Xicong Shen,Ying Liu,Fu Li,Chunguang Li

DOI: https://doi.org/10.1109/jiot.2023.3288886

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) has attracted widespread attention in the Internet of Things domain recently. With FL, multiple distributed devices can cooperatively train a global model by transmitting model updates without disclosing the original data. However, the distributed nature of FL makes it vulnerable to data poisoning attacks. In practice, malicious clients can launch the label-flipping attack (LFA) by simply tampering with the labels of local data, thus causing the global model to misclassify the samples of a selected class as the target class. Although some defense mechanisms have been proposed, they rely on specific assumptions about data distribution, and their performance degrades significantly when the data on clients are non-IID. Besides, most existing methods require clients to upload model updates in plaintext so that the server can identify and remove the malicious updates. But, direct transmission of model updates may still reveal private information. Considering these issues, we develop a label-flipping-robust and privacy-preserving FL (LFR-PPFL) algorithm, which is applicable to both independent and identically distributed (IID) and non-IID data. We first propose a detection method based on temporal analysis on cosine similarity to distinguish malicious clients from benign clients. Then, we propose a privacy-preserving computation protocol based on homomorphic encryption to implement this detection method and perform federated aggregation while protecting the privacy of clients. Besides, a detailed theoretical analysis is given to demonstrate the privacy guarantee of the proposed protocol. Experimental results on real-world data sets show that the proposed algorithm can effectively defend against LFAs under various data distributions.

Xicong Shen,Ying Liu,Zhaoyang Zhang

DOI: https://doi.org/10.1109/jiot.2022.3189361

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL), which enables multiple distributed devices (clients) to collaboratively train a global model without transmitting their private data, has attracted much attention in the Internet of Things (IoT) domain. Compared with centralized learning, FL has obvious privacy advantages because it can protect the clients’ raw data from direct access by adversaries. Furthermore, to prevent the adversaries from inferring private information from the transmitted parameters, several FL algorithms based on differential privacy (DP) have been proposed, where the clients add artificial noise to their local parameters for privacy protection. Nevertheless, the added noise would disrupt the learning process and degrade the performance of the trained model. Considering this, in this article, we develop a performance-enhanced DP-based FL (PEDPFL) algorithm, where a classifier-perturbation regularization method is proposed to improve the robustness of the trained model against DP-injected noise. We derive the theoretical privacy and convergence analysis of the proposed algorithm, and also demonstrate the influence of some hyperparameters on the convergence performance. Simulation results on real-world data sets show that the proposed algorithm has better classification performance than the existing DP-based FL algorithms at the same level of privacy protection, and thus, it is more applicable to IoT applications.

Yong Li,Gaochao Xu,Xutao Meng,Wei Du,Xianglin Ren

DOI: https://doi.org/10.3390/e26050353

IF: 2.738

2024-04-24

Entropy

Abstract:In the realm of federated learning (FL), the exchange of model data may inadvertently expose sensitive information of participants, leading to significant privacy concerns. Existing FL privacy-preserving techniques, such as differential privacy (DP) and secure multi-party computing (SMC), though offering viable solutions, face practical challenges including reduced performance and complex implementations. To overcome these hurdles, we propose a novel and pragmatic approach to privacy preservation in FL by employing localized federated updates (LF3PFL) aimed at enhancing the protection of participant data. Furthermore, this research refines the approach by incorporating cross-entropy optimization, carefully fine-tuning measurement, and improving information loss during the model training phase to enhance both model efficacy and data confidentiality. Our approach is theoretically supported and empirically validated through extensive simulations on three public datasets: CIFAR-10, Shakespeare, and MNIST. We evaluate its effectiveness by comparing training accuracy and privacy protection against state-of-the-art techniques. Our experiments, which involve five distinct local models (Simple-CNN, ModerateCNN, Lenet, VGG9, and Resnet18), provide a comprehensive assessment across a variety of scenarios. The results clearly demonstrate that LF3PFL not only maintains competitive training accuracies but also significantly improves privacy preservation, surpassing existing methods in practical applications. This balance between privacy and performance underscores the potential of localized federated updates as a key component in future FL privacy strategies, offering a scalable and effective solution to one of the most pressing challenges in FL.

