Geming Xia,Jian Chen,Xinyi Huang,Chaodong Yu,Zhong Zhang

DOI: https://doi.org/10.1109/compsac57700.2023.00101

2023-01-01

Abstract:Federated learning allows participants to share models (gradients) rather than raw data to collaboratively train a global model, enhancing participants' privacy protection but making the global model more vulnerable to poisoning attacks. Poisoning attacks not only lead to the degradation of model performance but also cause a security risk. A mainstream defense strategy against poisoning attacks is that the server identifies malicious models by analyzing the models uploaded by participants. However, the attackers can use the models uploaded by the participants to recover their privacy data, leading to a privacy disclosure. Therefore, participants need to encrypt or perturb the models before uploading them so that all individuals, including the server, cannot access the model, which poses a great challenge for the defense against poisoning attacks. Moreover, many existing defense strategies against poisoning attacks only work well when the data distribution is non-independently and identically distributed. To address these issues, we propose a novel defense strategy for poisoning attacks of federated learning called FL-PTD, which can judge whether the global model is subjected to poisoning attacks without accessing the participant's local model. Besides, Our method incorporates a trust evaluation mechanism, which computes reputation scores based on the historical behavior of participants to identify malicious participants. Finally, we verify our proposed method on several real world datasets. The experimental results show that our method can effectively defend against poisoning attacks and accurately identify attackers without compromising the model's performance.

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Yandong Zheng,Rongxing Lu,Hui Li

DOI: https://doi.org/10.1109/tsc.2024.3377931

2024-01-01

Abstract:The ever-growing data scale and increasingly strict privacy restraint have recently drawn extensive attention to federated learning (FL) as a multi-party machine learning paradigm for achieving high-quality model construction without data collection. Nevertheless, uploading local models in FL can still be exploited by adversaries to infer participants' sensitive data. Furthermore, it is possible for malicious participants to manipulate the global model by submitting poisonous local models. To tackle these challenges, this paper proposes an efficient and privacy-preserving federated learning framework against poisoning adversaries, namely ELFL, which can ensure the confidentiality of local models while effectively resisting data poisoning attacks. Specifically, we first design a grouped secure aggregation algorithm, through which the aggregation server can compute the summations of local models inside logic groups but cannot see individual ones. Then, based on grouped aggregations, our poisoning defense mechanism could detect and quickly phase out malicious participants from training candidates. Moreover, the computational complexity of participants is independent of their total number, so it is suitable for large-scale scenes. Detailed security analysis demonstrates the security of ELFL. Experimental results show that ELFL could maintain a high accuracy against representative data poisoning attacks, and its computational and communication overhead is indeed low.

Zhibo Xing,Zijian Zhang,Zi'ang Zhang,Jiamou Liu,Liehuang Zhu,Giovanni Russello

2024-06-03

Abstract:Federated learning allows several clients to train one machine learning model jointly without sharing private data, providing privacy protection. However, traditional federated learning is vulnerable to poisoning attacks, which can not only decrease the model performance, but also implant malicious backdoors. In addition, direct submission of local model parameters can also lead to the privacy leakage of the training dataset. In this paper, we aim to build a privacy-preserving and Byzantine-robust federated learning scheme to provide an environment with no vandalism (NoV) against attacks from malicious participants. Specifically, we construct a model filter for poisoned local models, protecting the global model from data and model poisoning attacks. This model filter combines zero-knowledge proofs to provide further privacy protection. Then, we adopt secret sharing to provide verifiable secure aggregation, removing malicious clients that disrupting the aggregation process. Our formal analysis proves that NoV can protect data privacy and weed out Byzantine attackers. Our experiments illustrate that NoV can effectively address data and model poisoning attacks, including PGD, and outperforms other related schemes.

