features for the same set of instances, which fits many real-world collaborative tasks. Nevertheless, we find that existing solutions for VFL either support limited kinds of input features or suffer from potential data leakage during the federated execution. To this end, this paper aims to investigate both the functionality and security of ML modes in the VFL scenario. To be specific, we introduce BlindFL, a novel framework for VFL training and inference. First, to address the functionality of VFL models, we propose the federated source layers to unite the data from different parties. Various kinds of features can be supported efficiently by the federated source layers, including dense, sparse, numerical, and categorical features. Second, we carefully analyze the security during the federated execution and formalize the privacy requirements. Based on the analysis, we devise secure and accurate algorithm protocols, and further prove the security guarantees under the ideal-real simulation paradigm. Extensive experiments show that BlindFL supports diverse datasets and models efficiently whilst achieves robust privacy guarantees.

Jirui Yang,Peng Chen,Zhihui Lu,Qiang Duan,Yubing Bao

2024-06-18

Abstract:Vertical Federated Learning (VFL) facilitates collaborative machine learning without the need for participants to share raw private data. However, recent studies have revealed privacy risks where adversaries might reconstruct sensitive features through data leakage during the learning process. Although data reconstruction methods based on gradient or model information are somewhat effective, they reveal limitations in VFL application scenarios. This is because these traditional methods heavily rely on specific model structures and/or have strict limitations on application scenarios. To address this, our study introduces the Unified InverNet Framework into VFL, which yields a novel and flexible approach (dubbed UIFV) that leverages intermediate feature data to reconstruct original data, instead of relying on gradients or model details. The intermediate feature data is the feature exchanged by different participants during the inference phase of VFL. Experiments on four datasets demonstrate that our methods significantly outperform state-of-the-art techniques in attack precision. Our work exposes severe privacy vulnerabilities within VFL systems that pose real threats to practical VFL applications and thus confirms the necessity of further enhancing privacy protection in the VFL architecture.

Machine Learning,Artificial Intelligence,Cryptography and Security

Shuo Xu,Hui Xia,Peishun Liu,Rui Zhang,Hao Chi,Wei Gao

DOI: https://doi.org/10.1016/j.future.2023.12.030

IF: 7.307

2024-01-01

Future Generation Computer Systems

Abstract:Federated learning (FL) is a critical technology for implementing time-critical computing systems in the Internet of Things (IoT). It allows for continuous updates to machine learning (ML) models across IoT devices. However, the vulnerability of ML models and the complexity of IoT pose significant threats to device data security and privacy, affecting the robustness of time-critical computing systems constructed through FL. Recent research on FL data protection has made progress, but challenges remain in balancing privacy protection with model availability. For example, cryptography-based defense schemes increase time overhead in time-critical computing systems, while differential privacy negatively impacts system performance. This paper proposes the FL properties modification scheme (FLPM) for data preprocessing to resist property inference attacks and data poisoning attacks. FLPM modifies training data properties using algorithms for property separation, selection, and control based on continuous latent variables. While this sacrifices a small amount of classification accuracy, it significantly improves data protection capabilities. Detailed experimental results demonstrate that FLPM successfully separates and controls image property vectors. In the FL classification task, the property modification data achieve a precision of 94.44%. This scheme effectively prevents property inference attacks and data poisoning attacks. FLPM can reduce the AUC score for property inference attacks from 0.94 to 0.56 and reduce the success rate of data poisoning attacks to 5.13%, 7.07%, and 4.60%.

computer science, theory & methods

Duanyi Yao,Songze Li,Xueluan Gong,Sizai Hou,Gaoning Pan

2024-12-06

Abstract:Launching effective malicious attacks in VFL presents unique challenges: 1) Firstly, given the distributed nature of clients' data features and models, each client rigorously guards its privacy and prohibits direct querying, complicating any attempts to steal data; 2) Existing malicious attacks alter the underlying VFL training task, and are hence easily detected by comparing the received gradients with the ones received in honest training. To overcome these challenges, we develop URVFL, a novel attack strategy that evades current detection mechanisms. The key idea is to integrate a discriminator with auxiliary classifier that takes a full advantage of the label information and generates malicious gradients to the victim clients: on one hand, label information helps to better characterize embeddings of samples from distinct classes, yielding an improved reconstruction performance; on the other hand, computing malicious gradients with label information better mimics the honest training, making the malicious gradients indistinguishable from the honest ones, and the attack much more stealthy. Our comprehensive experiments demonstrate that URVFL significantly outperforms existing attacks, and successfully circumvents SOTA detection methods for malicious attacks. Additional ablation studies and evaluations on defenses further underscore the robustness and effectiveness of URVFL. Our code will be available at <a class="link-external link-https" href="https://github.com/duanyiyao/URVFL" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security

Pengyu Qiu,Xuhong Zhang,Shouling Ji,Changjiang Li,Yuwen Pu,Xing Yang,Ting Wang

DOI: https://doi.org/10.1109/tdsc.2024.3358081

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Vertical Federated Learning (VFL) is an emerging paradigm that enables collaborators to build machine learning models together in a distributed fashion. However, the security of the VFL model remains underexplored, particularly regarding the Byzantine Generals Problem (BGP), which is a well-known issue in distributed systems. This paper focuses on revealing the threat of BGP in VFL systems. Specifically, we propose two attacks, the replay attack and the generation attack, to evaluate the vulnerability of VFL when there is only one malicious party. The goal of the adversary is to hijack the VFL model to give desired predictions. Moreover, considering the uneven distribution of importance among parties, we combine data poisoning with the aforementioned attacks to explore whether they can bypass the situation where the adversary has few features. The evaluation results demonstrate the effectiveness of our attacks. For instance, the adversary holding only 10 90 capability is limited and usually at the cost of performance loss of the VFL task. Our work highlights the need for advanced defenses to protect the prediction results of a VFL model and calls for more exploration of VFL&#x27;s security issues.

computer science, information systems, software engineering, hardware & architecture