Shanshan Han,Baturalp Buyukates,Zijian Hu,Han Jin,Weizhao Jin,Lichao Sun,Xiaoyang Wang,Wenxuan Wu,Chulin Xie,Yuhang Yao,Kai Zhang,Qifan Zhang,Yuhui Zhang,Carlee Joe-Wong,Salman Avestimehr,Chaoyang He

2024-06-21

Abstract:This paper introduces FedSecurity, an end-to-end benchmark that serves as a supplementary component of the FedML library for simulating adversarial attacks and corresponding defense mechanisms in Federated Learning (FL). FedSecurity eliminates the need for implementing the fundamental FL procedures, e.g., FL training and data loading, from scratch, thus enables users to focus on developing their own attack and defense strategies. It contains two key components, including FedAttacker that conducts a variety of attacks during FL training, and FedDefender that implements defensive mechanisms to counteract these attacks. FedSecurity has the following features: i) It offers extensive customization options to accommodate a broad range of machine learning models (e.g., Logistic Regression, ResNet, and GAN) and FL optimizers (e.g., FedAVG, FedOPT, and FedNOVA); ii) it enables exploring the effectiveness of attacks and defenses across different datasets and models; and iii) it supports flexible configuration and customization through a configuration file and some APIs. We further demonstrate FedSecurity's utility and adaptability through federated training of Large Language Models (LLMs) to showcase its potential on a wide range of complex applications.

Cryptography and Security,Artificial Intelligence

Zekai Chen,Fuyi Wang,Zhiwei Zheng,Ximeng Liu,Yujie Lin

2023-07-01

Abstract:Federated learning (FL) enables multiple clients to collaboratively train deep learning models while considering sensitive local datasets' privacy. However, adversaries can manipulate datasets and upload models by injecting triggers for federated backdoor attacks (FBA). Existing defense strategies against FBA consider specific and limited attacker models, and a sufficient amount of noise to be injected only mitigates rather than eliminates FBA. To address these deficiencies, we introduce a Flexible Federated Backdoor Defense Framework (Fedward) to ensure the elimination of adversarial backdoors. We decompose FBA into various attacks, and design amplified magnitude sparsification (AmGrad) and adaptive OPTICS clustering (AutoOPTICS) to address each attack. Meanwhile, Fedward uses the adaptive clipping method by regarding the number of samples in the benign group as constraints on the boundary. This ensures that Fedward can maintain the performance for the Non-IID scenario. We conduct experimental evaluations over three benchmark datasets and thoroughly compare them to state-of-the-art studies. The results demonstrate the promising defense performance from Fedward, moderately improved by 33% $\sim$ 75 in clustering defense methods, and 96.98%, 90.74%, and 89.8% for Non-IID to the utmost extent for the average FBA success rate over MNIST, FMNIST, and CIFAR10, respectively.

Machine Learning,Cryptography and Security

Chaoyang He,Songze Li,Jinhyun So,Xiao Zeng,Mi Zhang,Hongyi Wang,Xiaoyang Wang,Praneeth Vepakomma,Abhishek Singh,Hang Qiu,Xinghua Zhu,Jianzong Wang,Li Shen,Peilin Zhao,Yan Kang,Yang Liu,Ramesh Raskar,Qiang Yang,Murali Annavaram,Salman Avestimehr

DOI: https://doi.org/10.48550/arxiv.2007.13518

2020-01-01

Abstract:Federated learning (FL) is a rapidly growing research field in machine learning. However, existing FL libraries cannot adequately support diverse algorithmic development; inconsistent dataset and model usage make fair algorithm comparison challenging. In this work, we introduce FedML, an open research library and benchmark to facilitate FL algorithm development and fair performance comparison. FedML supports three computing paradigms: on-device training for edge devices, distributed computing, and single-machine simulation. FedML also promotes diverse algorithmic research with flexible and generic API design and comprehensive reference baseline implementations (optimizer, models, and datasets). We hope FedML could provide an efficient and reproducible means for developing and evaluating FL algorithms that would benefit the FL research community. We maintain the source code, documents, and user community at https://fedml.ai.