Cryptography and Security,Machine Learning

Xueyang Li,Xue Yang,Zhengchun Zhou,Rongxing Lu

DOI: https://doi.org/10.1109/tifs.2024.3378006

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning enables clients to train models locally and provide local updates to the server instead of raw dataset, thereby preserving data privacy to some extent. However, adversaries can still pry users’ privacy by inferring updates, and compromise the integrity of the global model through poisoning attack. Therefore, many related works have integrated poisoning attack detection method with secure computation to address both issues. Nevertheless, they still encounter two major challenges: (i) the efficiency is too low to be applied in practice, and (ii) the privacy is still at risk of being leaked, e.g., the distance of two local updates for detecting poisoning attack could be exposed to the server. Aiming at the challenges, in this paper, we propose an Efficient Privacy-preserving and Poisoning attack Resistant scheme for Federated Learning, named EPPRFL, which preserves the privacy for local updates and some intermediate information used to detect poisoning attack. In particular, we design an efficient poisoning attack detection method based on Euclidean distance filtering & clipping technique, named F&C. Then, considering the privacy preservation of the F&C method, we efficiently customize secure comparison, secure median, secure distance computation and secure clipping protocols based on additive secret sharing. Experimental results and theoretical analysis show that compared with existing schemes, EPPRFL can better resist poisoning attack and has lower computational and communication overheads on the client side.

computer science, theory & methods,engineering, electrical & electronic

Yan Hong,Zhiqing Huang,Chenyang Zhang

DOI: https://doi.org/10.1117/12.2684744

2023-01-01

Abstract:Federated learning is a new privacy protection framework for machine learning. The central server aggregates multiple participants to decentralized optimized parameters, then distributes the generated model to the client, and finally converges the global model. The model obtained by performance approaching centralized data training is trained under the condition that the data is not leave local. However, many studies have shown that this centralized federation system is vulnerable to confidentiality attacks by "honest but curious" attackers, using the gradient parameter information transmitted during federation model training to carry out reconstruction attacks or inference attacks, obtain the privacy data of participants or deduce some member information, which poses a severe challenge to the privacy protection of federated learning. In this paper, a hybrid defense strategy based on confusion self-encoder combined with localized differential privacy is proposed. On the one hand, the labels of the participants' local data are confused through the self-encoder network, so as to cut off the relationship between the gradient information and the original data. On the other hand, the localized differential privacy mechanism is used to disturb the transmitted gradient parameter information, and a model performance loss constraint mechanism is designed to reduce the impact of noise addition on the model performance. Experiments show that the hybrid defense strategy proposed in this paper can effectively resist reconstruction attacks and inference attacks in the process of federated learning model training, and achieve a better balance among computing overhead, model performance and privacy security.

John Reuben Gilbert

DOI: https://doi.org/10.48550/arXiv.2211.06324

2022-11-10

Cryptography and Security

Abstract:Federated learning is a collaborative method that aims to preserve data privacy while creating AI models. Current approaches to federated learning tend to rely heavily on secure aggregation protocols to preserve data privacy. However, to some degree, such protocols assume that the entity orchestrating the federated learning process (i.e., the server) is not fully malicious or dishonest. We investigate vulnerabilities to secure aggregation that could arise if the server is fully malicious and attempts to obtain access to private, potentially sensitive data. Furthermore, we provide a method to further defend against such a malicious server, and demonstrate effectiveness against known attacks that reconstruct data in a federated learning setting.

Zheng Yuan,Youliang Tian,Jinbo Xiong,Linjie Wang

DOI: https://doi.org/10.1109/nana63151.2024.00009

2024-01-01

Abstract:Federated learning has garnered considerable attention for its capacity to aggregate efficient and accurate models while preserving user’s data privacy. Nonetheless, conventional federated learning frameworks remain susceptible to malicious threats like collusion and inference attacks. We design a robust and resilient enhancing privacy-preserving federated learning framework based on blockchain (EPFL) to address these threats. Initially, we meticulously design a two-round encryption scheme that allows users to upload encryption gradients while the server can still perform aggregation. Subsequently, a secure communication protocol termed the “server-blockchain-user” is devised based on blockchain architecture. This protocol guarantees the openness, transparency, and traceability of the entire training process, while also offering resilience in users’ drop-out and joining that may arise during the aggregation process. Finally, experimental assessments are conducted to appraise the robustness and accuracy of EPFL. The empirical findings demonstrate that EPFL not only demonstrates robustness against collusion and inference attacks, but also adeptly handles user exits and entries without compromising the confidentiality of user keys. Moreover, EPFL attains model accuracy commensurate with the FedAvg.

