defense 2025

PRIVEE: Privacy-Preserving Vertical Federated Learning Against Feature Inference Attacks

Sindhuja Madabushi 1, Ahmad Faraz Khan 1, Haider Ali 1, Ananthram Swami 2, Rui Ning 3, Hongyi Wu 4, Jin-Hee Cho 1

1 Virginia Tech

2 US DEVCOM Army Research Laboratory

3 Old Dominion University

4 University of Arizona

0 citations · 43 references · arXiv
α

Published on arXiv

2512.12840

Model Inversion Attack

OWASP ML Top 10 — ML03

Key Finding

PRIVEE achieves a threefold improvement in privacy protection against advanced feature inference attacks while preserving full predictive performance compared to state-of-the-art defenses.

PRIVEE

Novel technique introduced

Vertical Federated Learning (VFL) enables collaborative model training across organizations that share common user samples but hold disjoint feature spaces. Despite its potential, VFL is susceptible to feature inference attacks, in which adversarial parties exploit shared confidence scores (i.e., prediction probabilities) during inference to reconstruct private input features of other participants. To counter this threat, we propose PRIVEE (PRIvacy-preserving Vertical fEderated lEarning), a novel defense mechanism named after the French word privée, meaning "private." PRIVEE obfuscates confidence scores while preserving critical properties such as relative ranking and inter-score distances. Rather than exposing raw scores, PRIVEE shares only the transformed representations, mitigating the risk of reconstruction attacks without degrading model prediction accuracy. Extensive experiments show that PRIVEE achieves a threefold improvement in privacy protection compared to state-of-the-art defenses, while preserving full predictive performance against advanced feature inference attacks.

Key Contributions

  • PRIVEE defense mechanism that obfuscates VFL confidence scores while preserving relative ranking and inter-score distances, preventing feature reconstruction without degrading predictive performance
  • Threefold improvement in privacy protection against feature inference attacks compared to state-of-the-art VFL defenses
  • Addresses inference-time attacks specifically, which are not mitigated by training-time defenses such as differential privacy

🛡️ Threat Analysis

Model Inversion Attack

Feature inference attacks in VFL are data reconstruction attacks: the adversary exploits shared confidence scores (model outputs) at inference time to reconstruct private input features belonging to other VFL participants. PRIVEE defends against this by transforming confidence scores to prevent reconstruction while preserving utility — this is the core ML03 threat of recovering private data from model outputs.

Details

Domains
federated-learningtabular
Model Types
federated
Threat Tags
inference_timeblack_box
Applications
vertical federated learningcollaborative ml in bankingcollaborative ml in healthcare
Read PDF arXiv DOI

Similar Papers

defense

Perfectly-Private Analog Secure Aggregation in Federated Learning

2025 0 cit.
Model Inversion Attack
58%
defense

Federated Learning: An approach with Hybrid Homomorphic Encryption

2025 0 cit.
Model Inversion Attack
58%
defense

FedMPDD: Communication-Efficient Federated Learning with Privacy Preservation Attributes via Projected Directional Derivative

2025 0 cit.
Model Inversion Attack
54%
defense

Harnessing Sparsification in Federated Learning: A Secure, Efficient, and Differentially Private Realization

2025 2 cit.
Model Inversion Attack
54%
defense

Information-Theoretic Decentralized Secure Aggregation with Collusion Resilience

2025 0 cit.
Model Inversion Attack
54%
benchmark

An Investigation of Memorization Risk in Healthcare Foundation Models

2025 1 cit.
Model Inversion Attack
54%
defense

When Secure Aggregation Falls Short: Achieving Long-Term Privacy in Asynchronous Federated Learning for LEO Satellite Networks

2025 0 cit.
Model Inversion Attack
54%
defense

DictPFL: Efficient and Private Federated Learning on Encrypted Gradients

2025 1 cit.
Model Inversion Attack
54%