Bo Yu,Huajie Shen,Qian Xu,Wei He,Wankui Mao,Qing Zhang,Fan Zhang

DOI: https://doi.org/10.1145/3634737.3656285

2024-01-01

Abstract:Federated Learning (FL) has attracted increasing attention from both academia and industry due to its merit of securely constructing AI models across multiple entities while preserving the privacy of local training data. However, recent research shows two persisting problems in FL that have yet to be solved: (1) limited practical adaptation of federated learning because of time-consuming conventional privacy-preserving methods, and (2) the absence of quantum-computing resistance in these methods. To address these problems, we propose a novel vertical federated learning strategy, HQsFL, which relies on Fully Homomorphic Encryption (FHE) and Matrix Vector Product basing on Coefficient Encoding. The proposed method can be widely applied to FL algorithms such as logistic regression and XGBoost, etc. We fully implement our approach and evaluate its utility and efficiency through extensive experiments performed on four synthetic datasets. The experimental results demonstrate that our proposed methods for vertical LR and XGBoost achieve comparable levels of AUC to conventional methods, while significantly improving training efficiency and achieving security property of quantum-computing resistance.

Isaac Baglin,Xiatian Zhu,Simon Hadfield

2024-11-05

Abstract:Federated Learning is a privacy preserving decentralized machine learning paradigm designed to collaboratively train models across multiple clients by exchanging gradients to the server and keeping private data local. Nevertheless, recent research has revealed that the security of Federated Learning is compromised, as private ground truth data can be recovered through a gradient inversion technique known as Deep Leakage. While these attacks are crafted with a focus on applications in Federated Learning, they generally are not evaluated in realistic scenarios. This paper introduces the FEDLAD Framework (Federated Evaluation of Deep Leakage Attacks and Defenses), a comprehensive benchmark for evaluating Deep Leakage attacks and defenses within a realistic Federated context. By implementing a unified benchmark that encompasses multiple state-of-the-art Deep Leakage techniques and various defense strategies, our framework facilitates the evaluation and comparison of the efficacy of these methods across different datasets and training states. This work highlights a crucial trade-off between privacy and model accuracy in Federated Learning and aims to advance the understanding of security challenges in decentralized machine learning systems, stimulate future research, and enhance reproducibility in evaluating Deep Leakage attacks and defenses.

Cryptography and Security,Computer Vision and Pattern Recognition

Zhou Tan,Jianping Cai,De Li,Puwei Lian,Ximeng Liu,Yan Che

DOI: https://doi.org/10.1016/j.neunet.2024.107016

IF: 7.8

2024-12-13

Neural Networks

Abstract:Federated Learning (FL) is an efficient, distributed machine learning paradigm that enables multiple clients to jointly train high-performance deep learning models while maintaining training data locally. However, due to its distributed computing nature, malicious clients can manipulate the prediction of the trained model through backdoor attacks. Existing defense methods require significant computational and communication overhead during the training or testing phases, limiting their practicality in resource-constrained scenarios and being unsuitable for the Non-IID data distribution typical in general FL scenarios. To address these challenges, we propose the FedPD framework, in which servers and clients exchange prototypes rather than model parameters, preventing the implantation of backdoor channels by malicious clients during FL training and effectively eliminating the success of backdoor attacks at the source, significantly reducing communication overhead. Additionally, prototypes can serve as global knowledge to correct clients' local training. Experiments and performance analysis show that FedPD achieves superior and consistent defense performance compared to existing representative approaches against backdoor attacks. In specific scenarios, FedPD can reduce the success rate of attacks by 90.73% compared to FedAvg without defense while maintaining the main task accuracy above 90%.

