Jinyu Liu,Ziyang Wang,Qing Yang,Sissi Xiaoxiao Wu

DOI: https://doi.org/10.1109/wocc55104.2022.9880591

2022-01-01

Abstract:We focus on the security issues of decentralized federated learning systems for the core requirements of secure environments and trusted computing for applications such as medical big data, distributed cognitive learning, and autonomous driving. We propose a three-layer security assurance model that aims to ensure secure trusted computing in decentralized networks. Therein, the first-layer security model realizes the authentication of trusted users through blockchain technology to ensure the safe access of legitimate users to the greatest extent; the second-layer security model utilizes the trusted execution environment (TEE) technology to realize the privacy protection and trusted computing of each local user; the last layer of security model adopts a set of detection and location algorithms for defending the internal attackers, in case the first two layers of models fail. Our experimental results show that the proposed three-layer security model can effectively defend against external and internal attacks in the network, thereby promoting secure and trusted computing in distributed federated learning networks.

Depeng Chen,Xiao Jiang,Hong Zhong,Jie Cui

DOI: https://doi.org/10.3390/jsan12010013

2023-01-01

Journal of Sensor and Actuator Networks

Abstract:Federated learning (FL) provides convenience for cross-domain machine learning applications and has been widely studied. However, the original FL is still vulnerable to poisoning and inference attacks, which will hinder the landing application of FL. Therefore, it is essential to design a trustworthy federation learning (TFL) to eliminate users' anxiety. In this paper, we aim to provide a well-researched picture of the security and privacy issues in FL that can bridge the gap to TFL. Firstly, we define the desired goals and critical requirements of TFL, observe the FL model from the perspective of the adversaries and extrapolate the roles and capabilities of potential adversaries backward. Subsequently, we summarize the current mainstream attack and defense means and analyze the characteristics of the different methods. Based on a priori knowledge, we propose directions for realizing the future of TFL that deserve attention.

Yifei Zhang,Dun Zeng,Jinglong Luo,Xinyu Fu,Guanzhong Chen,Zenglin Xu,Irwin King

DOI: https://doi.org/10.1145/3678181

IF: 5

2024-07-23

ACM Transactions on Intelligent Systems and Technology

Abstract:Trustworthy Artificial Intelligence (TAI) has proven invaluable in curbing potential negative repercussions tied to AI applications. Within the TAI spectrum, Federated Learning (FL) emerges as a promising solution to safeguard personal information in distributed settings across a multitude of practical contexts. However, the realm of FL is not without its challenges. Especially worrisome are adversarial attacks targeting its algorithmic robustness and systemic confidentiality. Moreover, the presence of biases and opacity in prediction outcomes further complicates FL’s broader adoption. Consequently, there is a growing expectation for FL to instill trust. To address this, we chart out a comprehensive road-map for Trustworthy Federated Learning (TFL) and provide an overview of existing efforts across four pivotal dimensions: Privacy & Security , Robustness , Fairness , and Explainability . For each dimension, we identify potential pitfalls that might undermine TFL and present a curated selection of defensive strategies, enriched by a discourse on technical solutions tailored for TFL. Furthermore, we present potential challenges and future directions to be explored for in-depth TFL research with broader impacts.

computer science, information systems, artificial intelligence

Meng Hao,Hongwei Li,Guowen Xu,Hanxiao Chen,Tianwei Zhang

DOI: https://doi.org/10.1145/3485832.3488014

2021-12-06

Abstract:Federated learning (FL) has demonstrated tremendous success in various mission-critical large-scale scenarios. However, such promising distributed learning paradigm is still vulnerable to privacy inference and byzantine attacks. The former aims to infer the privacy of target participants involved in training, while the latter focuses on destroying the integrity of the constructed model. To mitigate the above two issues, a few works recently explored unified solutions by utilizing generic secure computation techniques and common byzantine-robust aggregation rules, but there are two major limitations: 1) they suffer from impracticality due to efficiency bottlenecks, and 2) they are still vulnerable to various types of attacks because of model incomprehensiveness. To approach the above problems, in this paper, we present SecureFL, an efficient, private and byzantine-robust FL framework. SecureFL follows the state-of-the-art byzantine-robust FL method (FLTrust NDSS’21), which performs comprehensive byzantine defense by normalizing the updates’ magnitude and measuring directional similarity, adapting it to the privacy-preserving context. More importantly, we carefully customize a series of cryptographic components. First, we design a crypto-friendly validity checking protocol that functionally replaces the normalization operation in FLTrust, and further devise tailored cryptographic protocols on top of it. Benefiting from the above optimizations, the communication and computation costs are reduced by half without sacrificing the robustness and privacy protection. Second, we develop a novel preprocessing technique for costly matrix multiplication. With this technique, the directional similarity measurement can be evaluated securely with negligible computation overhead and zero communication cost. Extensive evaluations conducted on three real-world datasets and various neural network architectures demonstrate that SecureFL outperforms prior art up to two orders of magnitude in efficiency with state-of-the-art byzantine robustness.

