Xiao Chen,Haining Yu,Xiaohua Jia,Xiangzhan Yu

DOI: https://doi.org/10.1109/tifs.2023.3315125

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) is an emerging paradigm of privacy-preserving distributed machine learning that effectively deals with the privacy leakage problem by utilizing cryptographic primitives. However, how to prevent poisoning attacks in distributed situations has recently become a major FL concern. Indeed, an adversary can manipulate multiple edge nodes and submit malicious gradients to disturb the global model's availability. Currently, most existing works rely on an Independently Identical Distribution (IID) situation and identify malicious gradients using plaintext. However, we demonstrates that current works cannot handle the data heterogeneity scenario challenges and that publishing unencrypted gradients imposes significant privacy leakage problems. Therefore, we develop APFed, a layered privacy-preserving defense mechanism that significantly mitigates the effects of poisoning attacks in data heterogeneity scenarios. Specifically, we exploit HE as the underlying technique and employ the median coordinate as the benchmark. Subsequently, we propose a secure cosine similarity scheme to identify poisonous gradients, and we innovatively use clustering as part of the defense mechanism and develop a hierarchical aggregation that enhances our scheme's robustness in IID and non-IID scenarios. Extensive evaluations on two benchmark datasets demonstrate that APFed outperforms existing defense strategies while reducing the communication overhead by replacing the expensive remote communication method with inexpensive intra-cluster communication.

Hongliang Zhou,Yifeng Zheng,Xiaohua Jia

DOI: https://doi.org/10.1016/j.comnet.2024.110321

IF: 5.493

2024-04-01

Computer Networks

Abstract:Federated learning (FL) has recently emerged as an attractive distributed machine learning paradigm for harnessing the distributed data in edge computing. Its salient feature is that the individual datasets can stay local all the time during the training process and only model updates need to be exchanged for aggregation. Despite being intriguing, FL is also known to be confronted with critical security and privacy concerns. Firstly, even sharing the model updates/gradients can incur privacy leakages of the local datasets. Secondly, there could be malicious clients who may attempt to launch poisoning attacks so as to compromise the utility of trained models. Driven by such challenges, various research efforts have been proposed to secure FL. However, most existing works have just considered either privacy preservation or robustness against poisoning attacks. In this paper, we propose a new robust and privacy-preserving FL framework RoPPFL for edge computing applications, which supports hierarchical federated learning with privacy preservation as well as robust aggregation against poisoning attacks. RoPPFL delicately bridges local differential privacy for privacy protection and similarity-based robust aggregation for resistance to malicious clients. We formally analyze the convergence and privacy guarantees of RoPPFL. Extensive experiments demonstrate the superior performance of RoPPFL.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Yandong Zheng,Rongxing Lu,Hui Li

DOI: https://doi.org/10.1109/tsc.2024.3377931

2024-01-01

Abstract:The ever-growing data scale and increasingly strict privacy restraint have recently drawn extensive attention to federated learning (FL) as a multi-party machine learning paradigm for achieving high-quality model construction without data collection. Nevertheless, uploading local models in FL can still be exploited by adversaries to infer participants' sensitive data. Furthermore, it is possible for malicious participants to manipulate the global model by submitting poisonous local models. To tackle these challenges, this paper proposes an efficient and privacy-preserving federated learning framework against poisoning adversaries, namely ELFL, which can ensure the confidentiality of local models while effectively resisting data poisoning attacks. Specifically, we first design a grouped secure aggregation algorithm, through which the aggregation server can compute the summations of local models inside logic groups but cannot see individual ones. Then, based on grouped aggregations, our poisoning defense mechanism could detect and quickly phase out malicious participants from training candidates. Moreover, the computational complexity of participants is independent of their total number, so it is suitable for large-scale scenes. Detailed security analysis demonstrates the security of ELFL. Experimental results show that ELFL could maintain a high accuracy against representative data poisoning attacks, and its computational and communication overhead is indeed low.

haibin zheng,Jinyin Chen,Tao Liu,Yao Cheng,Zhao Wang,Yun Wang,Lan Gao,Shouling Ji,Xuhong Zhang