computer science, artificial intelligence,neurosciences

Rui Ye,Jingyi Chai,Xiangrui Liu,Yaodong Yang,Yanfeng Wang,Siheng Chen

2024-06-15

Abstract:Federated learning (FL) enables multiple parties to collaboratively fine-tune an large language model (LLM) without the need of direct data sharing. Ideally, by training on decentralized data that is aligned with human preferences and safety principles, federated instruction tuning can result in an LLM that could behave in a helpful and safe manner. In this paper, we for the first time reveal the vulnerability of safety alignment in FedIT by proposing a simple, stealthy, yet effective safety attack method. Specifically, the malicious clients could automatically generate attack data without involving manual efforts and attack the FedIT system by training their local LLMs on such attack data. Unfortunately, this proposed safety attack not only can compromise the safety alignment of LLM trained via FedIT, but also can not be effectively defended against by many existing FL defense methods. Targeting this, we further propose a post-hoc defense method, which could rely on a fully automated pipeline: generation of defense data and further fine-tuning of the LLM. Extensive experiments show that our safety attack method can significantly compromise the LLM's safety alignment (e.g., reduce safety rate by 70\%), which can not be effectively defended by existing defense methods (at most 4\% absolute improvement), while our safety defense method can significantly enhance the attacked LLM's safety alignment (at most 69\% absolute improvement).

Computation and Language,Artificial Intelligence,Cryptography and Security,Multiagent Systems

Kun Zhao,Wei Xi,Zhi Wang,Jizhong Zhao,Ruimeng Wang,Zhiping Jiang

DOI: https://doi.org/10.1109/mis.2020.3007207

IF: 6.744

2020-01-01

IEEE Intelligent Systems

Abstract:Data security and user privacy-issue have become an important field. As federated learning (FL) could solve the problems from data security and privacy-issue, it starts to be applied in many different applied machine learning tasks. However, FL does not verify the quality of the data from different parties in the system. Hence, the low-quality datasets with fewer common entities can be cotrained with others. This could result in a huge amount of computing-resources waste, and the attack on the FL model from malicious clients as federal members. To solve this problem, this article proposes a secure member selection strategy (SMSS), which can evaluate the data qualities of members before training. With SMSS, only datasets share more common entities than a certain threshold can be selected for learning, whereas malicious clients with fewer common objects cannot acquire any information about the model. This article implements SMSS, and evaluate its performance via several extensive experiments. Experimental results demonstrate that SMSS is safe, efficient, and effective.

Minghui Li,Wei Wan,Yuxuan Ning,Shengshan Hu,Lulu Xue,Leo Yu Zhang,Yichen Wang

2024-05-06

Abstract:Federated learning (FL) has been demonstrated to be susceptible to backdoor attacks. However, existing academic studies on FL backdoor attacks rely on a high proportion of real clients with main task-related data, which is impractical. In the context of real-world industrial scenarios, even the simplest defense suffices to defend against the state-of-the-art attack, 3DFed. A practical FL backdoor attack remains in a nascent stage of development.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Qingdi Han,Siqi Lu,Wenhao Wang,Haipeng Qu,Jingsheng Li,Yang Gao

DOI: https://doi.org/10.1002/cpe.8084

2024-03-20

Concurrency and Computation Practice and Experience

Abstract:Summary Federated learning (FL) has emerged as a promising solution to address the challenges posed by data silos and the need for global data fusion. It offers a distributed machine learning framework with privacy‐preserving features, allowing model training without the need to collect user data. However, FL also presents significant security and privacy threats that hinder its widespread adoption. The requirements of privacy and security in FL are inherently conflicting. Privacy necessitates the concealment of individual client updates, while security requires the disclosure of client updates to detect anomalies. While most existing research focused on the privacy and security aspects of FL, very few studies have addressed the compatibility of these two demands. In this work, we aim to bridge this gap by proposing a comprehensive defense scheme that ensures privacy, security, and compatibility in FL. We categorize the existing literature into two key directions: privacy defense and security defense. Privacy defense includes methods based on additive masks, differential privacy, homomorphic encryption, and trusted execution environment, whereas security defense encompasses distance‐, performance‐, clustering‐, and similarity‐based anomaly detection techniques and statistical information‐based anomaly update bypassing techniques when the server is trusted and privacy‐compatible anomaly update detection techniques when the server is not trusted. In addition, this article presents decentralized FL solutions based on blockchain. For each direction, we discuss specific technical solutions, their advantages, and disadvantages. By evaluating various defense methods, we identify the most suitable approach to address the primary challenge of "achieving a secure and robust FL system against malicious adversaries while protecting users' privacy." We then propose a theoretical reference framework for end‐to‐end protection of privacy and security in FL for the key problem, which summarizes the attack surface of FL systems from the client to the server under the security model where the client and server are malicious. Leveraging the strengths and characteristics of existing schemes, our proposed framework integrates multiple techniques to strike a balance between privacy, usability, and efficiency. This framework serves as a valuable reference and provides insights for future work in the field. Finally, we also provide recommendations for future research directions in this field.

