VMask: Tunable Label Privacy Protection for Vertical Federated Learning via Layer Masking Article Swipe
Though vertical federated learning (VFL) is generally considered to be privacy-preserving, recent studies have shown that VFL system is vulnerable to label inference attacks originating from various attack surfaces. Among these attacks, the model completion (MC) attack is currently the most powerful one. Existing defense methods against it either sacrifice model accuracy or incur impractical computational overhead. In this paper, we propose VMask, a novel label privacy protection framework designed to defend against MC attack from the perspective of layer masking. Our key insight is to disrupt the strong correlation between input data and intermediate outputs by applying the secret sharing (SS) technique to mask layer parameters in the attacker's model. We devise a strategy for selecting critical layers to mask, reducing the overhead that would arise from naively applying SS to the entire model. Moreover, VMask is the first framework to offer a tunable privacy budget to defenders, allowing for flexible control over the levels of label privacy according to actual requirements. We built a VFL system, implemented VMask on it, and extensively evaluated it using five model architectures and 13 datasets with different modalities, comparing it to 12 other defense methods. The results demonstrate that VMask achieves the best privacy-utility trade-off, successfully thwarting the MC attack (reducing the label inference accuracy to a random guessing level) while preserving model performance (e.g., in Transformer-based model, the averaged drop of VFL model accuracy is only 0.09%). VMask's runtime is up to 60,846 times faster than cryptography-based methods, and it only marginally exceeds that of standard VFL by 1.8 times in a large Transformer-based model, which is generally acceptable.
Related Topics
Concepts
No concepts available.
Metadata
- Type
- article
- Language
- en
- Landing Page
- http://arxiv.org/abs/2507.14629
- https://arxiv.org/pdf/2507.14629
- OA Status
- green
- OpenAlex ID
- https://openalex.org/W4416838703
All OpenAlex metadata
Raw OpenAlex JSON
- OpenAlex ID
-
https://openalex.org/W4416838703Canonical identifier for this work in OpenAlex
- Title
-
VMask: Tunable Label Privacy Protection for Vertical Federated Learning via Layer MaskingWork title
- Type
-
articleOpenAlex work type
- Language
-
enPrimary language
- Publication year
-
2025Year of publication
- Publication date
-
2025-07-19Full publication date if available
- Authors
-
Lan Zhang, Ran Peng, Bo LiList of authors in order
- Landing page
-
https://arxiv.org/abs/2507.14629Publisher landing page
- PDF URL
-
https://arxiv.org/pdf/2507.14629Direct link to full text PDF
- Open access
-
YesWhether a free full text is available
- OA status
-
greenOpen access status per OpenAlex
- OA URL
-
https://arxiv.org/pdf/2507.14629Direct OA link when available
- Cited by
-
0Total citation count in OpenAlex
Full payload
| id | https://openalex.org/W4416838703 |
|---|---|
| doi | |
| ids.openalex | https://openalex.org/W4416838703 |
| fwci | |
| type | article |
| title | VMask: Tunable Label Privacy Protection for Vertical Federated Learning via Layer Masking |
| biblio.issue | |
| biblio.volume | |
| biblio.last_page | |
| biblio.first_page | |
| is_xpac | False |
| apc_list | |
| apc_paid | |
| language | en |
| locations[0].id | pmh:oai:arXiv.org:2507.14629 |
| locations[0].is_oa | True |
| locations[0].source.id | https://openalex.org/S4306400194 |
| locations[0].source.issn | |
| locations[0].source.type | repository |
| locations[0].source.is_oa | True |
| locations[0].source.issn_l | |
| locations[0].source.is_core | False |
| locations[0].source.is_in_doaj | False |
| locations[0].source.display_name | arXiv (Cornell University) |
| locations[0].source.host_organization | https://openalex.org/I205783295 |
| locations[0].source.host_organization_name | Cornell University |
| locations[0].source.host_organization_lineage | https://openalex.org/I205783295 |