DOI: https://doi.org/10.1145/3702325

IF: 2.717

2024-01-01

ACM Transactions on Privacy and Security

Abstract:Federated learning (FL) enables resource-constrained node devices to learn a shared model while keeping the training data local. Since recent research has demonstrated multiple privacy leakage attacks in FL, e.g., gradient inference attacks and membership inference attacks, differential privacy (DP) is applied to serve as one of the most effective privacy protection mechanisms. Despite the benefit DP brings, we observe that the introduction of DP also brings random changes to client updates, which will affect the robust aggregation algorithms. We reveal a novel poisoning attack under the cover of DP, named the DP-Poison attack in FL. Specifically, the DP-Poison attack is designed to achieve four goals: 1) maintaining the main task performance; 2) launching a successful attack; 3) escaping the robust aggregation algorithms in FL; and 4) keeping the effectiveness of DP privacy protection. To achieve these goals, we design multiple optimization goals to generate DP noise through a genetic algorithm. The optimization ensures that while the benign updates change randomly, the malicious updates can change towards the global model after adding the DP noise, so that it is easier to be accepted by the robust aggregation algorithms. Extensive experiments show that DP-Poison achieves a nearly 100% attack success rate while maintaining the proposed four goals.

Xueyang Li,Xue Yang,Zhengchun Zhou,Rongxing Lu

DOI: https://doi.org/10.1109/tifs.2024.3378006

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning enables clients to train models locally and provide local updates to the server instead of raw dataset, thereby preserving data privacy to some extent. However, adversaries can still pry users’ privacy by inferring updates, and compromise the integrity of the global model through poisoning attack. Therefore, many related works have integrated poisoning attack detection method with secure computation to address both issues. Nevertheless, they still encounter two major challenges: (i) the efficiency is too low to be applied in practice, and (ii) the privacy is still at risk of being leaked, e.g., the distance of two local updates for detecting poisoning attack could be exposed to the server. Aiming at the challenges, in this paper, we propose an Efficient Privacy-preserving and Poisoning attack Resistant scheme for Federated Learning, named EPPRFL, which preserves the privacy for local updates and some intermediate information used to detect poisoning attack. In particular, we design an efficient poisoning attack detection method based on Euclidean distance filtering & clipping technique, named F&C. Then, considering the privacy preservation of the F&C method, we efficiently customize secure comparison, secure median, secure distance computation and secure clipping protocols based on additive secret sharing. Experimental results and theoretical analysis show that compared with existing schemes, EPPRFL can better resist poisoning attack and has lower computational and communication overheads on the client side.

computer science, theory & methods,engineering, electrical & electronic

Geming Xia,Jian Chen,Xinyi Huang,Chaodong Yu,Zhong Zhang

DOI: https://doi.org/10.1109/compsac57700.2023.00101

2023-01-01

Abstract:Federated learning allows participants to share models (gradients) rather than raw data to collaboratively train a global model, enhancing participants' privacy protection but making the global model more vulnerable to poisoning attacks. Poisoning attacks not only lead to the degradation of model performance but also cause a security risk. A mainstream defense strategy against poisoning attacks is that the server identifies malicious models by analyzing the models uploaded by participants. However, the attackers can use the models uploaded by the participants to recover their privacy data, leading to a privacy disclosure. Therefore, participants need to encrypt or perturb the models before uploading them so that all individuals, including the server, cannot access the model, which poses a great challenge for the defense against poisoning attacks. Moreover, many existing defense strategies against poisoning attacks only work well when the data distribution is non-independently and identically distributed. To address these issues, we propose a novel defense strategy for poisoning attacks of federated learning called FL-PTD, which can judge whether the global model is subjected to poisoning attacks without accessing the participant's local model. Besides, Our method incorporates a trust evaluation mechanism, which computes reputation scores based on the historical behavior of participants to identify malicious participants. Finally, we verify our proposed method on several real world datasets. The experimental results show that our method can effectively defend against poisoning attacks and accurately identify attackers without compromising the model's performance.

