PlugVFL: Robust and IP-Protecting Vertical Federated Learning against Unexpected Quitting of Parties

We thank the reviewer for the constructive reviews!

We would like to thank the reviewer for the acknowledgement that the issues are clearly relevant in the deployment of VFL and that our method is effective. We thank the reviewer for the positive score of the paper.

We would like to address the concerns raised by the reviewer here.

W1&Q1. Our work is motivated by a realistic setting that the collaborating parties of a VFL system might quit the system due to the termination of the collaboration or network crash. Our paper is the first work to design a pluggable VFL framework that is robust to the unexpected quitting of passive parties in VFL. We establish that for existing VFL techniques, the quitting of passive parties causes two consequences: (1) a substantial performance drop; (2) intellectual property (IP) leakage through the passive party’s feature extractor. As the first paper to improve the robustness against unexpected quitting, we propose Party-wise Dropout and DIMIP to solve both two consequences, respectively. Even though they are different techniques, lacking either one of them cannot guarantee the robustness of VFL against the quitting of passive parties.

W2&Q2. Thanks for the constructive comment. Notably, sometimes the passive party quits temporarily due to the network crash without any warning. The active party still needs to provide decent services after a party quits, but finetuning the head model requires time and causes communication overhead, and the low performance before the completion of the finetuning is unacceptable. We target that the active party can continue providing high-quality services after a party quits without any shut-down period. In addition, even if finetuning is acceptable, our framework can reduce the time and communication cost of finetuning with a higher start accuracy. As suggested by the reviewer, we conduct experiments on CIFAR100, and the results show that finetuning the head model of the vanilla VFL requires more than 15 epochs to achieve an accuracy higher than 34%, while finetuning the head model of our method (p=0.1) only requires 3 epoch to achieve the same accuracy, which reduces the time cost significantly by 5 times.

W3.&Q3. When there are more parties, our drop-out method will reduce the computational cost more compared with the multi-head training. To conduct multi-head training, the active party must compute all the terms in Equation 3, and the number of the terms in Equation 3 will increase rapidly when there are more parties. For the accuracy drop, it depends on the uniqueness and importance of the data provided by the passive party. It is reasonable that if a passive party’s data is more important, then the quitting of this party will cause worse performance degradation.

We thank the reviewer for pointing it out and we will include the discussion in the final version.

W4. We will refine Figure 1 in the final version. The active party will not “actively” provide any information to the passive party, and the feature extractor held by the passive party that was trained collaboratively with the active party’s labels is the only requirement for the passive party to conduct an IP leakage attack.

Q4. It is unusual for the active party to rely more on the passive party than itself (I.e., by setting $p>0.5$). When $p$ is larger than 0.5, the accuracy before the passive party quits will converge to the accuracy of the Standalone accuracy of the passive party (i.e., p=1). However, we do not think it is a common case to set $p$ larger than 0.5.

We answer the reviewer’s questions here:

Q1. Thanks for the constructive suggestion. To prove the generalization of our defense to different label types, we derive a theoretical robustness guarantee for our defense:

Theorem 1. Let $g_{\psi}$ parameterize $q_{\psi}$ in Eq. 5. Suppose the passive party optimizes an auxiliary model $f^m(y|h^2)$ to estimate $p(y|h^2)$. For any $f^m$, we have:

$\frac{1}{N}\sum\limits_{i=1}^N \log f^m(y_i|H^2_i) < \frac{1}{N}\sum\limits_{i=1}^N \log p(y_i) + \epsilon,$

where

$\epsilon = {I_{vCLUB} {g_\psi}}(h^2;y) + KL(p(y|h^2)||g_\psi(y|h^2)).$

Notably, this theorem does not set any constraints or assumptions on the type of label. Specifically, if the task of collaborative inference is classification, we have the following results:

$\frac{1}{N}\sum\limits_{i=1}^N\text{CE}\left[f^m(H^2_i), y_i\right] > CE_{random} - \epsilon,$

where CE denotes the cross-entropy loss, $\text{CE}_{random}$ is the cross-entropy loss of random guessing.

Such a theorem can prove the effectiveness of our defense under all types of labels.

Q2. p=0 serves as a baseline reference, which is equivalent to vanilla VFL. In our final implementation and results shown in Figure 6, p is set as 0.5. As written in Eq. 3, when party 2 quits, we use zero vectors as the features from party 2.

[1] Yang Liu, Yan Kang, Xinwei Zhang, Liping Li, Yong Cheng, Tianjian Chen, Mingyi Hong, and Qiang Yang. A communication efficient collaborative learning framework for distributed features. arXiv preprint arXiv:1912.11187, 2019.

[2] Yang Liu, Tao Fan, Tianjian Chen, Qian Xu, and Qiang Yang. Fate: An industrial grade platform for collaborative learning with data protection. The Journal of Machine Learning Research, 22(1):10320–10325, 2021.

