Lingchen Zhao,Qian Wang,Qin Zou,Yan Zhang,Yanjiao Chen

DOI: https://doi.org/10.1109/tifs.2019.2939713

2018-01-01

Abstract:With powerful parallel computing GPUs and massive user data, neural-network-based deep learning can well exert its strong power in problem modeling and solving, and has archived great success in many applications such as image classification, speech recognition and machine translation etc. While deep learning has been increasingly popular, the problem of privacy leakage becomes more and more urgent. Given the fact that the training data may contain highly sensitive information, e.g., personal medical records, directly sharing them among the users (i.e., participants) or centrally storing them in one single location may pose a considerable threat to user privacy. In this paper, we present a practical privacy-preserving collaborative deep learning system that allows users to cooperatively build a collective deep learning model with data of all participants, without direct data sharing and central data storage. In our system, each participant trains a local model with their own data and only shares model parameters with the others. To further avoid potential privacy leakage from sharing model parameters, we use functional mechanism to perturb the objective function of the neural network in the training process to achieve $\epsilon $ -differential privacy. In particular, for the first time, we consider the existence of unreliable participants , i.e., the participants with low-quality data, and propose a solution to reduce the impact of these participants while protecting their privacy. We evaluate the performance of our system on two well-known real-world datasets for regression and classification tasks. The results demonstrate that the proposed system is robust against unreliable participants, and achieves high accuracy close to the model trained in a traditional centralized manner while ensuring rigorous privacy protection.

Jinyu Liu,Ziyang Wang,Qing Yang,Sissi Xiaoxiao Wu

DOI: https://doi.org/10.1109/wocc55104.2022.9880591

2022-01-01

Abstract:We focus on the security issues of decentralized federated learning systems for the core requirements of secure environments and trusted computing for applications such as medical big data, distributed cognitive learning, and autonomous driving. We propose a three-layer security assurance model that aims to ensure secure trusted computing in decentralized networks. Therein, the first-layer security model realizes the authentication of trusted users through blockchain technology to ensure the safe access of legitimate users to the greatest extent; the second-layer security model utilizes the trusted execution environment (TEE) technology to realize the privacy protection and trusted computing of each local user; the last layer of security model adopts a set of detection and location algorithms for defending the internal attackers, in case the first two layers of models fail. Our experimental results show that the proposed three-layer security model can effectively defend against external and internal attacks in the network, thereby promoting secure and trusted computing in distributed federated learning networks.

TANG Ling-tao,WANG Di,ZHANG Lu-fei,LIU Sheng-yun

DOI: https://doi.org/10.11896/jsjkx.210800108

2022-01-01

Computer Science

Abstract:Federated learning provides a novel solution to collaborative learning among untrusted entities. Through a local-trai-ning-and-central-aggregation pattern,the federated learning algorithm trains a global model while protects local data privacy of each entity. However,recent studies show that local models uploaded by clients and global models produced by the server may still leak users' private information. Secure multi-party computation and differential privacy are two mainstream privacy-preserving techniques,which are used to protect the privacy of computation process and computation outputs respectively. There are few works that exploit the benefits of these two techniques at the same time. This paper proposes a privacy-preserving federated learning scheme for deep learning by combining secure multi-party computation and differential privacy. Clients add noise to local models,and secret share them to multiple servers. Servers aggregate these model shares by secure multi-party computation to obtain a private global model. The proposed scheme not only protects the privacy of local model updates uploaded by clients,but also prevents adversaries from inferring sensitive information from globally shared data such as aggregated models. The scheme also allows dropout of unstable clients and is compatible with complex aggregation functions. In addition,it can be naturally extended to the decentralized setting for real-world applications where no trusted centers exist. We implement our system in Python and Pytorch. Experiments validate that the proposed scheme achieves the same level of efficiency and accuracy as plaintext fede-rated learning.