physics, multidisciplinary

Qiang Yang,Anbu Huang,Lixin Fan,Chee Seng Chan,Jian Han Lim,Kam Woh Ng,Ding Sheng Ong,Bowen Li

DOI: https://doi.org/10.1007/s11633-022-1343-2

2023-01-11

Machine Intelligence Research

Abstract:In the past decades, artificial intelligence (AI) has achieved unprecedented success, where statistical models become the central entity in AI. However, the centralized training and inference paradigm for building and using these models is facing more and more privacy and legal challenges. To bridge the gap between data privacy and the need for data fusion, an emerging AI paradigm federated learning (FL) has emerged as an approach for solving data silos and data privacy problems. Based on secure distributed AI, federated learning emphasizes data security throughout the lifecycle, which includes the following steps: data preprocessing, training, evaluation, and deployments. FL keeps data security by using methods, such as secure multi-party computation (MPC), differential privacy, and hardware solutions, to build and use distributed multiple-party machine-learning systems and statistical models over different data sources. Besides data privacy concerns, we argue that the concept of "model" matters, when developing and deploying federated models, they are easy to expose to various kinds of risks including plagiarism, illegal copy, and misuse. To address these issues, we introduce FedIPR, a novel ownership verification scheme, by embedding watermarks into FL models to verify the ownership of FL models and protect model intellectual property rights (IPR or IP-right for short). While security is at the core of FL, there are still many articles referred to distributed machine learning with no security guarantee as "federated learning", which are not satisfied with the FL definition supposed to be. To this end, in this paper, we reiterate the concept of federated learning and propose secure federated learning (SFL), where the ultimate goal is to build trustworthy and safe AI with strong privacy-preserving and IP-right-preserving. We provide a comprehensive overview of existing works, including threats, attacks, and defenses in each phase of SFL from the lifecycle perspective.

Zhibo Wang,Yuting Huang,Mengkai Song,Libing Wu,Feng Xue,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2022.3196646

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Federated learning (FL) has emerged as an ideal privacy-preserving learning technique which can train a global model in a collaborative way while preserving the private data in the local. However, recent advances have demonstrated that FL is still vulnerable to inference attacks, such as reconstruction attack and membership inference. Among these attacks, the property inference attack, aiming to infer properties of the training data that are irrelevant with the learning objective, has not received too much attention while resulting in severe privacy leakage. Existing property inference attack approaches either cannot achieve satisfactory performance when the global model has converged or under dynamic FL where participants can drop in and drop out freely. In this paper, we propose a novel poisoning-assisted property inference attack (PAPI-attack) against FL. The key insight is that there exists underlying discriminative ability in the periodic model updates, which reflects the change of the data distribution, especially the occurrence of the sensitive property. Thus, a binary attack model can be constructed by a malicious participant for inferring the unintended information. More importantly, we present a property-specific poisoning mechanism by modifying the label of training data from the adversary to distort the decision boundary of shared (global) model in FL. Consequently, benign participants are induced to disclose more information about the sensitive property. Extensive experiments on real-world datasets demonstrate that PAPI-attack outperforms the state-of-the-art property inference attacks against FL.

Yong Li,Yipeng Zhou,Alireza Jolfaei,Dongjin Yu,Gaochao Xu,Xi Zheng

DOI: https://doi.org/10.1109/jiot.2020.3022911

IF: 10.6

2021-04-15

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is a promising new technology in the field of IoT intelligence. However, exchanging model-related data in FL may leak the sensitive information of participants. To address this problem, we propose a novel privacy-preserving FL framework based on an innovative chained secure multiparty computing technique, named chain-PPFL. Our scheme mainly leverages two mechanisms: 1) single-masking mechanism that protects information exchanged between participants and 2) chained-communication mechanism that enables masked information to be transferred between participants with a serial chain frame. We conduct extensive simulation-based experiments using two public data sets (MNIST and CIFAR-100) by comparing both training accuracy and leak defence with other state-of-the-art schemes. We set two data sample distributions (IID and NonIID) and three training models (CNN, MLP, and L-BFGS) in our experiments. The experimental results demonstrate that the chain-PPFL scheme can achieve practical privacy preservation (equivalent to differential privacy with $epsilon $ approaching zero) for FL with some cost of communication and without impairing the accuracy and convergence speed of the training model.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ruijin Wang,Jinshan Lai,Xiong Li,Donglin He,Muhammad Khurram Khan