Ping Zhao,Zhikui Cao,Jin Jiang,Fei Gao

DOI: https://doi.org/10.1109/jiot.2022.3201231

IF: 10.6

2022-12-24

IEEE Internet of Things Journal

Abstract:Federated learning (FL) enables multiple worker devices share local models trained on their private data to collaboratively train a machine learning model. However, local models are proved to imply the information about the private data and, thus, introduce much vulnerabilities to inference attacks where the adversary reconstructs or infers the sensitive information about the private data (e.g., labels, memberships, etc.) from the local models. To address this issue, existing works proposed homomorphic encryption, secure multiparty computation (SMC), and differential privacy methods. Nevertheless, the homomorphic encryption and SMC-based approaches are not applicable to large-scale FL scenarios as they incur substantial additional communication and computation costs and require secure channels to delivery keys. Moreover, differential privacy brings a substantial tradeoff between privacy budget and model performance. In this article, we propose a novel FL framework, which can protect the data privacy of worker devices against the inference attacks with minimal accuracy cost and low computation and communication cost, and does not rely on the secure pairwise communication channels. The main idea is to generate the lightweight keys based on computational Diffie–Hellman (CDH) problem to encrypt the local models, and the FL server can only get the sum of the local models of all worker devices without knowing the exact local model of any specific worker device. The extensive experimental results on three real-world data sets validate that the proposed FL framework can protect the data privacy of worker devices, and only incurs a small constant of computation and communication cost and a drop in test accuracy of no more than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yipeng Dong,Lei Zhang,Lin Xu

DOI: https://doi.org/10.1007/978-981-97-0834-5_9

2024-01-01

Abstract:Federated learning enables collaborative training of the global model by participants with diverse data sources while preserving data privacy. However, the traditional federated learning architecture faces some challenges, including single-point of server failure and privacy disclosure. To address these challenges, this paper proposes a distributed federated learning scheme based on multi-key homomorphic encryption, which fundamentally solves the problems of server single-point failure and malicious behavior, while effectively protecting the data privacy of participants. The trusted execution environment (TEE) is used to detect the quality of the models and to prevent some malicious participants from executing malicious behavior. Furthermore, an incentive mechanism is designed to encourage participants to actively and honestly perform training tasks. Our scheme satisfies privacy, robustness, and fairness criteria, as demonstrated in our analysis.

Zhaosen Shi,Zeyu Yang,Alzubair Hassan,Fagen Li,Xuyang Ding

DOI: https://doi.org/10.1007/s11235-022-00982-3

2022-12-09

Telecommunication Systems

Abstract:The performance of machine learning models largely depends on the amount of data. However, with the improvement of privacy awareness, data sharing has become more and more difficult. Federated learning provides a solution for joint machine learning, which alleviates this difficulty. Although it works by sharing parameters instead of data, privacy threats like inference attacks still exist owing to the exposed parameters or updates. In this paper, we propose a privacy preserving scheme for federated learning by combining the homomorphism of both secret sharing and encryption. Our scheme ensures the confidentiality of local parameters and tolerates collusion threats under a certain range. Our scheme also tolerates dropping of some clients, performs aggregation without sharing keys and has simple interaction process. Meantime, we use the automatic protocol tool ProVerif to verify its cryptographic functionality, analyze its theoretical complexity and compare them with similar schemes. We verify our scheme by experiment to show that it has less running time compared with some schemes.