Haohua Duan,Zedong Peng,Liyao Xiang,Yuncong Hu,Bo Li

DOI: https://doi.org/10.1109/tdsc.2024.3369658

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Federated learning allows multiple clients to collaboratively train a global model without revealing their private data. Despite its success in many applications, it remains a challenge to prevent malicious clients to corrupt the global model through uploading incorrect model updates. Hence, one critical issue arises in how to validate the training is truly conducted on legitimate neural networks. To address the issue, we propose VPNNT, a zero-knowledge proof scheme for neural network backpropagation. VPNNT enables each client to prove to others that the model updates (gradients) are indeed calculated on the global model of the previous round, without leaking any information about the client's private training data. Our proof scheme is generally applicable to any type of neural network. Different from conventional verification schemes constructing neural network operations by gate-level circuits, we improve verification efficiency by formulating the training process using custom gates — matrix operations, and apply an optimized linear time zero knowledge protocol for verification. Thanks to the recursive structure of neural network backward propagation, common custom gates are combined in verification thereby reducing prover and verifier costs over conventional zero knowledge proofs. Experimental results show that VPNNT is a lightweighted verification scheme for neural network backpropagation with an improved prove time, verification time and proof size.

computer science, information systems, software engineering, hardware & architecture

Yan Feng,Xue Yang,Weijun Fang,Shu-Tao Xia,Xiaohu Tang,Jun Shao,Tao Xiong

2020-01-01

Abstract:Although federated learning improves privacy of training data by exchanging model updates rather than raw data, many research results show that sharing the model updates may still involve risks. To alleviate this problem, many privacy-preserving techniques have been introduced to federated learning. However, considering deep learning models in federated learning, the resulting schemes either cannot implement non-linear activation functions well, or cannot remain the same model accuracy as the original training, or suffer from unaffordable costs. In this paper, we customize a \emph{practical privacy-preserving method for federated deep learning}, which is versatile and applicable to most state-of-the-art models, such as ResNet and DenseNet. In particular, this method can support non-linear activation functions well on the encrypted domain, hence supporting semi-trusted clients to efficiently train deep neural network locally over encrypted model iterates (i.e., protecting the privacy of the model for server-side). Meanwhile, it can be combined with the secret sharing technique to further ensure the semi-trusted server cannot obtain local gradients of each client (i.e., protect the privacy of training data for client-side). Detailed security analysis and extensive experiments demonstrate that the proposed method can achieve privacy-preservation without sacrificing model accuracy and introducing too much extra costs.

Benxin Yin,Hanlin Zhang,Jie Lin,Fanyu Kong,Leyun Yu

DOI: https://doi.org/10.1016/j.cose.2024.103700

IF: 5.105

2024-01-11

Computers & Security

Abstract:Machine learning has been applied in a wide range of various fields. To train more effective control models, it is a trend for organizations holding their private data to collaborate with others, which raises privacy problems. Federated learning allows multiple participants to train learning models collaboratively without sharing their private training data but only the gradient. Nonetheless, recent researches show that sharing the gradient can also cause the original data leakage. To eliminate the data leakage of federated learning, in this paper, we propose a secure multiparty federated learning control system, including a secure training process and a secure prediction process. In the training process, data providers train the learning model collaboratively without disclosing local data. The trained model can be verified by participants. The data providers can then provide users with prediction services based on the trained model. In the prediction process, data providers cannot access the user data, and users cannot obtain the model. Also, the prediction result can be verified by users. We carry out comprehensive experiments to demonstrate the effectiveness of our proposed scheme.

computer science, information systems

Xue Yang,Minjie Ma,Xiaohu Tang

DOI: https://doi.org/10.1016/j.future.2024.06.002

IF: 7.307

2024-06-07

Future Generation Computer Systems

Abstract:As one of the most important methods of privacy computing, federated learning has attracted much attention as it makes data available but invisible (i.e., uploading gradients instead of raw data). However, adversaries may still recover some private information such as tabs, memberships or even training data, from gradients. Additionally, the malicious server may return the incorrect or forged aggregated result to clients for certain illegal interests. To ensure verifiability and privacy-preservation, in this paper, we present a verifiable secure aggregation scheme under the dual-server federated learning framework. Specifically, we combine the learning with error (LWE) cryptosystem with the secret sharing technique to guarantee the privacy of the aggregated result and each client's local gradient. Meanwhile, we skillfully design a double-verification protocol, including the server-side and client-side verification, to efficiently verify the correctness of the aggregated result and ensure data availability. Specifically, two servers mutually verify the correctness of the aggregated result through the linear homomorphic hash technique. After passing the server-side mutual verification, the malicious server may still directly broadcast the forged aggregated result to clients. Our client-side verification protocol can ensure data availability to identify the correct aggregation result sent by the semi-trusted server. To the best of our knowledge, existing solutions do not take data availability into account. Extensive experimental comparisons with the state-of-the-art schemes demonstrate the effectiveness and efficiency of the proposed scheme in terms of accuracy, computational cost and communication overhead.

computer science, theory & methods

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Rongxing Lu,Zhe Liu,Hui Li

DOI: https://doi.org/10.1109/tifs.2022.3176191

IF: 7.231

2022-06-29

IEEE Transactions on Information Forensics and Security

Abstract:Over the past years, the increasingly severe data island problem has spawned an emerging distributed deep learning framework—federated learning, in which the global model can be constructed over multiple participants without directly sharing their raw data. Despite its promising prospect, there are still many security challenges in federated learning, such as privacy preservation and integrity verification. Furthermore, federated learning is usually performed with the assistance of a center, which is prone to cause trust worries and communicational bottlenecks. To tackle these challenges, in this paper, we propose a privacy-preserving and verifiable decentralized federated learning framework, named PVD-FL, which can achieve secure deep learning model training under a decentralized architecture. Specifically, we first design an efficient and verifiable cipher-based matrix multiplication (EVCM) algorithm to execute the most basic calculation in deep learning. Then, by employing EVCM, we design a suite of decentralized algorithms to construct the PVD-FL framework, which ensures the confidentiality of both global model and local update and the verification of every training step. Detailed security analysis shows that PVD-FL can well protect privacy against various inference attacks and guarantee training integrity. In addition, the extensive experiments on real-world datasets also demonstrate that PVD-FL can achieve lossless accuracy and practical performance.

computer science, theory & methods,engineering, electrical & electronic

Lifeng Liu,Yifan Hu,Jiawei Yu,Fengda Zhang,Gang Huang,Jun Xiao,Chao Wu

DOI: https://doi.org/10.1145/3387168.3387211

2019-01-01

Abstract:Currently, training neural networks often requires a large corpus of data from multiple parties. However, data owners are reluctant to share their sensitive data to third parties for modelling in many cases. Therefore, Federated Learning (FL) has arisen as an alternative to enable collaborative training of models without sharing raw data, by distributing modelling tasks to multiple data owners. Based on FL, we premodel sent a novel and decentralized approach to training encrypted models with privacy-preserved data on Blockchain. In our approach, Blockchain is adopted as the machine learning environment where different actors (i.e., the model provider, the data provider) collaborate on the training task. During the training process, an encryption algorithm is used to protect the privacy of data and the trained model. Our experiments demonstrate that our approach is practical in real-world applications.

Meng Hao,Hongwei Li,Guowen Xu,Sen Liu,Haomiao Yang

DOI: https://doi.org/10.1109/icc.2019.8761267

2019-05-01

Abstract:Deep learning has been applied in many areas, such as computer vision, natural language processing and emotion analysis. Differing from the traditional deep learning that collects users’ data centrally, federated deep learning requires participants to train the networks on private datasets and share the training results, and hence has more gratifying efficiency and stronger security. However, it still presents some privacy issues since adversaries can deduce users’ privacy from local outputs, such as gradients. While the problem of private federated deep learning has been an active research issue, the latest research findings are still inadequate in terms of security, accuracy and efficiency. In this paper, we propose an efficient and privacy-preserving federated deep learning protocol based on stochastic gradient descent method by integrating the additively homomorphic encryption with differential privacy. Specifically, users add noises to each local gradients before encrypting them to obtain the optical performance and security. Moreover, our scheme is secure to honest-but-curious server setting even if the cloud server colludes with multiple users. Besides, our scheme supports federated learning for large-scale users scenarios and extensive experiments demonstrate our scheme has high efficiency and high accuracy compared with non-private model.

Runhua Xu,Nathalie Baracaldo,Yi Zhou,Ali Anwar,Swanand Kadhe,Heiko Ludwig

DOI: https://doi.org/10.48550/arXiv.2207.07779

2022-07-16

Abstract:Federated learning has emerged as a privacy-preserving machine learning approach where multiple parties can train a single model without sharing their raw training data. Federated learning typically requires the utilization of multi-party computation techniques to provide strong privacy guarantees by ensuring that an untrusted or curious aggregator cannot obtain isolated replies from parties involved in the training process, thereby preventing potential inference attacks. Until recently, it was thought that some of these secure aggregation techniques were sufficient to fully protect against inference attacks coming from a curious aggregator. However, recent research has demonstrated that a curious aggregator can successfully launch a disaggregation attack to learn information about model updates of a target party. This paper presents DeTrust-FL, an efficient privacy-preserving federated learning framework for addressing the lack of transparency that enables isolation attacks, such as disaggregation attacks, during secure aggregation by assuring that parties' model updates are included in the aggregated model in a private and secure manner. DeTrust-FL proposes a decentralized trust consensus mechanism and incorporates a recently proposed decentralized functional encryption (FE) scheme in which all parties agree on a participation matrix before collaboratively generating decryption key fragments, thereby gaining control and trust over the secure aggregation process in a decentralized setting. Our experimental evaluation demonstrates that DeTrust-FL outperforms state-of-the-art FE-based secure multi-party aggregation solutions in terms of training time and reduces the volume of data transferred. In contrast to existing approaches, this is achieved without creating any trust dependency on external trusted entities.

Cryptography and Security

Zhen Liu,Changsong Yang,Yong Ding,Hai Liang,Yujue Wang

DOI: https://doi.org/10.1109/jiot.2024.3478208

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The emergence of Big Data and Artificial Intelligence (AI) marks a significant milestone in technological advancement, impacting various sectors and transforming the essence of public and personal activities. Traditional machine learning, known as centralized learning, involves collecting data from multiple sources for model development, which poses significant privacy risks. To address the conflict between the need for data sharing and the protection of privacy, federated learning has emerged as a promising solution. This approach allows for the continuous sharing of model updates between a central server and numerous local devices, fostering collaborative model development. However, it also brings about considerable communication costs and raises privacy concerns due to the potential for sensitive information leakage from the central server and local devices. To address these issues, we propose a lightweight and accuracy-lossless privacy-preserving federated learning scheme based on gradient clipping. The central server introduces noise to the global model to prevent clients from extracting valuable information, and then the local devices train these models using their data. To reduce the communication load, parameters with less impact on the model are removed using the Fisher information matrix. Additionally, to enhance privacy protection, the client-computed parameters are perturbed using the Diffie-Hellman key exchange method. Our experiments show that this approach greatly reduces the communication load for clients and the server, while effectively safeguarding client privacy and maintaining the model’s accuracy.

Yuchen Li,Yifan Bao,Liyao Xiang,Junhan Liu,Cen Chen,Li Wang,Xinbing Wang

2021-01-01

Abstract: Federated learning is emerging as a machine learning technique that trains a model across multiple decentralized parties. It is renowned for preserving privacy as the data never leaves the computational devices, and recent approaches further enhance its privacy by hiding messages transferred in encryption. However, we found that despite the efforts, federated learning remains privacy-threatening, due to its interactive nature across different parties. In this paper, we analyze the privacy threats in industrial-level federated learning frameworks with secure computation, and reveal such threats widely exist in typical machine learning models such as linear regression, logistic regression and decision tree. For the linear and logistic regression, we show through theoretical analysis that it is possible for the attacker to invert the entire private input of the victim, given very few information. For the decision tree model, we launch an attack to infer the range of victim's private inputs. All attacks are evaluated on popular federated learning frameworks and real-world datasets.

Yanli Ren,Yerong Li,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.1109/jiot.2022.3194930

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is a distributed machine learning framework, which allows multiple users to collaboratively train and obtain a global model with high accuracy. Currently, FL is paid more attention by researchers and a growing number of protocols are proposed. This article first analyzes the security vulnerabilities of the VerifyNet and VeriFL protocols, and proposes a new aggregation protocol for FL. We use additive homomorphic encryption and double masking to simultaneously protect the user’s local model and the aggregated global model while most of the existing protocols only consider the privacy of the local model. Also, linear homomorphic hash and digital signature are used to achieve traceable verification, which means the users can not only verify the aggregation results, but also be able to identify the wrong epoch if the results are wrong. In summary, our protocol can realize the privacy of the local model and global model and achieve verification traceability even if the cloud server colludes with malicious users. The experimental results show that the proposed protocol improves the security of FL without decreasing the efficiency of the users and classification accuracy of the training model.

Zhibo Xing,Zijian Zhang,Zi'ang Zhang,Jiamou Liu,Liehuang Zhu,Giovanni Russello

2024-06-03

Abstract:Federated learning allows several clients to train one machine learning model jointly without sharing private data, providing privacy protection. However, traditional federated learning is vulnerable to poisoning attacks, which can not only decrease the model performance, but also implant malicious backdoors. In addition, direct submission of local model parameters can also lead to the privacy leakage of the training dataset. In this paper, we aim to build a privacy-preserving and Byzantine-robust federated learning scheme to provide an environment with no vandalism (NoV) against attacks from malicious participants. Specifically, we construct a model filter for poisoned local models, protecting the global model from data and model poisoning attacks. This model filter combines zero-knowledge proofs to provide further privacy protection. Then, we adopt secret sharing to provide verifiable secure aggregation, removing malicious clients that disrupting the aggregation process. Our formal analysis proves that NoV can protect data privacy and weed out Byzantine attackers. Our experiments illustrate that NoV can effectively address data and model poisoning attacks, including PGD, and outperforms other related schemes.

Cryptography and Security,Machine Learning

Ehsan Hallaji,Roozbeh Razavi-Far,Mehrdad Saif,Boyu Wang,Qiang Yang

DOI: https://doi.org/10.1109/TBDATA.2024.3362191

2024-01-26

Abstract:Federated learning has been rapidly evolving and gaining popularity in recent years due to its privacy-preserving features, among other advantages. Nevertheless, the exchange of model updates and gradients in this architecture provides new attack surfaces for malicious users of the network which may jeopardize the model performance and user and data privacy. For this reason, one of the main motivations for decentralized federated learning is to eliminate server-related threats by removing the server from the network and compensating for it through technologies such as blockchain. However, this advantage comes at the cost of challenging the system with new privacy threats. Thus, performing a thorough security analysis in this new paradigm is necessary. This survey studies possible variations of threats and adversaries in decentralized federated learning and overviews the potential defense mechanisms. Trustability and verifiability of decentralized federated learning are also considered in this study.

Cryptography and Security,Artificial Intelligence,Machine Learning

Jianan Su,Ai Gu,Xiaowei Liu,Xiaohui Li,Siting Lv

DOI: https://doi.org/10.1109/WCNC57260.2024.10570990

2024-04-21

Abstract:With the emergence of distributed machine learning, federated learning has become a prevalent paradigm for multi-party collaborative training scenarios. To address security vulnerabilities such as imperfect encryption and incapability to with-stand attacks within existing federated learning architectures, a blockchain-based trustworthy federated learning architecture is proposed. The architecture utilizes a threshold variant of the Paillier encryption scheme to protect the local and global model updates. A flexible Multi-Krum selection scheme is also proposed for balancing the utility of the overall architecture while ensuring safe federated learning training processes. Based on theoretical analysis and experimental results, the proposed architecture demonstrates a high level of security and the feasibility of the scheme is supported.

Engineering,Computer Science

Huang Zeng,Anjia Yang,Jian Weng,Min-Rong Chen,Fengjun Xiao,Yi Liu,Ye Yao

2024-05-07

Abstract:Federated learning (FL) has attracted widespread attention because it supports the joint training of models by multiple participants without moving private dataset. However, there are still many security issues in FL that deserve discussion. In this paper, we consider three major issues: 1) how to ensure that the training process can be publicly audited by any third party; 2) how to avoid the influence of malicious participants on training; 3) how to ensure that private gradients and models are not leaked to third parties. Many solutions have been proposed to address these issues, while solving the above three problems simultaneously is seldom considered. In this paper, we propose a publicly auditable and privacy-preserving federated learning scheme that is resistant to malicious participants uploading gradients with wrong directions and enables anyone to audit and verify the correctness of the training process. In particular, we design a robust aggregation algorithm capable of detecting gradients with wrong directions from malicious participants. Then, we design a random vector generation algorithm and combine it with zero sharing and blockchain technologies to make the joint training process publicly auditable, meaning anyone can verify the correctness of the training. Finally, we conduct a series of experiments, and the experimental results show that the model generated by the protocol is comparable in accuracy to the original FL approach while keeping security advantages.

Cryptography and Security