computer science, theory & methods, software engineering

Qammar, Attia,Ding, Jianguo,Ning, Huansheng

DOI: https://doi.org/10.1007/s10462-021-10098-w

IF: 9.588

2021-01-01

Artificial Intelligence Review

Abstract:Federated learning (FL) has received a great deal of research attention in the context of privacy protection restrictions. By jointly training deep learning models, a variety of training tasks can be competently performed with the help of invited participants. However, FL is concerned with a large number of attacks involving privacy and security aspects. This paper shows a federated learning workflow process and how a malicious client can exploit vulnerabilities in the FL system to attack the system. A systematic survey of existing research on the taxonomy of federated learning attack surface and the classification is presented. As with the FL attack surface, attackers compromise security, privacy, gain free incentives and abuse the Confidentiality, Integrity, and Availability (CIA) security triad. In addition, state-of-the-art defensive approaches against FL attacks are elaborated which help to protect and minimize the likelihood of attacks. FL models and tools for privacy attacks are explained, along with their best aspects and drawbacks. Finally, technical challenges and possible research guidelines are discussed as future work to build robust FL systems.

Tiantian Feng,Digbalay Bose,Tuo Zhang,Rajat Hebbar,Anil Ramakrishna,Rahul Gupta,Mi Zhang,Salman Avestimehr,Shrikanth Narayanan

DOI: https://doi.org/10.1145/3580305.3599825

2023-08-04

Abstract:Over the past few years, Federated Learning (FL) has become an emerging machine learning technique to tackle data privacy challenges through collaborative training. In the Federated Learning algorithm, the clients submit a locally trained model, and the server aggregates these parameters until convergence. Despite significant efforts that have been made to FL in fields like computer vision, audio, and natural language processing, the FL applications utilizing multimodal data streams remain largely unexplored. It is known that multimodal learning has broad real-world applications in emotion recognition, healthcare, multimedia, and social media, while user privacy persists as a critical concern. Specifically, there are no existing FL benchmarks targeting multimodal applications or related tasks. In order to facilitate the research in multimodal FL, we introduce FedMultimodal, the first FL benchmark for multimodal learning covering five representative multimodal applications from ten commonly used datasets with a total of eight unique modalities. FedMultimodal offers a systematic FL pipeline, enabling end-to-end modeling framework ranging from data partition and feature extraction to FL benchmark algorithms and model evaluation. Unlike existing FL benchmarks, FedMultimodal provides a standardized approach to assess the robustness of FL against three common data corruptions in real-life multimodal applications: missing modalities, missing labels, and erroneous labels. We hope that FedMultimodal can accelerate numerous future research directions, including designing multimodal FL algorithms toward extreme data heterogeneity, robustness multimodal FL, and efficient multimodal FL. The datasets and benchmark results can be accessed at: https://github.com/usc-sail/fed-multimodal.

