defense 2025

HealSplit: Towards Self-Healing through Adversarial Distillation in Split Federated Learning

Yuhan Xie , Chen Lyu

0 citations · arXiv

Published on arXiv: 2511.11240

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

HealSplit outperforms ten state-of-the-art defenses across four benchmark datasets under diverse poisoning attack scenarios including multi-vector attacks and non-IID data distributions.

HealSplit

Novel technique introduced


Split Federated Learning (SFL) is an emerging paradigm for privacy-preserving distributed learning. However, it remains vulnerable to sophisticated data poisoning attacks targeting local features, labels, smashed data, and model weights. Existing defenses, primarily adapted from traditional Federated Learning (FL), are less effective under SFL because the server has only limited access to complete model updates. This paper presents HealSplit, the first unified defense framework tailored for SFL, offering end-to-end detection and recovery against five sophisticated types of poisoning attacks. HealSplit comprises three key components: (1) a topology-aware detection module that constructs graphs over smashed data to identify poisoned samples via topological anomaly scoring (TAS); (2) a generative recovery pipeline that synthesizes semantically consistent substitutes for detected anomalies, validated by a consistency validation student; and (3) an adversarial multi-teacher distillation framework that trains the student using semantic supervision from a Vanilla Teacher and anomaly-aware signals from an Anomaly-Influence Debiasing (AD) Teacher, guided by the alignment between topological and gradient-based interaction matrices. Extensive experiments on four benchmark datasets demonstrate that HealSplit consistently outperforms ten state-of-the-art defenses, achieving superior robustness and defense effectiveness across diverse attack scenarios.


Key Contributions

  • Topology-aware detection module using Personalized PageRank on KNN graphs over smashed data to compute Topological Anomaly Scores (TAS) for identifying poisoned samples
  • GAN-based generative recovery pipeline that synthesizes semantically consistent substitutes for detected poisoned smashed data, validated by a consistency student model
  • Adversarial multi-teacher distillation framework combining a Vanilla Teacher (clean semantics) and an Anomaly-Influence Debiasing (AD) Teacher (gradient-topological interaction) with momentum-adaptive balancing

🛡️ Threat Analysis

Data Poisoning Attack

HealSplit directly defends against data poisoning attacks in SFL targeting local features, labels, smashed data, and model weights — classic data poisoning defense with Byzantine-robustness analogues (Krum, Trimmed Mean, FLTrust are baselines), aimed at preventing degradation of global model performance through corrupted training data/updates.


Details

Domains: vision, federated-learning
Model Types: cnn, federated, gan
Threat Tags: training_time, grey_box
Datasets: CIFAR-10, CIFAR-100, ImageNet
Applications: split federated learning, distributed learning, image classification