| locations[0].license | |
| locations[0].pdf_url | https://arxiv.org/pdf/2507.14629 |
| locations[0].version | submittedVersion |
| locations[0].raw_type | text |
| locations[0].license_id | |
| locations[0].is_accepted | False |
| locations[0].is_published | False |
| locations[0].raw_source_name | |
| locations[0].landing_page_url | http://arxiv.org/abs/2507.14629 |
| indexed_in | arxiv |
| authorships[0].author.id | https://openalex.org/A5100322310 |
| authorships[0].author.orcid | https://orcid.org/0000-0002-7718-6128 |
| authorships[0].author.display_name | Lan Zhang |
| authorships[0].author_position | middle |
| authorships[0].raw_author_name | Zhang, Lan |
| authorships[0].is_corresponding | False |
| authorships[1].author.id | https://openalex.org/A5049217796 |
| authorships[1].author.orcid | https://orcid.org/0000-0002-0184-0103 |
| authorships[1].author.display_name | Ran Peng |
| authorships[1].author_position | middle |
| authorships[1].raw_author_name | Ran, Peng |
| authorships[1].is_corresponding | False |
| authorships[2].author.id | https://openalex.org/A5015400531 |
| authorships[2].author.orcid | https://orcid.org/0000-0002-7294-6888 |
| authorships[2].author.display_name | Bo Li |
| authorships[2].author_position | middle |
| authorships[2].raw_author_name | Li, Bo |
| authorships[2].is_corresponding | False |
| has_content.pdf | False |
| has_content.grobid_xml | False |
| is_paratext | False |
| open_access.is_oa | True |
| open_access.oa_url | https://arxiv.org/pdf/2507.14629 |
| open_access.oa_status | green |
| open_access.any_repository_has_fulltext | False |
| created_date | 2025-10-10T00:00:00 |
| display_name | VMask: Tunable Label Privacy Protection for Vertical Federated Learning via Layer Masking |
| has_fulltext | False |
| is_retracted | False |
| updated_date | 2025-12-01T05:03:55.458094 |
| primary_topic | |
| cited_by_count | 0 |
| locations_count | 1 |
| best_oa_location.id | pmh:oai:arXiv.org:2507.14629 |
| best_oa_location.is_oa | True |
| best_oa_location.source.id | https://openalex.org/S4306400194 |
| best_oa_location.source.issn | |
| best_oa_location.source.type | repository |
| best_oa_location.source.is_oa | True |
| best_oa_location.source.issn_l | |
| best_oa_location.source.is_core | False |
| best_oa_location.source.is_in_doaj | False |
| best_oa_location.source.display_name | arXiv (Cornell University) |
| best_oa_location.source.host_organization | https://openalex.org/I205783295 |
| best_oa_location.source.host_organization_name | Cornell University |
| best_oa_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| best_oa_location.license | |
| best_oa_location.pdf_url | https://arxiv.org/pdf/2507.14629 |
| best_oa_location.version | submittedVersion |
| best_oa_location.raw_type | text |
| best_oa_location.license_id | |
| best_oa_location.is_accepted | False |
| best_oa_location.is_published | False |
| best_oa_location.raw_source_name | |
| best_oa_location.landing_page_url | http://arxiv.org/abs/2507.14629 |
| primary_location.id | pmh:oai:arXiv.org:2507.14629 |
| primary_location.is_oa | True |
| primary_location.source.id | https://openalex.org/S4306400194 |
| primary_location.source.issn | |
| primary_location.source.type | repository |
| primary_location.source.is_oa | True |
| primary_location.source.issn_l | |
| primary_location.source.is_core | False |
| primary_location.source.is_in_doaj | False |
| primary_location.source.display_name | arXiv (Cornell University) |
| primary_location.source.host_organization | https://openalex.org/I205783295 |
| primary_location.source.host_organization_name | Cornell University |
| primary_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| primary_location.license | |
| primary_location.pdf_url | https://arxiv.org/pdf/2507.14629 |
| primary_location.version | submittedVersion |
| primary_location.raw_type | text |
| primary_location.license_id | |
| primary_location.is_accepted | False |
| primary_location.is_published | False |
| primary_location.raw_source_name | |