Yifei Zhang,Dun Zeng,Jinglong Luo,Zenglin Xu,Irwin King

DOI: https://doi.org/10.1145/3543873.3587681

2023-01-01

Abstract:Trustworthy artificial intelligence (AI) technology has revolutionized daily life and greatly benefited human society. Among various AI technologies, Federated Learning (FL) stands out as a promising solution for diverse real-world scenarios, ranging from risk evaluation systems in finance to cutting-edge technologies like drug discovery in life sciences. However, challenges around data isolation and privacy threaten the trustworthiness of FL systems. Adversarial attacks against data privacy, learning algorithm stability, and system confidentiality are particularly concerning in the context of distributed training in federated learning. Therefore, it is crucial to develop FL in a trustworthy manner, with a focus on robustness and privacy. In this survey, we propose a comprehensive roadmap for developing trustworthy FL systems and summarize existing efforts from two key aspects: robustness and privacy. We outline the threats that pose vulnerabilities to trustworthy federated learning across different stages of development, including data processing, model training, and deployment. To guide the selection of the most appropriate defense methods, we discuss specific technical solutions for realizing each aspect of Trustworthy FL (TFL). Our approach differs from previous work that primarily discusses TFL from a legal perspective or presents FL from a high-level, non-technical viewpoint.

Xiaoyu Cao,Minghong Fang,Jia Liu,Neil Zhenqiang Gong

DOI: https://doi.org/10.48550/arXiv.2012.13995

2022-04-12

Abstract:Byzantine-robust federated learning aims to enable a service provider to learn an accurate global model when a bounded number of clients are malicious. The key idea of existing Byzantine-robust federated learning methods is that the service provider performs statistical analysis among the clients' local model updates and removes suspicious ones, before aggregating them to update the global model. However, malicious clients can still corrupt the global models in these methods via sending carefully crafted local model updates to the service provider. The fundamental reason is that there is no root of trust in existing federated learning methods. In this work, we bridge the gap via proposing FLTrust, a new federated learning method in which the service provider itself bootstraps trust. In particular, the service provider itself collects a clean small training dataset (called root dataset) for the learning task and the service provider maintains a model (called server model) based on it to bootstrap trust. In each iteration, the service provider first assigns a trust score to each local model update from the clients, where a local model update has a lower trust score if its direction deviates more from the direction of the server model update. Then, the service provider normalizes the magnitudes of the local model updates such that they lie in the same hyper-sphere as the server model update in the vector space. Our normalization limits the impact of malicious local model updates with large magnitudes. Finally, the service provider computes the average of the normalized local model updates weighted by their trust scores as a global model update, which is used to update the global model. Our extensive evaluations on six datasets from different domains show that our FLTrust is secure against both existing attacks and strong adaptive attacks.

Cryptography and Security,Artificial Intelligence,Distributed, Parallel, and Cluster Computing

Chang Xu,Yu Jia,Liehuang Zhu,Chuan Zhang,Guoxie Jin,Kashif Sharif

DOI: https://doi.org/10.1109/tpds.2022.3205714

IF: 5.3

2022-09-30

IEEE Transactions on Parallel and Distributed Systems

Abstract:Federated learning (FL) enables data owners to train a joint global model without sharing private data. However, it is vulnerable to Byzantine attackers that can launch poisoning attacks to destroy model training. Existing defense strategies rely on the additional datasets to train trustable server models or trusted execution environments to mitigate attacks. Besides, these strategies can only tolerate a small number of malicious users or resist a few types of poisoning attacks. To address these challenges, we design a novel federated learning method TDFL, Truth Discovery based Federated Learning, which can defend against multiple poisoning attacks without additional datasets even when the Byzantine users are ≥50%. Specifically, the TDFL considers different scenarios with different malicious proportions. For Honest-majority setting (Byzantine <50%), we design a special robust truth discovery aggregation scheme to remove malicious model updates, which can assign weights according to users' contribution; for Byzantine-majority setting (Byzantine ≥50%), w- use maximum clique-based filter to guarantee global model quality. To the best of our knowledge, this is the first study that uses truth discovery to defend against poisoning attacks. It is also the first scheme which can achieve strong robustness under multiple kinds of attacks launched by high proportion attackers without root datasets. Extensive comparative experiments are designed with five state-of-the-art aggregation rules under five types of classical poisoning attacks on different datasets. The experimental results demonstrate that TDFL is practical and achieves reasonable Byzantine-robustness.