telecommunications

Yanli Ren,Yerong Li,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.1109/jiot.2022.3194930

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is a distributed machine learning framework, which allows multiple users to collaboratively train and obtain a global model with high accuracy. Currently, FL is paid more attention by researchers and a growing number of protocols are proposed. This article first analyzes the security vulnerabilities of the VerifyNet and VeriFL protocols, and proposes a new aggregation protocol for FL. We use additive homomorphic encryption and double masking to simultaneously protect the user’s local model and the aggregated global model while most of the existing protocols only consider the privacy of the local model. Also, linear homomorphic hash and digital signature are used to achieve traceable verification, which means the users can not only verify the aggregation results, but also be able to identify the wrong epoch if the results are wrong. In summary, our protocol can realize the privacy of the local model and global model and achieve verification traceability even if the cloud server colludes with malicious users. The experimental results show that the proposed protocol improves the security of FL without decreasing the efficiency of the users and classification accuracy of the training model.

Sherin Mary Mathews,Samuel A. Assefa

DOI: https://doi.org/10.48550/arXiv.2204.13697

IF: 5.414

2022-04-22

Machine Learning

Abstract:Federated learning holds great promise in learning from fragmented sensitive data and has revolutionized how machine learning models are trained. This article provides a systematic overview and detailed taxonomy of federated learning. We investigate the existing security challenges in federated learning and provide a comprehensive overview of established defense techniques for data poisoning, inference attacks, and model poisoning attacks. The work also presents an overview of current training challenges for federated learning, focusing on handling non-i.i.d. data, high dimensionality issues, and heterogeneous architecture, and discusses several solutions for the associated challenges. Finally, we discuss the remaining challenges in managing federated learning training and suggest focused research directions to address the open questions. Potential candidate areas for federated learning, including IoT ecosystem, healthcare applications, are discussed with a particular focus on banking and financial domains.

Lun Wang

DOI: https://doi.org/10.1609/aaaiss.v3i1.31229

2024-05-20

Abstract:In this talk, we will discuss how to make federated learning secure for the server and private for the clients simultaneously. Most prior efforts fall into either of the two categories. At one end of the spectrum, some work uses techniques like secure aggregation to hide the individual client’s updates and only reveal the aggregated global update to a malicious server that strives to infer the clients’ privacy from their updates. At the other end of the spectrum, some work uses Byzantine-robust FL protocols to suppress the influence of malicious clients’ updates. We present a protocol that offers bidirectional defense to simultaneously combat against the malicious centralized server and Byzantine malicious clients. Our protocol also improves the dimension dependence and achieve a near-optimal statistical rate for strongly convex cases.

Yan Feng,Xue Yang,Weijun Fang,Shu-Tao Xia,Xiaohu Tang,Jun Shao,Tao Xiong

2020-01-01

Abstract:Although federated learning improves privacy of training data by exchanging model updates rather than raw data, many research results show that sharing the model updates may still involve risks. To alleviate this problem, many privacy-preserving techniques have been introduced to federated learning. However, considering deep learning models in federated learning, the resulting schemes either cannot implement non-linear activation functions well, or cannot remain the same model accuracy as the original training, or suffer from unaffordable costs. In this paper, we customize a \emph{practical privacy-preserving method for federated deep learning}, which is versatile and applicable to most state-of-the-art models, such as ResNet and DenseNet. In particular, this method can support non-linear activation functions well on the encrypted domain, hence supporting semi-trusted clients to efficiently train deep neural network locally over encrypted model iterates (i.e., protecting the privacy of the model for server-side). Meanwhile, it can be combined with the secret sharing technique to further ensure the semi-trusted server cannot obtain local gradients of each client (i.e., protect the privacy of training data for client-side). Detailed security analysis and extensive experiments demonstrate that the proposed method can achieve privacy-preservation without sacrificing model accuracy and introducing too much extra costs.