Yinbin Miao,Xinru Yan,Xinghua Li,Shujiang Xu,Ximeng Liu,Hongwei Li,Robert H. Deng

DOI: https://doi.org/10.1109/tifs.2024.3402113

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning not only realizes collaborative training of models, but also effectively maintains user privacy. However, with the widespread application of privacy-preserving federated learning, poisoning attacks threaten the model utility. Existing defense schemes suffer from a series of problems, including low accuracy, low robustness and reliance on strong assumptions, which limit the practicability of federated learning. To solve these problems, we propose a Robustness-enhanced privacy-preserving Federated learning with scaled dot-product attention (RFed) under dual-server model. Specifically, we design a highly robust defense mechanism that uses a dual-server model instead of traditional single-server model to significantly improve model accuracy and completely eliminate the reliance on strong assumptions. Formal security analysis proves that our scheme achieves convergence and provides privacy protection, and extensive experiments demonstrate that our scheme reduces high computational overhead while guaranteeing privacy preservation and model accuracy, and ensures that the failure rate of poisoning attacks is higher than 96%.

computer science, theory & methods,engineering, electrical & electronic

Shaojun Zuo,Yong Xie,Libing Wu,Jing Wu

DOI: https://doi.org/10.1109/tce.2024.3376561

2024-01-01

IEEE Transactions on Consumer Electronics

Abstract:The large amount of data collected by intelligent devices in consumer electronics cannot be fully utilized because it involves a lot of privacy information. At present, researchers propose many security protection schemes, among which the scheme using edge computing architecture attracts much attention. However, existing schemes cannot simultaneously address security, efficiency, and robustness, especially in the case of intelligent devices dropout. Therefore, we propose an intelligent device data secure federated learning scheme using edge computing architecture named ApaPRFL. ApaPRFL is based on the gradient strong privacy-preserving method using secure secret sharing. It leverages the property of high regional similarity to ensure system stability even when the end devices (intelligent devices) dropout. Additionally, it improves the efficiency of poisoning detection and reduces error rates. The performance of ApaPRFL is evaluated on two real datasets. Experimental results demonstrate that ApaPRFL is more effective in countering two typical poisoning attacks compared to similar schemes.

telecommunications,engineering, electrical & electronic

Mengfan Xu,Xinghua Li

DOI: https://doi.org/10.1007/s11036-023-02231-6

2023-01-01

Abstract:In view of the existing federated learning can only encrypt the model to ensure data privacy, but can not guarantee the correctness of the uploaded model, this paper proposes an anti-poisoning attack intrusion detection scheme based on privacy-preserving federated learning. First, an anti-poisoning attack algorithm based on the encryption model is designed, and a comprehensive anti-attack model is proposed. On this basis, the model defines the defense strategy, and objective function, and introduces the poisoning rate into the objective function to make the model take into account the availability and concealing of attack. The privacy of local data is protected while the intrusion detection model based on knowledge sharing among islands is constructed. The experimental results show that the proposed scheme can greatly improve the robustness of the detection model, and its accuracy rate can reach 83.11% even after being poisoned, and the detection performance has not significantly decreased compared with that before being poisoned.

Ming Yang,Hang Cheng,Fei Chen,Ximeng Liu,Meiqing Wang,Xibin Li

DOI: https://doi.org/10.1016/j.ins.2023.02.025

IF: 8.1

2023-01-01

Information Sciences

Abstract:Although federated learning can provide privacy protection for individual raw data, some studies have shown that the shared parameters or gradients under federated learning may still reveal user privacy. Differential privacy is a promising solution to the above problem due to its small computational overhead. At present, differential privacy-based federated learning generally focuses on the trade-off between privacy and model convergence. Even though differential privacy obscures sensitive information by adding a controlled amount of noise to the confidential data, it opens a new door for model poisoning attacks: attackers can use noise to escape anomaly detection. In this paper, we propose a novel model poisoning attack called Model Shuffle Attack (MSA), which designs a unique way to shuffle and scale the model parameters. If we treat the model as a black box, it behaves like a benign model on test set. Unlike other model poisoning attacks, the malicious model after MSA has high accuracy on test set while reducing the global model convergence speed and even causing the model to diverge. Extensive experiments show that under FedAvg and robust aggregation rules, MSA is able to significantly degrade performance of the global model while guaranteeing stealthiness.

