Passive Inference Attacks on Split Learning via Adversarial Regularization

📅 2023-10-16
🏛️ Network and Distributed System Security Symposium
📈 Citations: 7
✨ Influential: 0
🤖 AI Summary
This work addresses the challenge of passive inference attacks against Split Learning (SL) under an honest-but-curious server, specifically targeting U-shaped SL architectures. We propose SDAR, a novel framework that enables joint inference of both private client features and labels for the first time in such settings. SDAR leverages auxiliary data-driven modeling and adversarial regularization to construct a decodable private-model simulator, facilitating deep feature inversion and label prediction. Evaluated on CIFAR-10 with deep split at layer 7, SDAR achieves a private feature reconstruction MSE < 0.025 and label inference accuracy > 98%, matching the performance of active attacks and substantially outperforming existing passive methods. By breaking the capability ceiling of passive inference, SDAR establishes a new paradigm for rigorous privacy risk assessment in SL systems.
📝 Abstract
Split Learning (SL) has emerged as a practical and efficient alternative to traditional federated learning. While previous attempts to attack SL have often relied on overly strong assumptions or targeted easily exploitable models, we seek to develop more capable attacks. We introduce SDAR, a novel attack framework against SL with an honest-but-curious server. SDAR leverages auxiliary data and adversarial regularization to learn a decodable simulator of the client's private model, which can effectively infer the client's private features under the vanilla SL, and both features and labels under the U-shaped SL. We perform extensive experiments in both configurations to validate the effectiveness of our proposed attacks. Notably, in challenging scenarios where existing passive attacks struggle to reconstruct the client's private data effectively, SDAR consistently achieves significantly superior attack performance, even comparable to active attacks. On CIFAR-10, at the deep split level of 7, SDAR achieves private feature reconstruction with less than 0.025 mean squared error in both the vanilla and the U-shaped SL, and attains a label inference accuracy of over 98% in the U-shaped setting, while existing attacks fail to produce non-trivial results.
Problem

Research questions and friction points this paper is trying to address.

Develop stronger passive attacks on Split Learning
Infer private features and labels via adversarial regularization
Achieve high accuracy in challenging reconstruction scenarios
Innovation

Methods, ideas, or system contributions that make the work stand out.

SDAR uses adversarial regularization for attacks
SDAR simulates client's private model effectively
SDAR achieves high inference accuracy