DOI: https://doi.org/10.1016/j.jnca.2023.103768

IF: 7.574

2024-01-01

Journal of Network and Computer Applications

Abstract:Federated Learning for the Internet of Things(FL for IoT) contributes to the enhancement of security in smart cities. However, the privacy disclosure attacks within the FL for IoT framework exposes user’s local data . Although differential privacy mechanism (DP) ensures the privacy of IoT data, one crucial issue is DP affects model accuracy and reduces model reliability. Besides, DP cannot provide comprehensive privacy preservation in the IoT environment. To tackle the above problems, we propose reliable federated learning with privacy-preserving for IoT(RPIFL). Our approach comprises three key components. First, we leverage a lightweight network to hide the private data locally, then use the output to perform the next model training. Second, we propose a multi-modal fine-grained model optimization, which significantly improves the accuracy of the IoT model. Third, we implement adaptive differential privacy mechanisms tailored to dynamic privacy requirements, thereby safeguarding the confidentiality of IoT data. To empirically validate our framework, we conducted a simulation experiment on an image classification dataset. Our methodology concurrently ensures privacy protection and achieves superior accuracy compared to the baseline model with an average accuracy increase of 1.1% over the two prevailing federated privacy protection methods, coupled with an average reduction in convergence time of over 9%.

Ruiguang Yang,Xiaodong Shen,Chang Xu,Liehuang Zhu,Kashif Sharif

DOI: https://doi.org/10.1109/cyberc62439.2024.00037

2024-01-01

Abstract:Personalized Federated Learning (PFL) tackles the challenges of FL on heterogeneous data and provides customized solutions to each client. However, like commonly employed FL settings, PFL is still vulnerable to attacks on privacy and model availability. Existing PFL frameworks focus on either privacy protection or attack defense instead of simultaneously implementing both functionalities. To address this challenge, we design and implement a novel Privacy-preserving and Robust Personalized Federated Learning framework, PR-PFL, which can simultaneously protect data privacy and defend against model availability attacks. Specifically, PR-PFL adopts Mean Regularized Multi-Task Learning (MR-MTL) as the base training paradigm. Clients perform per-sample DP to protect data privacy, and the central server executes a robust aggregation algorithm to filter out potential attackers. After collective training, clients tune their models locally to eliminate malicious injections further. To the best of our knowledge, this is the first PFL framework that protects both clients’ privacy and model availability. The method combining robust aggregation and local tuning we have designed can effectively defend against 5 kinds of attacks. We conduct an extensive empirical evaluation demonstrating that our framework is practical and achieves reasonable robustness under an honest majority setting (attackers <50%).

Jingxue Chen,Hang Yan,Zhiyuan Liu,Min Zhang,Hu Xiong,Shui Yu

DOI: https://doi.org/10.1145/3679013

IF: 16.6

2024-07-22

ACM Computing Surveys

Abstract:Nowadays, with the development of artificial intelligence (AI), privacy issues attract wide attention from society and individuals. It is desirable to make the data available but invisible, i.e., to realize data analysis and calculation without disclosing the data to unauthorized entities. Federated learning (FL) has emerged as a promising privacy-preserving computation method for AI. However, new privacy issues have arisen in FL-based application because various inference attacks can still infer relevant information about the raw data from local models or gradients. This will directly lead to the privacy disclosure. Therefore, it is critical to resist these attacks to achieve complete privacy-preserving computation. In light of the overwhelming variety and a multitude of privacy-preserving computation protocols, we survey these protocols from a series of perspectives to supply better comprehension for researchers and scholars. Concretely, the classification of attacks is discussed including four kinds of inference attacks as well as malicious server and poisoning attack. Besides, this paper systematically captures the state of the art of privacy-preserving computation protocols by analyzing the design rationale, reproducing the experiment of classic schemes, and evaluating all discussed protocols in terms of efficiency and security properties. Finally, this survey identifies a number of interesting future directions.