Yao Chen,Yijie Gui,Hong Lin,Wensheng Gan,Yongdong Wu

DOI: https://doi.org/10.48550/arXiv.2211.14952

2022-11-27

Cryptography and Security

Abstract:In terms of artificial intelligence, there are several security and privacy deficiencies in the traditional centralized training methods of machine learning models by a server. To address this limitation, federated learning (FL) has been proposed and is known for breaking down ``data silos" and protecting the privacy of users. However, FL has not yet gained popularity in the industry, mainly due to its security, privacy, and high cost of communication. For the purpose of advancing the research in this field, building a robust FL system, and realizing the wide application of FL, this paper sorts out the possible attacks and corresponding defenses of the current FL system systematically. Firstly, this paper briefly introduces the basic workflow of FL and related knowledge of attacks and defenses. It reviews a great deal of research about privacy theft and malicious attacks that have been studied in recent years. Most importantly, in view of the current three classification criteria, namely the three stages of machine learning, the three different roles in federated learning, and the CIA (Confidentiality, Integrity, and Availability) guidelines on privacy protection, we divide attack approaches into two categories according to the training stage and the prediction stage in machine learning. Furthermore, we also identify the CIA property violated for each attack method and potential attack role. Various defense mechanisms are then analyzed separately from the level of privacy and security. Finally, we summarize the possible challenges in the application of FL from the aspect of attacks and defenses and discuss the future development direction of FL systems. In this way, the designed FL system has the ability to resist different attacks and is more secure and stable.

Shuo Xu,Hui Xia,Rui Zhang,Peishun Liu,Yu Fu

DOI: https://doi.org/10.1016/j.ins.2024.121274

IF: 8.1

2024-01-01

Information Sciences

Abstract:Addressing data security and data silo issues in Edge Intelligence, this paper proposes a Byzantine-resilient framework (FedNor) for Federated Learning (FL). FedNor integrates robust statistical methods with personalized FL strategies to enhance resilience against malicious updates while maintaining model generalization capabilities. The framework comprises two key components: the Robust Normal Aggregation (RN) module and the Personalized Fusion (PF) module. The RN module employs normality tests to identify and rectify anomalous updates, thereby ensuring the integrity and quality of model updates. Concurrently, the PF module incorporates data distribution considerations when integrating global and local models to optimize model security and accuracy. Experimental results demonstrate FedNor's effectiveness in mitigating eight distinct poisoning attacks on the MNIST datasets, with minimal accuracy degradation ranging from 0.42% to 1.96%. Furthermore, FedNor limits the backdoor attack success rate on the CIFAR-10 datasets to below 20%, while maintaining accuracy comparable to personalized FL schemes.

Junpeng Zhang,Hui Zhu,Fengwei Wang,Jiaqi Zhao,Qi Xu,Hui Li

DOI: https://doi.org/10.1155/2022/2886795

IF: 1.968

2022-09-30

Security and Communication Networks

Abstract:Federated learning (FL) has nourished a promising method for data silos, which enables multiple participants to construct a joint model collaboratively without centralizing data. The security and privacy considerations of FL are focused on ensuring the robustness of the global model and the privacy of participants' information. However, the FL paradigm is under various security threats from the adversary aggregator and participants. Therefore, it is necessary to comprehensively identify and classify potential threats to provide a theoretical basis for FL with security guarantees. In this paper, a unique classification of attacks, which reviews state-of-the-art research on security and privacy issues for FL, is constructed from the perspective of malicious threats based on different computing parties. Specifically, we categorize attacks with respect to performed by aggregator and participant, highlighting the Deep Gradients Leakage attacks and Generative Adversarial Networks attacks. Following an overview of attack methods, we discuss the primary mitigation techniques against security risks and privacy breaches, especially the application of blockchain and Trusted Execution Environments. Finally, several promising directions for future research are discussed.

computer science, information systems,telecommunications

Sungwon Park,Sungwon Han,Fangzhao Wu,Sundong Kim,Bin Zhu,Xing Xie,Meeyoung Cha

DOI: https://doi.org/10.48550/arXiv.2307.09048

2023-07-18

Abstract:Federated learning enables learning from decentralized data sources without compromising privacy, which makes it a crucial technique. However, it is vulnerable to model poisoning attacks, where malicious clients interfere with the training process. Previous defense mechanisms have focused on the server-side by using careful model aggregation, but this may not be effective when the data is not identically distributed or when attackers can access the information of benign clients. In this paper, we propose a new defense mechanism that focuses on the client-side, called FedDefender, to help benign clients train robust local models and avoid the adverse impact of malicious model updates from attackers, even when a server-side defense cannot identify or remove adversaries. Our method consists of two main components: (1) attack-tolerant local meta update and (2) attack-tolerant global knowledge distillation. These components are used to find noise-resilient model parameters while accurately extracting knowledge from a potentially corrupted global model. Our client-side defense strategy has a flexible structure and can work in conjunction with any existing server-side strategies. Evaluations of real-world scenarios across multiple datasets show that the proposed method enhances the robustness of federated learning against model poisoning attacks.