| primary_location.landing_page_url | http://arxiv.org/abs/2507.14629 |
| publication_date | 2025-07-19 |
| publication_year | 2025 |
| referenced_works_count | 0 |
| abstract_inverted_index.a | 63, 113, 143, 165, 214, 260 |
| abstract_inverted_index.12 | 189 |
| abstract_inverted_index.13 | 181 |
| abstract_inverted_index.In | 57 |
| abstract_inverted_index.MC | 73, 206 |
| abstract_inverted_index.SS | 130 |
| abstract_inverted_index.We | 111, 163 |
| abstract_inverted_index.be | 9 |
| abstract_inverted_index.by | 96, 256 |
| abstract_inverted_index.in | 107, 223, 259 |
| abstract_inverted_index.is | 5, 18, 37, 84, 137, 233, 238, 265 |
| abstract_inverted_index.it | 47, 175, 187, 248 |
| abstract_inverted_index.of | 78, 156, 229, 253 |
| abstract_inverted_index.on | 170 |
| abstract_inverted_index.or | 52 |
| abstract_inverted_index.to | 8, 20, 70, 85, 103, 119, 131, 141, 147, 160, 188, 213, 240 |
| abstract_inverted_index.up | 239 |
| abstract_inverted_index.we | 60 |
| abstract_inverted_index.1.8 | 257 |
| abstract_inverted_index.Our | 81 |
| abstract_inverted_index.The | 193 |
| abstract_inverted_index.VFL | 16, 166, 230, 255 |
| abstract_inverted_index.and | 93, 172, 180, 247 |
| abstract_inverted_index.for | 115, 150 |
| abstract_inverted_index.it, | 171 |
| abstract_inverted_index.key | 82 |
| abstract_inverted_index.the | 32, 39, 76, 87, 98, 108, 122, 132, 138, 154, 199, 205, 209, 226 |
| abstract_inverted_index.(MC) | 35 |
| abstract_inverted_index.(SS) | 101 |
| abstract_inverted_index.best | 200 |
| abstract_inverted_index.data | 92 |
| abstract_inverted_index.drop | 228 |
| abstract_inverted_index.five | 177 |
| abstract_inverted_index.from | 25, 75, 127 |
| abstract_inverted_index.have | 13 |
| abstract_inverted_index.mask | 104 |
| abstract_inverted_index.most | 40 |
| abstract_inverted_index.one. | 42 |
| abstract_inverted_index.only | 234, 249 |
| abstract_inverted_index.over | 153 |
| abstract_inverted_index.than | 244 |
| abstract_inverted_index.that | 15, 124, 196, 252 |
| abstract_inverted_index.this | 58 |
| abstract_inverted_index.with | 183 |
| abstract_inverted_index.(VFL) | 4 |
| abstract_inverted_index.Among | 29 |
| abstract_inverted_index.VMask | 136, 169, 197 |
| abstract_inverted_index.arise | 126 |
| abstract_inverted_index.built | 164 |
| abstract_inverted_index.first | 139 |
| abstract_inverted_index.incur | 53 |
| abstract_inverted_index.input | 91 |
| abstract_inverted_index.label | 21, 65, 157, 210 |
| abstract_inverted_index.large | 261 |
| abstract_inverted_index.layer | 79, 105 |
| abstract_inverted_index.mask, | 120 |
| abstract_inverted_index.model | 33, 50, 178, 220, 231 |
| abstract_inverted_index.novel | 64 |
| abstract_inverted_index.offer | 142 |
| abstract_inverted_index.other | 190 |
| abstract_inverted_index.shown | 14 |
| abstract_inverted_index.these | 30 |
| abstract_inverted_index.times | 242, 258 |
| abstract_inverted_index.using | 176 |
| abstract_inverted_index.which | 264 |
| abstract_inverted_index.while | 218 |
| abstract_inverted_index.would | 125 |
| abstract_inverted_index.(e.g., | 222 |
| abstract_inverted_index.60,846 | 241 |
| abstract_inverted_index.Though | 0 |
| abstract_inverted_index.VMask, | 62 |
| abstract_inverted_index.actual | 161 |
| abstract_inverted_index.attack | 27, 36, 74, 207 |
| abstract_inverted_index.budget | 146 |
| abstract_inverted_index.defend | 71 |
| abstract_inverted_index.devise | 112 |
| abstract_inverted_index.either | 48 |
| abstract_inverted_index.entire | 133 |
| abstract_inverted_index.faster | 243 |
| abstract_inverted_index.layers | 118 |
| abstract_inverted_index.level) | 217 |
| abstract_inverted_index.levels | 155 |
| abstract_inverted_index.model, | 225, 263 |
| abstract_inverted_index.model. | 110, 134 |
| abstract_inverted_index.paper, | 59 |
| abstract_inverted_index.random | 215 |
| abstract_inverted_index.recent | 11 |
| abstract_inverted_index.secret | 99 |
| abstract_inverted_index.strong | 88 |
| abstract_inverted_index.system | 17 |
| abstract_inverted_index.0.09%). | 235 |
