defense 2026

SecureSplit: Mitigating Backdoor Attacks in Split Learning

Zhihao Dou 1, Dongfei Cui 2, Weida Wang 3, Anjun Gao 4, Yueyang Quan 5, Mengyao Ma 6, Viet Vo 7, Guangdong Bai 6, Zhuqing Liu 8,5, Minghong Fang 4

1 Case Western Reserve University

2 Northeast Electric Power University

3 Fudan University

4 University of Louisville

5 University of North Texas

6 The University of Queensland

7 Swinburne University of Technology

8 City University of Hong Kong

0 citations · 46 references · arXiv
α

Published on arXiv

2601.14054

Model Poisoning

OWASP ML Top 10 — ML10

Key Finding

SecureSplit effectively mitigates backdoor attacks across four datasets and five attack scenarios, outperforming seven alternative defenses under challenging conditions.

SecureSplit

Novel technique introduced

Split Learning (SL) offers a framework for collaborative model training that respects data privacy by allowing participants to share the same dataset while maintaining distinct feature sets. However, SL is susceptible to backdoor attacks, in which malicious clients subtly alter their embeddings to insert hidden triggers that compromise the final trained model. To address this vulnerability, we introduce SecureSplit, a defense mechanism tailored to SL. SecureSplit applies a dimensionality transformation strategy to accentuate subtle differences between benign and poisoned embeddings, facilitating their separation. With this enhanced distinction, we develop an adaptive filtering approach that uses a majority-based voting scheme to remove contaminated embeddings while preserving clean ones. Rigorous experiments across four datasets (CIFAR-10, MNIST, CINIC-10, and ImageNette), five backdoor attack scenarios, and seven alternative defenses confirm the effectiveness of SecureSplit under various challenging conditions.

Key Contributions

  • Dimensionality transformation strategy that amplifies subtle differences between benign and backdoor-poisoned embeddings in Split Learning
  • Adaptive filtering mechanism using a majority-based voting scheme to selectively remove contaminated embeddings while preserving clean ones
  • Empirical evaluation across 4 datasets, 5 backdoor attack scenarios, and comparison against 7 alternative defenses

🛡️ Threat Analysis

Model Poisoning

SecureSplit directly defends against backdoor/trojan attacks in Split Learning, where malicious clients alter intermediate embeddings to embed hidden triggers that cause targeted misbehavior in the final trained model.

Details

Domains
visionfederated-learning
Model Types
cnn
Threat Tags
training_timetargetedgrey_box
Datasets
CIFAR-10MNISTCINIC-10ImageNette
Applications
collaborative model trainingsplit learning
Read PDF arXiv DOI

Similar Papers

defense

MARS: A Malignity-Aware Backdoor Defense in Federated Learning

2025 5 cit.
Model Poisoning
92%
defense

ZORRO: Zero-Knowledge Robustness and Privacy for Split Learning (Full Version)

2025 0 cit.
Model Poisoning
86%
defense

Coward: Collision-based Watermark for Proactive Federated Backdoor Detection

2025 0 cit.
Model Poisoning
85%
defense

On Hyperparameters and Backdoor-Resistance in Horizontal Federated Learning

2025 0 cit.
Model Poisoning
85%
defense

FAROS: Robust Federated Learning with Adaptive Scaling against Backdoor Attacks

2026 0 cit.
Model Poisoning
85%
attack

Mingling with the Good to Backdoor Federated Learning

2025 0 cit.
Model Poisoning
79%
attack

On the Out-of-Distribution Backdoor Attack for Federated Learning

2025 0 cit.
Model Poisoning
79%
defense

SafeSplit: A Novel Defense Against Client-Side Backdoor Attacks in Split Learning (Full Version)

2025 0 cit.
Model Poisoning
79%