Zhaosen Shi,Xuyang Ding,Fagen Li,Yingni Chen,Canran Li

DOI: https://doi.org/10.1007/s12243-022-00929-4

2022-01-01

Abstract:Federated learning provides a way to achieve joint model training while keeping the data of every party stored locally, and it protects the data privacy of all participants in cooperative training. However, there are availability and integrity threats in federated learning, as malicious parties may pretend to be benign ones to interfere with the global model. In this paper, we consider a federated learning scenario with one center server and multiple clients, where malicious clients launch poisoning attacks. We explore the statistical relationship of Euclidean distance among models, including benign versus benign models and malicious versus benign models. Then, we design a defense method based on our findings and inspired by evolutionary clustering. The center server uses this defense scheme to screen possible malicious clients and mitigate their attacks. Our mitigation scheme refers to the detection results of both the current and previous rounds. Moreover, we improve our scheme to apply it to a privacy threat scenario. Finally, we demonstrate the effectiveness of our scheme through experiments in several different scenarios.

Qingdi Han,Siqi Lu,Wenhao Wang,Haipeng Qu,Jingsheng Li,Yang Gao

DOI: https://doi.org/10.1002/cpe.8084

2024-03-20

Concurrency and Computation Practice and Experience

Abstract:Summary Federated learning (FL) has emerged as a promising solution to address the challenges posed by data silos and the need for global data fusion. It offers a distributed machine learning framework with privacy‐preserving features, allowing model training without the need to collect user data. However, FL also presents significant security and privacy threats that hinder its widespread adoption. The requirements of privacy and security in FL are inherently conflicting. Privacy necessitates the concealment of individual client updates, while security requires the disclosure of client updates to detect anomalies. While most existing research focused on the privacy and security aspects of FL, very few studies have addressed the compatibility of these two demands. In this work, we aim to bridge this gap by proposing a comprehensive defense scheme that ensures privacy, security, and compatibility in FL. We categorize the existing literature into two key directions: privacy defense and security defense. Privacy defense includes methods based on additive masks, differential privacy, homomorphic encryption, and trusted execution environment, whereas security defense encompasses distance‐, performance‐, clustering‐, and similarity‐based anomaly detection techniques and statistical information‐based anomaly update bypassing techniques when the server is trusted and privacy‐compatible anomaly update detection techniques when the server is not trusted. In addition, this article presents decentralized FL solutions based on blockchain. For each direction, we discuss specific technical solutions, their advantages, and disadvantages. By evaluating various defense methods, we identify the most suitable approach to address the primary challenge of "achieving a secure and robust FL system against malicious adversaries while protecting users' privacy." We then propose a theoretical reference framework for end‐to‐end protection of privacy and security in FL for the key problem, which summarizes the attack surface of FL systems from the client to the server under the security model where the client and server are malicious. Leveraging the strengths and characteristics of existing schemes, our proposed framework integrates multiple techniques to strike a balance between privacy, usability, and efficiency. This framework serves as a valuable reference and provides insights for future work in the field. Finally, we also provide recommendations for future research directions in this field.

computer science, theory & methods, software engineering

Juan Mao,Chunjie Cao,LongJuan Wang,Jun Ye,WenJie Zhong

DOI: https://doi.org/10.1088/1742-6596/1757/1/012192

2021-01-01

Journal of Physics Conference Series

Abstract:With the emergence of data islands and the popular awareness of privacy, federated learning, as an emerging data sharing and exchange model, can realize multi-party collaboration under the premise of protecting data privacy and security because the data distributed in multiple devices cannot be sent locally. To achieve benefits for all parties involved, it has been widely used in many fields such as finance, medical care, and education. However, FL also has various security and privacy issues. Starting from the overview of federated learning, this article describes in detail the threat model and existing security issues, including replay attacks, poisoning attacks, reasoning attacks, etc., and then makes a certain analysis of FL privacy protection security technologies. Compared with SMC and HE, differential privacy is excellent in terms of efficiency. Finally, we discussed the challenges of privacy protection and security issues and future research directions.