computer science, theory & methods

Yufeng Wang,Jianhua Ma,Xu Zhang,Qun Jin

DOI: https://doi.org/10.1002/cpe.7429

2022-11-01

Abstract:As a distributed learning framework, Federated Learning (FL) allows different local learners/participants to collaboratively train a joint model without exposing their own localdata,andoffersafeasiblesolutiontolegallyresolvedataislands.However,among them, the data privacy and model security are two challenges. The former means that, if original data are used for trained FL models, various methods can be used to deduce the original data samples, thereby causing the leakage of data. The latter implies that unreliable/malicious participants may affect or destroy the joint FL model, through uploading wrong local model parameters. Therefore, this paper proposes a novel distributed FL training framework, namely LDP-Fed + , which takes into account differential privacy protection and model security defense. Specifically, firstly, a local perturbationmoduleisaddedatthelocallearnerside,whichperturbstheoriginaldata of local learners through feature extraction, binary encoding and decoding, and random response. Then, through using the perturbed data, local neural network model is trained to obtain the network parameters that meet local differential protection, to effectively deal with model inversion attacks. Secondly, a security defense module is added on the server side, which uses the auxiliary model and differential index mechanismtoselectanappropriatenumberoflocaldisturbanceparametersforaggre-gationtoenhancemodelsecuritydefenseanddealwithmembershipinferenceattacks. The experimental results show that, compared with other federated learning models based on differential privacy, LDP-Fed + has stronger robustness for model security and higher accuracy for model training while ensuring strict privacy protection.

Computer Science

Kang Wei,Jun Li,Ming Ding,Chuan Ma,Hang Su,Bo Zhang,H. Vincent Poor

2020-01-01

Abstract:As a means of decentralized machine learning, federated learning (FL) has recently drawn considerable attentions. One of the prominent advantages of FL is its capability of preventing clients' data from being directly exposed to external adversaries. Nevertheless, via a viewpoint of information theory, it is still possible for an attacker to steal private information from eavesdropping upon the shared models uploaded by FL clients. In order to address this problem, we develop a novel privacy preserving FL framework based on the concept of differential privacy (DP). To be specific, we first borrow the concept of local DP and introduce a client-level DP (CDP) by adding artificial noises to the shared models before uploading them to servers. Then, we prove that our proposed CDP algorithm can satisfy the DP guarantee with adjustable privacy protection levels by varying the variances of the artificial noises. More importantly, we derive a theoretical convergence upper-bound of the CDP algorithm. Our derived upper-bound reveals that there exists an optimal number of communication rounds to achieve the best convergence performance in terms of loss function values for a given privacy protection level. Furthermore, to obtain this optimal number of communication rounds, which cannot be derived in a closed-form expression, we propose a communication rounds discounting (CRD) method. Compared with the heuristic searching method, our proposed CRD can achieve a much better trade-off between the computational complexity of searching for the optimal number and the convergence performance. Extensive experiments indicate that our CDP algorithm with an optimization on the number of communication rounds using the proposed CRD can effectively improve both the FL training efficiency and FL model quality for a given privacy protection level.