[3] Zou, Tianyuan, Yang Liu, Yan Kang, Wenhan Liu, Yuanqin He, Zhihao Yi, Qiang Yang, and Ya-Qin Zhang. "Defending batch-level label inference and replacement attacks in vertical federated learning." IEEE Transactions on Big Data (2022).

[4] I-Cheng Yeh and Che-hui Lien. The comparisons of data mining techniques for the predictive accuracy of probability of default of credit card clients. Expert systems with applications, 36(2):2473–2480, 2009. 7

We thank the reviewer for the benevolent reviews!

We appreciate the reviewer thinks PlugVFL has strong contributions with good performance and the acknowledgement that we are the first to study the problem.

We will answer the reviewer’s questions and concerns here one by one.

We summarize the reviewer’s concerns into three major points.

1. Experiments are limited to two-party experiments on CIFAR datasets.

Notably, different from HFL, VFL does not have many parties. We follow previous works [1,2,3] to conduct experiments in the two-party scenario, which is widely used in the VFL community.

We appreciate the reviewer’s suggestion about the datasets. We conduct experiments on the UCI_credit_card dataset [4] for the prediction of the default of credit card clients. We follow FATE [2] to assign ten attributes to one party and the rest to the other party. Due to the limited time, we currently can only report the results of the accuracy preservation against unexpected quitting, which are shown below:

It is shown that our framework is also effective in preserving the accuracy against the unexpected quitting on categorical datasets. We will include more results of this dataset in the revision.

2. The accuracy is low compared to the standard CIFAR classification.

Since in the VFL setting, each party only holds a portion of the data. Consequently, the accuracy is the result with only half of the CIFAR image on each party. This also follows the convention of previous works[1,2,3].

3. Fine-tuning the head model as baselines.

Notably, the passive party sometimes quits temporarily due to the network crash without warning. The active party still needs to provide decent services after a party quits, but finetuning the head model requires time and causes communication overhead, and the low performance before the completion of the finetuning is unacceptable. We target that the active party can continue providing high-quality services after a party quits without any shut-down period. In addition, even if finetuning is acceptable, our framework can reduce the time and communication cost of finetuning with a higher start accuracy. We conduct experiments on CIFAR100, and the results show that finetuning the head model of the vanilla VFL requires more than 15 epochs to achieve an accuracy higher than 34% while finetuning the head model of our method (p=0.5) only requires 1 epoch to achieve the same accuracy, which reduces the cost significantly.

Dear reviewer,

The Rebuttal/Discussion phase will end today. Could you please read our rebuttal and provide any feedback? We have made a lot of effort to derive the theoretical and empirical results during the rebuttal. Thanks a lot!

Regards,

Authors

Q1. We thank the reviewer for the constructive suggestions on further baselines, Notably, it is not always feasible for the active party to collect the passive parties’ features and calculate the mean vectors due to privacy concern. However, we still conduct experiments to illustrate the accuracy of using the mean vectors on CIFAR10 and CIFAR100. The results are shown below:

Cifar10:

Accuracy before quitting: 74.62% Accuracy after quitting using zero vectors: 53.04% Accuracy after quitting using mean vectors: 52.19%

Cifar100:

Accuracy before quitting: 44.95% Accuracy after quitting using zero vectors: 26.65% Accuracy after quitting using mean vectors: 25.33%

It is shown that using the mean vectors does not improve the accuracy after quitting, and the accuracy is even lower. We analyze that the reason is the mean vectors contain information of the passive party, but such information does not correspond to the test samples and might confuse the classifier on the active party.

Q2. We appreciate the reviewer’s suggestion about the datasets. We conduct experiments on the UCI_credit_card dataset [4] for the prediction of the default of credit card clients. We follow FATE [2] to assign ten attributes to one party and the rest to the other party. Due to the limited time, we currently can only report the results of the accuracy preservation against unexpected quitting, which are shown below:

It is shown that our framework is also effective in preserving the accuracy against the unexpected quitting on categorical datasets. We will include more results of this dataset in the revision.

[1] Yang Liu, Yan Kang, Xinwei Zhang, Liping Li, Yong Cheng, Tianjian Chen, Mingyi Hong, and Qiang Yang. A communication efficient collaborative learning framework for distributed features. arXiv preprint arXiv:1912.11187, 2019.

[2] Yang Liu, Tao Fan, Tianjian Chen, Qian Xu, and Qiang Yang. Fate: An industrial grade platform for collaborative learning with data protection. The Journal of Machine Learning Research, 22(1):10320–10325, 2021.

[3] Zou, Tianyuan, Yang Liu, Yan Kang, Wenhan Liu, Yuanqin He, Zhihao Yi, Qiang Yang, and Ya-Qin Zhang. "Defending batch-level label inference and replacement attacks in vertical federated learning." IEEE Transactions on Big Data (2022).

[4] I-Cheng Yeh and Che-hui Lien. The comparisons of data mining techniques for the predictive accuracy of probability of default of credit card clients. Expert systems with applications, 36(2):2473–2480, 2009. 7

We thank the reviewer for the accessible reviews!