| abstract_inverted_index.VMask's | 236 |
| abstract_inverted_index.against | 46, 72 |
| abstract_inverted_index.attacks | 23 |
| abstract_inverted_index.between | 90 |
| abstract_inverted_index.control | 152 |
| abstract_inverted_index.defense | 44, 191 |
| abstract_inverted_index.disrupt | 86 |
| abstract_inverted_index.exceeds | 251 |
| abstract_inverted_index.insight | 83 |
| abstract_inverted_index.methods | 45 |
| abstract_inverted_index.naively | 128 |
| abstract_inverted_index.outputs | 95 |
| abstract_inverted_index.privacy | 66, 145, 158 |
| abstract_inverted_index.propose | 61 |
| abstract_inverted_index.results | 194 |
| abstract_inverted_index.runtime | 237 |
| abstract_inverted_index.sharing | 100 |
| abstract_inverted_index.studies | 12 |
| abstract_inverted_index.system, | 167 |
| abstract_inverted_index.tunable | 144 |
| abstract_inverted_index.various | 26 |
| abstract_inverted_index.Existing | 43 |
| abstract_inverted_index.accuracy | 51, 212, 232 |
| abstract_inverted_index.achieves | 198 |
| abstract_inverted_index.allowing | 149 |
| abstract_inverted_index.applying | 97, 129 |
| abstract_inverted_index.attacks, | 31 |
| abstract_inverted_index.averaged | 227 |
| abstract_inverted_index.critical | 117 |
| abstract_inverted_index.datasets | 182 |
| abstract_inverted_index.designed | 69 |
| abstract_inverted_index.flexible | 151 |
| abstract_inverted_index.guessing | 216 |
| abstract_inverted_index.learning | 3 |
| abstract_inverted_index.masking. | 80 |
| abstract_inverted_index.methods, | 246 |
| abstract_inverted_index.methods. | 192 |
| abstract_inverted_index.overhead | 123 |
| abstract_inverted_index.powerful | 41 |
| abstract_inverted_index.reducing | 121 |
| abstract_inverted_index.standard | 254 |
| abstract_inverted_index.strategy | 114 |
| abstract_inverted_index.vertical | 1 |
| abstract_inverted_index.(reducing | 208 |
| abstract_inverted_index.Moreover, | 135 |
| abstract_inverted_index.according | 159 |
| abstract_inverted_index.comparing | 186 |
| abstract_inverted_index.currently | 38 |
| abstract_inverted_index.different | 184 |
| abstract_inverted_index.evaluated | 174 |
| abstract_inverted_index.federated | 2 |
| abstract_inverted_index.framework | 68, 140 |
| abstract_inverted_index.generally | 6, 266 |
| abstract_inverted_index.inference | 22, 211 |
| abstract_inverted_index.overhead. | 56 |
| abstract_inverted_index.sacrifice | 49 |
| abstract_inverted_index.selecting | 116 |
| abstract_inverted_index.surfaces. | 28 |
| abstract_inverted_index.technique | 102 |
| abstract_inverted_index.thwarting | 204 |
| abstract_inverted_index.attacker's | 109 |
| abstract_inverted_index.completion | 34 |
| abstract_inverted_index.considered | 7 |
| abstract_inverted_index.defenders, | 148 |
| abstract_inverted_index.marginally | 250 |
| abstract_inverted_index.parameters | 106 |
| abstract_inverted_index.preserving | 219 |
| abstract_inverted_index.protection | 67 |
| abstract_inverted_index.trade-off, | 202 |
| abstract_inverted_index.vulnerable | 19 |
| abstract_inverted_index.acceptable. | 267 |
| abstract_inverted_index.correlation | 89 |
| abstract_inverted_index.demonstrate | 195 |
| abstract_inverted_index.extensively | 173 |
| abstract_inverted_index.implemented | 168 |
| abstract_inverted_index.impractical | 54 |
| abstract_inverted_index.modalities, | 185 |
| abstract_inverted_index.originating | 24 |
| abstract_inverted_index.performance | 221 |
| abstract_inverted_index.perspective | 77 |
| abstract_inverted_index.intermediate | 94 |
| abstract_inverted_index.successfully | 203 |
| abstract_inverted_index.architectures | 179 |
| abstract_inverted_index.computational | 55 |
| abstract_inverted_index.requirements. | 162 |
| abstract_inverted_index.privacy-utility | 201 |
| abstract_inverted_index.Transformer-based | 224, 262 |
| abstract_inverted_index.cryptography-based | 245 |
| abstract_inverted_index.privacy-preserving, | 10 |
| cited_by_percentile_year | |
| countries_distinct_count | 0 |
| institutions_distinct_count | 3 |
| citation_normalized_percentile |