Jiguang Lv,Shuchun Xu,Yi Ling,Dapeng Man,Shuai Han,Wu Yang

DOI: https://doi.org/10.1109/msn60784.2023.00074

2023-01-01

Abstract:Federated learning is designed to train models in a distributed scheme while keeping the clients' data stored locally. The aggregation server only receives local models from clients and does not require clients to upload their local data, in which way it protects the clients' privacy. However, federated learning is vulnerable. The federated learning models are sensitive to poisoning attacks. Existing data poisoning attack methods assume that the attacker and the client have the same data distribution and data volume, which is unpractical. In this paper, we first propose a privacy inference-based poisoning data generation method, FLPDG. FLPDG changes the relationship between data and labels, and uses the data of benign clients to launch poisoning attacks. This method relies on the global model of an iterative update to obtain the data and labels of benign clients. Second, a privacy inference-based data poisoning attack model Poi_PDG is proposed. This model uses the FLPDG method to launch a data poisoning attack under conditions of insufficient original data volume of the attacker. Meanwhile, a defense method PDG_DF is proposed for Poi_PDG. It splits the image data into variance regions and utilizes GANs to hide the visual features of each image region. It controls the degree of feature hiding by setting different thresholds to keep the classification features of the image while ensuring the accuracy of the training model. Finally, several experiments are conducted to evaluate the proposed attack and defense methods, and the experimental results indicate the effectiveness of the methods.

Zhuoran Ma,Jianfeng Ma,Yinbin Miao,Ximeng Liu,Kim-Kwang Raymond Choo,Robert H. Deng,Robert Deng

DOI: https://doi.org/10.1109/tsc.2021.3090771

IF: 11.019

2021-01-01

IEEE Transactions on Services Computing

Abstract:Federated learning has become prevalent in medical diagnosis due to its effectiveness in training a federated model among multiple health institutions (i.e., Data Islands (DIs)). However, increasingly massive DI-level poisoning attacks have shed light on a vulnerability in federated learning, which inject poisoned data into certain DIs to corrupt the availability of the federated model. Previous works on federated learning have been inadequate in ensuring the privacy of DIs and the availability of the final federated model. In this article, we design a secure federated learning mechanism with multiple keys to prevent DI-level poisoning attacks for medical diagnosis, called SFAP. Concretely, SFAP provides privacy-preserving random forest-based federated learning by using the multi-key secure computation, which guarantees the confidentiality of DI-related information. Meanwhile, a secure defense strategy over encrypted locally-submitted models is proposed to resist DI-level poisoning attacks. Finally, our formal security analysis and empirical tests on a public cloud platform demonstrate the security and efficiency of SFAP as well as its capability of resisting DI-level poisoning attacks.

computer science, information systems, software engineering

Jianping Wu,Jiahe Jin,Chunming Wu

DOI: https://doi.org/10.3390/math12060901

IF: 2.4

2024-03-20

Mathematics

Abstract:Federated learning is a distributed learning method used to solve data silos and privacy protection in machine learning, aiming to train global models together via multiple clients without sharing data. However, federated learning itself introduces certain security threats, which pose significant challenges in its practical applications. This article focuses on the common security risks of data poisoning during the training phase of federated learning clients. First, the definition of federated learning, attack types, data poisoning methods, privacy protection technology and data security situational awareness are summarized. Secondly, the system architecture fragility, communication efficiency shortcomings, computing resource consumption and situation prediction robustness of federated learning are analyzed, and related issues that affect the detection of data poisoning attacks are pointed out. Thirdly, a review is provided from the aspects of building a trusted federation, optimizing communication efficiency, improving computing power technology and personalized the federation. Finally, the research hotspots of the federated learning data poisoning attack situation prediction are prospected.

mathematics

Xingchen Zhou,Ming Xu,Yiming Wu,Ning Zheng

DOI: https://doi.org/10.3390/fi13030073

2021-01-01

Future Internet

Abstract:Federated learning is a novel distributed learning framework, which enables thousands of participants to collaboratively construct a deep learning model. In order to protect confidentiality of the training data, the shared information between server and participants are only limited to model parameters. However, this setting is vulnerable to model poisoning attack, since the participants have permission to modify the model parameters. In this paper, we perform systematic investigation for such threats in federated learning and propose a novel optimization-based model poisoning attack. Different from existing methods, we primarily focus on the effectiveness, persistence and stealth of attacks. Numerical experiments demonstrate that the proposed method can not only achieve high attack success rate, but it is also stealthy enough to bypass two existing defense methods.