Jingwei Sun,Ang Li,Binghui Wang,Huanrui Yang,Hai Li,Yiran Chen

DOI: https://doi.org/10.48550/arXiv.2012.06043

2020-12-09

Abstract:Federated learning (FL) is a popular distributed learning framework that can reduce privacy risks by not explicitly sharing private data. However, recent works demonstrated that sharing model updates makes FL vulnerable to inference attacks. In this work, we show our key observation that the data representation leakage from gradients is the essential cause of privacy leakage in FL. We also provide an analysis of this observation to explain how the data presentation is leaked. Based on this observation, we propose a defense against model inversion attack in FL. The key idea of our defense is learning to perturb data representation such that the quality of the reconstructed data is severely degraded, while FL performance is maintained. In addition, we derive certified robustness guarantee to FL and convergence guarantee to FedAvg, after applying our defense. To evaluate our defense, we conduct experiments on MNIST and CIFAR10 for defending against the DLG attack and GS attack. Without sacrificing accuracy, the results demonstrate that our proposed defense can increase the mean squared error between the reconstructed data and the raw data by as much as more than 160X for both DLG attack and GS attack, compared with baseline defense methods. The privacy of the FL system is significantly improved.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition

Jiahui Hu,Zhibo Wang,Yongsheng Shen,Bohan Lin,Peng Sun,Xiaoyi Pang,Jian Liu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2023.3317870

2024-01-01

Abstract:Federated learning (FL) requires frequent uploading and updating of model parameters, which is naturally vulnerable to gradient leakage attacks (GLAs) that reconstruct private training data through gradients. Although some works incorporate differential privacy (DP) into FL to mitigate such privacy issues, their performance is not satisfactory since they did not notice that GLA incurs heterogeneous risks of privacy leakage (RoPL) with respect to gradients from different communication rounds and clients. In this paper, we propose an Adaptive Privacy-Preserving Federated Learning (Adp-PPFL) framework to achieve satisfactory privacy protection against GLA, while ensuring good performance in terms of model accuracy and convergence speed. Specifically, a leakage risk-aware privacy decomposition mechanism is proposed to provide adaptive privacy protection to different communication rounds and clients by dynamically allocating the privacy budget according to the quantified RoPL. In particular, we exploratively design a round-level and a client-level RoPL quantification method to measure the possible risks of GLA breaking privacy from gradients in different communication rounds and clients respectively, which only employ the limited information in general FL settings. Furthermore, to improve the FL model training performance (i.e., convergence speed and global model accuracy), we propose an adaptive privacy-preserving local training mechanism that dynamically clips the gradients and decays the noises added to the clipped gradients during the local training process. Extensive experiments show that our framework outperforms the existing differentially private FL schemes on model accuracy, convergence, and attack resistance.

Xinyu Feng,Qingni Shen,Cong Li,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1109/icassp48485.2024.10446283

2024-01-01

Abstract:Federated learning (FL) allows different participants to collaborate on model training without transmitting raw data, thereby protecting user data privacy. However, FL faces a series of security and privacy issues (e.g. the leakage of raw data from publicly shared parameters). Several privacy protection technologies, such as homomorphic encryption, differential privacy and functional encryption, are introduced for privacy enhancement in FL. Among them, the FL frameworks based on functional encryption better balance security and performance, thus receiving increasing attention. The previous FL frameworks based on functional encryption suffer from several security issues, including attacks by combining multiple rounds of ciphertexts and keys, and leakage of global parameters to the central server. To tackle these issues, we propose a novel multi-input functional proxy re-encryption (MI-FPRE) scheme and further design a new FL framework with better privacy based on MI-FPRE. Our framework allows a semi-trusted central server to aggregate the parameters without knowing the intermediate parameters and the result of aggregation, thus achieves better privacy in FL training. The experimental results indicate that our framework achieves less communication overhead and higher computational efficiency without losing accuracy.