Cryptography and Security,Artificial Intelligence

Huiming Chen,Huandong Wang,Qingyue Long,Depeng Jin,Yong Li

DOI: https://doi.org/10.48550/arXiv.2302.11466

IF: 14.4

2023-02-22

Artificial Intelligence

Abstract:Federated learning (FL) is a promising technique for addressing the rising privacy and security issues. Its main ingredient is to cooperatively learn the model among the distributed clients without uploading any sensitive data. In this paper, we conducted a thorough review of the related works, following the development context and deeply mining the key technologies behind FL from both theoretical and practical perspectives. Specifically, we first classify the existing works in FL architecture based on the network topology of FL systems with detailed analysis and summarization. Next, we abstract the current application problems, summarize the general techniques and frame the application problems into the general paradigm of FL base models. Moreover, we provide our proposed solutions for model training via FL. We have summarized and analyzed the existing FedOpt algorithms, and deeply revealed the algorithmic development principles of many first-order algorithms in depth, proposing a more generalized algorithm design framework. Based on these frameworks, we have instantiated FedOpt algorithms. As privacy and security is the fundamental requirement in FL, we provide the existing attack scenarios and the defense methods. To the best of our knowledge, we are among the first tier to review the theoretical methodology and propose our strategies since there are very few works surveying the theoretical approaches. Our survey targets motivating the development of high-performance, privacy-preserving, and secure methods to integrate FL into real-world applications.

Jinhe Long,Zekai Chen,Fuyi Wang,Jianping Cai,Ximeng Liu

DOI: https://doi.org/10.1109/icme57554.2024.10687918

2024-01-01

Abstract:Federated Learning (FL) enables multiple clients to collaborate in training neural network models while retaining their private data locally. Despite its advantages, FL is vulnerable to backdoor attacks due to its distributed nature. Attackers introduce triggers into the global model, causing it to make specified predictions on inputs containing these triggers. Existing detection or clustering defense methods based on distance and similarity have significant limitations. Methods based on clipping and adding noise can only slightly mitigate the impact of backdoor attacks. To achieve a better defense, we introduce FedCL, a backdoor defense framework that accurately detects backdoor models by assessing the uncertainty of model predictions. Additionally, it employs dynamic clipping to limit model updates’ impact, successfully mitigating backdoor attacks without compromising the global model’s accuracy. The experiments indicate that FedCL moderately improves by 0.01%↑ ∼ 85.78%↑ than the state-of-the-art (SOTA) defense methods, especially in the CIFAR-10 task trained with more complex networks.

Jie Zhang,Bo Li,Chen Chen,Lingjuan Lyu,Shuang Wu,Shouhong Ding,Chao Wu

DOI: https://doi.org/10.48550/arXiv.2302.09479

2023-02-19

Abstract:In Federated Learning (FL), models are as fragile as centrally trained models against adversarial examples. However, the adversarial robustness of federated learning remains largely unexplored. This paper casts light on the challenge of adversarial robustness of federated learning. To facilitate a better understanding of the adversarial vulnerability of the existing FL methods, we conduct comprehensive robustness evaluations on various attacks and adversarial training methods. Moreover, we reveal the negative impacts induced by directly adopting adversarial training in FL, which seriously hurts the test accuracy, especially in non-IID settings. In this work, we propose a novel algorithm called Decision Boundary based Federated Adversarial Training (DBFAT), which consists of two components (local re-weighting and global regularization) to improve both accuracy and robustness of FL systems. Extensive experiments on multiple datasets demonstrate that DBFAT consistently outperforms other baselines under both IID and non-IID settings.

Machine Learning,Artificial Intelligence,Cryptography and Security