First, we would like to thank the reviewer for the acknowledgement on the significance of the problem we study in VFL and agrees that we successfully and efficiently tackles the problem. Besides, we are encouraged that the reviewer found our paper is well-organized and easy to read.

We would like to address the concerns raised by the reviewer here. We summarize and group the reviewer’s concerns into the following three perspectives:

Scenarios the problem is defined in Concerns W1, W3, W4, W7 can be broadly grouped in this perspective.

Our work is motivated by a realistic setting that the collaborating parties of a VFL system might quit the system due to the termination of the collaboration or network crash. Our paper is the first work to design a pluggable VFL framework that is robust to the unexpected quitting of passive parties in VFL. We establish that for existing VFL techniques, the quitting of passive parties causes two consequences: (1) a substantial performance drop; (2) intellectual property (IP) leakage through the passive party’s feature extractor. As the first paper to improve the robustness against unexpected quitting, we propose Party-wise Dropout and DIMIP to solve both two consequences, respectively. Even though they are different techniques, lacking either one of them cannot guarantee the robustness of VFL against the quitting of passive parties.

Specific response for W1. The AMC attack is employed by the passive party who quits from the collaboration at the inference stage to infer the label of the samples in the inference phase. AMC is very suitable for the passive party to acquire the label information with the feature extractor obtained from the collaboration in the deployment phase.

Specific response for W4. In the VFL scenario, usually it is a collaboration between two big companies, where one of the companies (referred to as the active party) spends money, labor and their own techniques to annotate the data to acquire the label information. Hence, the label information represents the intellectual property of the active party. Unsupervised learning is applicable when the data have enough information infer the label. However, in VFL settings, the data of one party do not contain enough information to train a well performed feature extractor independently, which is also the motivation of VFL. Thus, the feature extractor trained in VFL will contain the label information, which is the important IP of the active party.

Specific response for W3 and W7. We are proposing methods with minimal costs. The multi-head training will introduce extra computational overhead, as discussed in section 5.1 second last paragraph. And training a backup model from scratch will introduce extra costs. For reference purposes, to train a GPT-3 requires $450,000 in 2022, not to mention in VFL scenarios the communication costs are also tremendous.

We will rephrase our statements accordingly.

Multi-party scenarios Concerns W2, W5 can be broadly grouped in this perspective.

Notably, different from HFL, VFL does not have many parties. We follow previous works [1,2,3] to conduct experiments in the two-party scenario, which is widely used in the VFL community.

Specific response for W5. In the implementation, we adopt a mask that randomly mask the features from passive parties, and we do not need to compute all the terms in Equation 3 for each iteration. Hence the computational overhead remains the same for different number of passive parties. The loss function in Equation 3 represents the expectation of the loss function we actually computes.

W6. A small p leads to good joint performance while a large p leads to good robustness against unexpected quit. The selection should depend on the trade-off between joint performance and the trustworthiness of the collaborator. Our focus is to provide the companies in the VFL system a feasible solution to improve the robustness against the unexpected quitting. Estimating the p value for each party will be very interesting in real life, and it is not always about the technics. Sometimes it might also be related to the risk and cost control. For example, if a passive party will pay higher Liquidated Damages for the quitting, we should set a higher $p$ for this passive party, since they can pay more compensation for the loss of service degradation. Even though this is out of the scope of this paper, we will include this discussion in our revised paper.

We thank the reviewer for the time devoted to the review.

Firstly, we would like to thank the reviewer for the acknowledgement of the meaningfulness of the problem we are studying. It is encouraging! However, we politely disagree with the reviewer’s comments that our experiments are not well designed, and we answer the reviewer's questions one by one.

Q1. Figure 3 plots the relationship between test acc before party 2 quits and after party 2 quits. As stated in the title of section 5.1, these two figures are measuring the accuracy drops (also known as the performance preservation ability). Stated in the second sentence in section 5.1, lines demonstrate the trends of the trade-off between accuracy before and accuracy after the quit with different level of defense. The best trade-off is achieved at the top-right corner.

Meanwhile, Figures 4 and 5 measure the defense ability against label leakage, as stated in the title of section 5.2. In the first sentence of section 5.2, we specify the changes in the hyper parameter p=0, while all other hyperparameter remains the same and detailed in the Hyperparameter configurations. paragraph in section 5. As stated in the second sentence in section 5.2, Figures 4 and 5 measure the trade-off between attack accuracy and test accuracy under different level defense. The Evaluation metrics. paragraph specifies our definition of the evaluation metrics.

Figure 6 is results for the joint performance under the best trade-off we observed from previous sections, as stated in section 5.3, the third sentence.

Q2. When training independently, the active party achieves slightly higher accuracy compared with the accuracy of VFL after quitting. However, independent training does not allow the active party to utilize the passive party’s data and suffers from low accuracy before the passive party quits, which degrades the accuracy from 5% to 10%. Notably, it is also usually impractical and impossible to train independently. The company that deploys the system cannot afford the cost to shut down the service and retrain the model. The above discussion can found in last two paragraphs in section 5.1.