Qingdi Han,Siqi Lu,Wenhao Wang,Haipeng Qu,Jingsheng Li,Yang Gao

DOI: https://doi.org/10.1002/cpe.8084

2024-03-20

Concurrency and Computation Practice and Experience

Abstract:Summary Federated learning (FL) has emerged as a promising solution to address the challenges posed by data silos and the need for global data fusion. It offers a distributed machine learning framework with privacy‐preserving features, allowing model training without the need to collect user data. However, FL also presents significant security and privacy threats that hinder its widespread adoption. The requirements of privacy and security in FL are inherently conflicting. Privacy necessitates the concealment of individual client updates, while security requires the disclosure of client updates to detect anomalies. While most existing research focused on the privacy and security aspects of FL, very few studies have addressed the compatibility of these two demands. In this work, we aim to bridge this gap by proposing a comprehensive defense scheme that ensures privacy, security, and compatibility in FL. We categorize the existing literature into two key directions: privacy defense and security defense. Privacy defense includes methods based on additive masks, differential privacy, homomorphic encryption, and trusted execution environment, whereas security defense encompasses distance‐, performance‐, clustering‐, and similarity‐based anomaly detection techniques and statistical information‐based anomaly update bypassing techniques when the server is trusted and privacy‐compatible anomaly update detection techniques when the server is not trusted. In addition, this article presents decentralized FL solutions based on blockchain. For each direction, we discuss specific technical solutions, their advantages, and disadvantages. By evaluating various defense methods, we identify the most suitable approach to address the primary challenge of "achieving a secure and robust FL system against malicious adversaries while protecting users' privacy." We then propose a theoretical reference framework for end‐to‐end protection of privacy and security in FL for the key problem, which summarizes the attack surface of FL systems from the client to the server under the security model where the client and server are malicious. Leveraging the strengths and characteristics of existing schemes, our proposed framework integrates multiple techniques to strike a balance between privacy, usability, and efficiency. This framework serves as a valuable reference and provides insights for future work in the field. Finally, we also provide recommendations for future research directions in this field.

computer science, theory & methods, software engineering

Wei Yang,Yuan Yang,Yingjie Xi,Hailong Zhang,Wei Xiang

DOI: https://doi.org/10.1007/s10489-024-05521-y

IF: 5.3

2024-05-28

Applied Intelligence

Abstract:Within the federated learning (FL) framework, the client collaboratively trains the model in coordination with a central server, while the training data can be kept locally on the client. Thus, the FL framework mitigates the privacy disclosure and costs related to conventional centralized machine learning. Nevertheless, current surveys indicate that FL still has problems in terms of communication efficiency and privacy risks. In this paper, to solve these problems, we develop an FL framework with communication-efficient and privacy-preserving (FLCP). To realize the FLCP, we design a novel compression algorithm with efficient communication, namely, adaptive weight compression FedAvg (AWC-FedAvg). On the basis of the non-independent and identically distributed (non-IID) and unbalanced data distribution in FL, a specific compression rate is provided for each client, and homomorphic encryption (HE) and differential privacy (DP) are integrated to provide demonstrable privacy protection and maintain the desirability of the model. Therefore, our proposed FLCP smoothly balances communication efficiency and privacy risks, and we prove its security against "honest-but-curious" servers and extreme collusion under the defined threat model. We evaluate the scheme by comparing it with state-of-the-art results on the MNIST and CIFAR-10 datasets. The results show that the FLCP performs better in terms of training efficiency and model accuracy than the baseline method.

computer science, artificial intelligence

Yisheng Zhong,Li-Ping Wang

2023-12-02

Abstract:Federated Learning (FL) faces two major issues: privacy leakage and poisoning attacks, which may seriously undermine the reliability and security of the system. Overcoming them simultaneously poses a great challenge. This is because privacy protection policies prohibit access to users' local gradients to avoid privacy leakage, while Byzantine-robust methods necessitate access to these gradients to defend against poisoning attacks. To address these problems, we propose a novel privacy-preserving Byzantine-robust FL framework PROFL. PROFL is based on the two-trapdoor additional homomorphic encryption algorithm and blinding techniques to ensure the data privacy of the entire FL process. During the defense process, PROFL first utilize secure Multi-Krum algorithm to remove malicious gradients at the user level. Then, according to the Pauta criterion, we innovatively propose a statistic-based privacy-preserving defense algorithm to eliminate outlier interference at the feature level and resist impersonation poisoning attacks with stronger concealment. Detailed theoretical analysis proves the security and efficiency of the proposed method. We conducted extensive experiments on two benchmark datasets, and PROFL improved accuracy by 39% to 75% across different attack settings compared to similar privacy-preserving robust methods, demonstrating its significant advantage in robustness.