Xia Feng,Wenhao Cheng,Chunjie Cao,Liangmin Wang,Victor S. Sheng

DOI: https://doi.org/10.1109/tsc.2024.3376255

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:Federated learning (FL) is vulnerable to data poisoning attacks when an adversary attempts to upload poison gradients with the intent to corrupt the global model of FL. Various approaches have been proposed to counter these risks. However, it becomes challenging when one tries to preserve the privacy of FL participants and ensure robustness against data poisoning attacks. In this paper, we propose DPFLA, a novel scheme that can detect poisoning attacks without revealing the actual gradients of participants. DPFLA is a lossless aggregation scheme delicately designed for adopting masks to protect private data while extracting poisoned data features. Specifically, we first apply removable masks to the gradients outputted by each participant. Second, we aggregate the masked data and decompose them using Singular Value Decomposition (SVD) to extract specific features as well as achieve dimensionality reduction. Third, we leverage a clustering paradigm to detect poison gradients from the low dimension and eliminate them in the following training rounds. We conducted extensive experiments to demonstrate that DPFLA can detect poison gradients effectively. Additionally, the comparisons of case studies demonstrate that DPFLA outperforms the state-of-the-art methods.

computer science, information systems, software engineering

Yanan Li,Shusen Yang,Xuebin Ren,Cong Zhao

DOI: https://doi.org/10.48550/arXiv.1912.07902

2019-12-17

Abstract:Federated learning has been showing as a promising approach in paving the last mile of artificial intelligence, due to its great potential of solving the data isolation problem in large scale machine learning. Particularly, with consideration of the heterogeneity in practical edge computing systems, asynchronous edge-cloud collaboration based federated learning can further improve the learning efficiency by significantly reducing the straggler effect. Despite no raw data sharing, the open architecture and extensive collaborations of asynchronous federated learning (AFL) still give some malicious participants great opportunities to infer other parties' training data, thus leading to serious concerns of privacy. To achieve a rigorous privacy guarantee with high utility, we investigate to secure asynchronous edge-cloud collaborative federated learning with differential privacy, focusing on the impacts of differential privacy on model convergence of AFL. Formally, we give the first analysis on the model convergence of AFL under DP and propose a multi-stage adjustable private algorithm (MAPA) to improve the trade-off between model utility and privacy by dynamically adjusting both the noise scale and the learning rate. Through extensive simulations and real-world experiments with an edge-could testbed, we demonstrate that MAPA significantly improves both the model accuracy and convergence speed with sufficient privacy guarantee.

Machine Learning,Optimization and Control

Hyejun Jeong,Hamin Son,Seohu Lee,Jayun Hyun,Tai-Myoung Chung

2024-06-06

Abstract:Federated Learning, designed to address privacy concerns in learning models, introduces a new distributed paradigm that safeguards data privacy but differentiates the attack surface due to the server's inaccessibility to local datasets and the change in protection objective--parameters' integrity. Existing approaches, including robust aggregation algorithms, fail to effectively filter out malicious clients, especially those with non-Independently and Identically Distributed data. Furthermore, these approaches often tackle non-IID data and poisoning attacks separately. To address both challenges simultaneously, we present FedCC, a simple yet novel algorithm. It leverages the Centered Kernel Alignment similarity of Penultimate Layer Representations for clustering, allowing it to identify and filter out malicious clients by selectively averaging chosen parameters, even in non-IID data settings. Our extensive experiments demonstrate the effectiveness of FedCC in mitigating untargeted model poisoning and backdoor attacks. FedCC reduces the attack confidence to a consistent zero compared to existing outlier detection-based and first-order statistics-based methods. Specifically, it significantly minimizes the average degradation of global performance by 65.5\%. We believe that this new perspective of assessing learning models makes it a valuable contribution to the field of FL model security and privacy. The code will be made available upon paper acceptance.

