[Paper] Guarding the Middle: Protecting Intermediate Representations in Federated Split Learning

Source: arXiv

Source: arXiv:2602.17614v1

Overview

Federated Split Learning (FSL) enables edge devices to collaboratively train a shared model without transmitting raw data to a central server.
The U‑shaped variant (UFSL) offloads part of the computation to the server, but it still requires clients to send intermediate (smashed) representations.

Key Findings

• These smashed representations can be reverse‑engineered, exposing private data.
• Existing UFSL implementations lack robust defenses against such reconstruction attacks.

Proposed Solution: KD‑UFSL

A privacy‑preserving enhancement that combines:

KD‑UFSL therefore hardens smashed data against reconstruction attacks while preserving model performance.

Key Contributions

• Attack demonstration: Implements a realistic data‑reconstruction attack on UFSL, quantifying how much private information leaks through smashed tensors.
• KD‑UFSL framework: Introduces a two‑step privacy pipeline:
  1. Micro‑aggregation to achieve k‑anonymity on the intermediate features.
  2. Calibrated differential‑privacy noise addition.
• Empirical evaluation: Tests on four benchmark image datasets (e.g., MNIST, CIFAR‑10) showing up to 50 % higher MSE and 40 % lower SSIM between original and reconstructed images when KD‑UFSL is applied.
• Utility preservation: Demonstrates that the global model’s accuracy drops by less than 2 % compared with vanilla UFSL, proving a practical privacy‑utility trade‑off.
• Scalability analysis: Provides runtime and communication‑overhead measurements, confirming that the added privacy steps incur modest overhead suitable for large‑scale deployments.

Methodology

1. Baseline UFSL setup

   • The client runs the first few layers of a neural network and sends the resulting activation maps (the smashed data) to the server.
   • The server completes the forward pass, computes the loss, and returns gradients to the client.

2. Reconstruction attack

   • An adversarial server treats the smashed data as a noisy observation.
   • It optimizes a decoder network to recover the original input, following the standard attacks described in split‑learning literature.

3. Privacy pipeline (KD‑UFSL)

   • Micro‑aggregation

     • Clients group their smashed vectors into clusters of size k (e.g., k = 5).
     • Each vector is replaced by its cluster centroid, guaranteeing that any single client’s representation is indistinguishable from at least k – 1 others.

   • Differential privacy

     • After aggregation, Laplace or Gaussian noise calibrated to a target privacy budget ε is added to each centroid before transmission.

4. Training loop

   • The server receives the privatized smashed data, performs the usual forward/backward pass, and updates the global model.
   • Clients simply substitute their local forward‑pass output with the privatized version, incurring negligible extra code.

Remarks

• Lightweight design – Clustering can be performed with fast k‑means‑like algorithms, and noise addition is a constant‑time operation.
• Scalability – The approach adds only minimal computational overhead on the client side, making it suitable for resource‑constrained environments.

Results & Findings

• Privacy boost: The reconstructed images become visually unrecognizable, confirming that the combined micro‑aggregation + DP pipeline substantially degrades an attacker’s ability to recover raw inputs.
• Utility cost: Model accuracy drops by < 2 % across all datasets—a trade‑off many production teams consider acceptable for the privacy gain.
• Overhead: The extra computation adds ~3 ms per client per batch and increases network payload by ~5 % (due to noise‑augmented tensors), both well within typical edge‑device constraints.

Practical Implications

• Edge‑AI services (e.g., on‑device vision, health monitoring) can adopt KD‑UFSL to comply with GDPR‑style privacy mandates without redesigning their entire training pipeline.
• Cross‑organization collaborations (banks, hospitals) that already use federated learning can now share intermediate activations safely, opening the door to richer model architectures that were previously avoided due to privacy concerns.
• Framework integration: The method can be wrapped as a plug‑in for popular FL libraries (TensorFlow Federated, PySyft), requiring only a few lines of code to enable micro‑aggregation and DP noise on the client side.
• Regulatory alignment: By providing both k‑anonymity (a well‑understood de‑identification technique) and differential privacy guarantees, KD‑UFSL offers a defensible privacy argument for auditors and compliance teams.

Limitations & Future Work

• Choice of k and ε:
  The privacy‑utility balance hinges on these hyper‑parameters, which may require dataset‑specific tuning. Automated selection strategies are not explored.

• Assumed honest‑but‑curious server:
  The threat model does not cover malicious servers that could collude with compromised clients or launch side‑channel attacks.

• Scalability to very high‑dimensional activations:
  Micro‑aggregation on extremely large feature maps could become a bottleneck. Future work could investigate dimensionality‑reduction techniques before clustering.

• Broader attack surface:
  Only reconstruction attacks are evaluated; robustness against membership‑inference or model‑inversion attacks remains an open question.

Overall, KD‑UFSL offers a pragmatic, low‑overhead path to harden federated split‑learning pipelines, making privacy‑preserving collaborative AI more attainable for real‑world deployments.

Authors

• Obaidullah Zaland
• Sajib Mistry
• Monowar Bhuyan

Paper Information