Cryptography and Security,Artificial Intelligence,Machine Learning

Junqing Le,Di Zhang,Xinyu Lei,Long Jiao,Kai Zeng,Xiaofeng Liao

DOI: https://doi.org/10.1109/tifs.2023.3295949

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) enables multiple clients to jointly train a global learning model while keeping their training data locally, thereby protecting clients’ privacy. However, there still exist some security issues in FL, e.g., the honest-but-curious servers may mine privacy from clients’ model updates, and the malicious clients may launch poisoning attacks to disturb or break global model training. Moreover, most previous works focus on the security issues of FL in the presence of only honest-but-curious servers or only malicious clients. In this paper, we consider a stronger and more practical threat model in FL, where the honest-but-curious servers and malicious clients coexist, named as the non-fully trusted model. In the non-fully trusted FL, privacy protection schemes for honest-but-curious servers are executed to ensure that all model updates are indistinguishable, which makes malicious model updates difficult to detect. Toward this end, we present an Adaptive Privacy-Preserving FL (Ada-PPFL) scheme with Differential Privacy (DP) as the underlying technology, to simultaneously protect clients’ privacy and eliminate the adverse effects of malicious clients on model training. Specifically, we propose an adaptive DP strategy to achieve strong client-level privacy protection while minimizing the impact on the prediction accuracy of the global model. In addition, we introduce DPAD, an algorithm specifically designed to precisely detect malicious model updates, even in cases where the updates are protected by DP measures. Finally, the theoretical analysis and experimental results further illustrate that the proposed Ada-PPFL enables client-level privacy protection with 35% DP-noise savings, and maintains similar prediction accuracy to models without malicious attacks.

Zhimo Cheng,Xinsheng Ji,Wei You,Yi Bai,Yunjie Chen,Xiaogang Qin

DOI: https://doi.org/10.3390/e25111551

2023-11-16

Abstract:Data sharing and analyzing among different devices in mobile edge computing is valuable for social innovation and development. The limitation to the achievement of this goal is the data privacy risk. Therefore, existing studies mainly focus on enhancing the data privacy-protection capability. On the one hand, direct data leakage is avoided through federated learning by converting raw data into model parameters for transmission. On the other hand, the security of federated learning is further strengthened by privacy-protection techniques to defend against inference attack. However, privacy-protection techniques may reduce the training accuracy of the data while improving the security. Particularly, trading off data security and accuracy is a major challenge in dynamic mobile edge computing scenarios. To address this issue, we propose a federated-learning-based privacy-protection scheme, FLPP. Then, we build a layered adaptive differential privacy model to dynamically adjust the privacy-protection level in different situations. Finally, we design a differential evolutionary algorithm to derive the most suitable privacy-protection policy for achieving the optimal overall performance. The simulation results show that FLPP has an advantage of 8∼34% in overall performance. This demonstrates that our scheme can enable data to be shared securely and accurately.

Di Xiao,Zhuyang Yu,Lvjun Chen

DOI: https://doi.org/10.1109/icpads60453.2023.00213

2023-01-01

Abstract:Federated learning (FL) offers a solution for mitigating the issue of data silo. However, FL faces threats to both robustness and privacy, which hinder the widespread application of FL. Most existing approaches focus on one of these threats or require significant resources to tackle both simultaneously. To meet the requirements of robustness and privacy, we propose a robust and privacy-preserving FL (RPFL) based on random selection and lightweight sharing. Our random selection method effectively invalidates malicious models to protect the integrity of the global model. On the other hand, we employ the technique of multi-party computation (MPC) to enhance privacy. To mitigate additional communication overhead and computation overhead introduced by MPC, we propose lightweight sharing. Besides, we adopt compressed sensing and parameter-clipping to further improve the communication efficiency and robustness of RPFL. We prove the performance of RPFL in terms of robustness, privacy, as well as efficiency. The extensive experimental results demonstrate that RPFL effectively improves the robustness and privacy of FL with only a negligible performance penalty.