Cryptography and Security,Artificial Intelligence

Liyan Shen,Zhenhan Ke,Jinqiao Shi,Xi Zhang,Yanwei Sun,Jiapeng Zhao,Xuebin Wang,Xiaojie Zhao

DOI: https://doi.org/10.1109/jiot.2023.3339638

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is a distributed machine learning paradigm in the Internet of Things (IoT), which allows multiple devices to collaboratively train models without leaking local data. In the open scenario of IoT, malicious devices can launch poisoning attacks to compromise the final model by submitting crafted gradients. Some previous studies defend against poisoning attacks by analyzing the statistical characteristics of plaintext gradients. However, plaintext gradients would expose private information to malicious FL devices or servers. To simultaneously resist poisoning attacks and preserve privacy, cryptography technology can be utilized to obfuscate the gradients in defense methods, but the private calculation of resisting poisoning attack methods will cause efficiency problems, especially imposing unaffordable overhead on resource-limited IoT devices. Therefore, resisting poisoning attacks efficiently while protecting privacy remains a challenge. This paper proposes a secure and privacy-enhanced FL (SPEFL) framework for efficient privacy-preserving and poisoning-resistant federated learning in IoT. We design an efficient secure computation protocol based on a three-server architecture to facilitate the cryptographic computation of large linear and complex nonlinear operators in the method against poisoning attacks. In SPEFL, most of the calculations are efficiently performed on the servers, which will not impose too much burden on resource-limited IoT devices. In addition, we design a security-enhanced verifiable protocol to detect the malicious behavior of the server and guarantee the correctness of FL aggregation results. Experimental and theoretical results demonstrate that SPEFL can efficiently complete FL training meanwhile guaranteeing the accuracy of the model.

Jiao Liu,Xinghua Li,Ximeng Liu,Haiyan Zhang,Yinbin Miao,Robert H. Deng

DOI: https://doi.org/10.1109/tnnls.2024.3423397

IF: 14.255

2024-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Federated learning (FL) has become a popular mode of learning, allowing model training without the need to share data. Unfortunately, it remains vulnerable to privacy leakage and poisoning attacks, which compromise user data security and degrade model quality. Therefore, numerous privacy-preserving frameworks have been proposed, among which mask-based framework has certain advantages in terms of efficiency and functionality. However, it is more susceptible to poisoning attacks from malicious users, and current works lack practical means to detect such attacks within this framework. To overcome this challenge, we present DefendFL, an efficient, privacy-preserving, and poisoning-detectable mask-based FL scheme. We first leverage collinearity mask to protect users’ gradient privacy. Then, cosine similarity is utilized to detect masked gradients to identify poisonous gradients. Meanwhile, a verification mechanism is designed to detect the mask, ensuring the mask’s validity in aggregation and preventing poisoning attacks by intentionally changing the mask. Finally, we resist poisoning attacks by removing malicious gradients or lowering their weights in aggregation. Through security analysis and experimental evaluation, DefendFL can effectively detect and mitigate poisoning attacks while outperforming existing privacy-preserving detection works in efficiency.

Gan Sun,Yang Cong,Jiahua Dong,Qiang Wang,Lingjuan Lyu,Ji Liu

DOI: https://doi.org/10.1109/jiot.2021.3128646

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Federated machine learning which enables resource-constrained node devices (e.g., Internet of Things (IoT) devices and smartphones) to establish a knowledge-shared model while keeping the raw data local, could provide privacy preservation, and economic benefit by designing an effective communication protocol. However, this communication protocol can be adopted by attackers to launch data poisoning attacks for different nodes, which has been shown as a big threat to most machine learning models. Therefore, we in this article intend to study the model vulnerability of federated machine learning, and even on IoT systems. To be specific, we here attempt to attacking a popular federated multitask learning framework, which uses a general multitask learning framework to handle statistical challenges in the federated learning setting. The problem of calculating optimal poisoning attacks on federated multitask learning is formulated as a bilevel program, which is adaptive to the arbitrary selection of target nodes and source attacking nodes. We then propose a novel systems-aware optimization method, called as attack on federated learning (AT2FL), to efficiently derive the implicit gradients for poisoned data, and further attain optimal attack strategies in the federated machine learning. This is an earlier work, to our knowledge, that explores attacking federated machine learning via data poisoning. Finally, experiments on several real-world data sets demonstrate that when the attackers directly poison the target nodes or indirectly poison the related nodes via using the communication protocol, the federated multitask learning model is sensitive to both poisoning attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic