This work addresses the vulnerability of vertically partitioned learning to malicious clients that inject stealthy backdoor triggers by poisoning intermediate embeddings—a threat to which existing defenses are ill-equipped, particularly under adaptive attacks. To counter this, the paper introduces, for the first time in this setting, a server-side two-stage defense framework grounded in class-conditional prototype consistency. The approach first constructs robust class prototypes and uses them to transform embeddings into a consistency-aligned space; it then applies a distribution-agnostic conformal filtering mechanism to detect and remove anomalous embeddings. Extensive experiments on CIFAR-10, SVHN, and Bank Marketing datasets demonstrate that the proposed method significantly outperforms current defenses across diverse attack scenarios, achieving state-of-the-art robustness.

Vertical split learning (SL) enables collaborative model training across parties holding complementary features without sharing raw data, but recent work has shown that it is highly vulnerable to poisoning-based backdoor attacks operating on intermediate embeddings. By compromising malicious clients, adversaries can inject stealthy triggers that manipulate the server-side model while remaining difficult to detect, and existing defenses provide limited robustness against adaptive attacks. In this paper, we propose ProtoGuard-SL, a server-side defense that improves the robustness of split learning by exploiting class-conditional representation consistency in the embedding space. Our approach is motivated by the observation that benign embeddings within the same class exhibit stable semantic alignment, whereas poisoned embeddings inevitably disrupt this structure. ProtoGuard-SL adopts a two-stage framework that constructs robust class prototypes and transforms embeddings into a prototype-consistency representation, followed by a class-conditional, distribution-free conformal filtering strategy to identify and remove anomalous embeddings. Extensive experiments are conducted on three datasets, CIFAR-10, SVHN, and Bank Marketing, under three different attack settings demonstrate that our method achieves state-of-the-art performance.