Xianyu Mu,Youliang Tian,Zhou,Jinbo Xiong

DOI: https://doi.org/10.1109/nana63151.2024.00079

2024-01-01

Abstract:With the increasing awareness of user privacy protection and the improvement of domestic and international privacy protection laws, coalitional learning has become the current machine learning framework to protect user privacy. However, there are still specific security threats in coalitional learning, i.e., semi-honest servers obtain the corresponding privacy information by launching reverse inference attacks on the user’s local model gradient. Although effective against the attacks of semi-honest adversaries, previous research schemes resulted in huge computational costs and poor robustness. Therefore, in this paper, we propose a federated learning security aggregation protocol based on lightweight cryptography algorithms, which can significantly reduce the computational costs at the user’s end and is robust to users offline. First, this paper constructs an efficient secure aggregation protocol based on lightweight cryptographic algorithms, which significantly reduces the computational costs required on the user side. Second, an effective reconfiguration algorithm is designed in order to prevent the aggregation failure caused by the auxiliary computing nodes going offline. Finally, this paper demonstrates the security of the protocol through security analysis. In addition, this paper shows through experimental results that the scheme achieves a significant efficiency improvement, and the number of required communication rounds is reduced to two.

Yuanyuan Gao,Lei Zhang,Lulu Wang,Kim-Kwang Raymond Choo,Rui Zhang

DOI: https://doi.org/10.1109/tsc.2023.3250705

2021-01-01

Abstract:Conventional federated learning (FL) approaches generally rely on a centralized server, and there has been a trend of designing asynchronous FL approaches for distributed applications partly to mitigate limitations associated with conventional (synchronous) FL approaches (e.g., single point of failure / attack). In this paper, we first introduce two new tools, namely: a quality-based aggregation method and an extended dynamic contribution broadcast encryption (DConBE). Building on these two new tools and local differential privacy, we then propose a privacy-preserving and reliable decentralized FL scheme, designed to support batch joining/leaving of clients while incurring minimal delay and achieving high model accuracy. In other words, our scheme seeks to ensure an optimal trade-off between model accuracy and data privacy, which is also demonstrated in our simulation results. For example, the results show that our aggregation method can effectively avoid low-quality updates in the sense that the scheme guarantees high model accuracy even in the presence of bad clients who may submit low-quality updates. In addition, our scheme incurs a lower loss and the extended DConBE only slightly affects the efficiency of our scheme. With the extended dynamic contribution broadcast encryption, our scheme can efficiently support batch joining/leaving of clients.

Yuping Yan,Mohammed B. M. Kamel,Marcell Zoltay,Marcell Gál,Roland Hollós,Yaochu Jin,Ligeti Péter,Ákos Tényi

DOI: https://doi.org/10.1007/s40747-023-01184-3

IF: 6.7

2023-01-01

Complex & Intelligent Systems

Abstract:Federated learning (FL) draws attention in academia and industry due to its privacy-preserving capability in training machine learning models. However, there are still some critical security attacks and vulnerabilities, including gradients leakage and interference attacks. Meanwhile, communication is another bottleneck in basic FL schemes since large-scale FL parameter transmission leads to inefficient communication, latency, and slower learning processes. To overcome these shortcomings, different communication efficiency strategies and privacy-preserving cryptographic techniques have been proposed. However, a single method can only partially resist privacy attacks. This paper presents a practical, privacy-preserving scheme combining cryptographic techniques and communication networking solutions. We implement Kafka for message distribution, the Diffie–Hellman scheme for secure server aggregation, and gradient differential privacy for interference attack prevention. The proposed approach maintains training efficiency while being able to addressing gradients leakage problems and interference attacks. Meanwhile, the implementation of Kafka and Zookeeper provides asynchronous communication and anonymous authenticated computation with role-based access controls. Finally, we prove the privacy-preserving properties of the proposed solution via security analysis and empirically demonstrate its efficiency and practicality.