computer science, theory & methods,engineering, electrical & electronic

Yanbin Li,Xuemei Wang,Runkang Sun,Xiaojun Xie,Shijia Ying,Shougang Ren

DOI: https://doi.org/10.1016/j.knosys.2023.110763

2023-01-01

Abstract:Federated Learning (FL) breaks the “data island” and lets clients cooperate in training a shared model with private data locally. And hierarchical framework is used in FL to alleviate the problem of excessive communication overhead. FL provides a certain degree of privacy, but privacy inference and Byzantine attacks still affect the existing FL methods. Moreover, the parameter server brings new security troubles, and the group size limits the model’s robustness. Thus, this paper presents a new decentralized FL framework called Trustiness-based Hierarchical Decentralized Federated Learning (TH-DFL) via a Security Robust Aggregation (SRA) rule, which introduces a trust mechanism. This study provides privacy protection and robustness even if there are malicious nodes. Besides, it somewhat reduces communication overhead. A series of comparative studies are also implemented to evaluate the performance of the model. In this process, the Gaussian, the bit-flipping, and other attacks are launched in the simulated federated learning. The results show that on the basis of ensuring privacy and robustness, TH-DFL seeks a better balance between privacy and robustness when the size of the group changes.

Hangn Su,Jianhong Zhou,Xianhua Niu,Gang Feng

DOI: https://doi.org/10.48550/arXiv.2312.04597

2023-12-06

Cryptography and Security

Abstract:As a key technology in 6G research, federated learning (FL) enables collaborative learning among multiple clients while ensuring individual data privacy. However, malicious attackers among the participating clients can intentionally tamper with the training data or the trained model, compromising the accuracy and trustworthiness of the system. To address this issue, in this paper, we propose a hierarchical audit-based FL (HiAudit-FL) framework, with the aim to enhance the reliability and security of the learning process. The hierarchical audit process includes two stages, namely model-audit and parameter-audit. In the model-audit stage, a low-overhead audit method is employed to identify suspicious clients. Subsequently, in the parameter-audit stage, a resource-consuming method is used to detect all malicious clients with higher accuracy among the suspicious ones. Specifically, we execute the model audit method among partial clients for multiple rounds, which is modeled as a partial observation Markov decision process (POMDP) with the aim to enhance the robustness and accountability of the decision-making in complex and uncertain environments. Meanwhile, we formulate the problem of identifying malicious attackers through a multi-round audit as an active sequential hypothesis testing problem and leverage a diffusion model-based AI-Enabled audit selection strategy (ASS) to decide which clients should be audited in each round. To accomplish efficient and effective audit selection, we design a DRL-ASS algorithm by incorporating the ASS in a deep reinforcement learning (DRL) framework. Our simulation results demonstrate that HiAudit-FL can effectively identify and handle potential malicious users accurately, with small system overhead.

Jiayan Chen,Zhirong Qian,Tianhui Meng,Xitong Gao,Tian Wang,Weijia Jia

2024-05-20

Abstract:Aiming at privacy preservation, Federated Learning (FL) is an emerging machine learning approach enabling model training on decentralized devices or data sources. The learning mechanism of FL relies on aggregating parameter updates from individual clients. However, this process may pose a potential security risk due to the presence of malicious devices. Existing solutions are either costly due to the use of compute-intensive technology, or restrictive for reasons of strong assumptions such as the prior knowledge of the number of attackers and how they attack. Few methods consider both privacy constraints and uncertain attack scenarios. In this paper, we propose a robust FL approach based on the credibility management scheme, called Fed-Credit. Unlike previous studies, our approach does not require prior knowledge of the nodes and the data distribution. It maintains and employs a credibility set, which weighs the historical clients' contributions based on the similarity between the local models and global model, to adjust the global model update. The subtlety of Fed-Credit is that the time decay and attitudinal value factor are incorporated into the dynamic adjustment of the reputation weights and it boasts a computational complexity of O(n) (n is the number of the clients). We conducted extensive experiments on the MNIST and CIFAR-10 datasets under 5 types of attacks. The results exhibit superior accuracy and resilience against adversarial attacks, all while maintaining comparatively low computational complexity. Among these, on the Non-IID CIFAR-10 dataset, our algorithm exhibited performance enhancements of 19.5% and 14.5%, respectively, in comparison to the state-of-the-art algorithm when dealing with two types of data poisoning attacks.

Machine Learning,Artificial Intelligence

Fengwei Wang,Hui Zhu,Xingdong Liu,Yandong Zheng,Hui Li,Jiafeng Hua

DOI: https://doi.org/10.1016/j.ins.2024.121115

IF: 8.1

2024-01-01

Information Sciences

Abstract:In the distributed machine learning field, federated learning (FL) serves as a highly effective framework for dismantling data silos and integrating data from multiple sources. However, the flourishing of FL still encounters significant challenges, particularly in the realms of data security and information privacy. In recent years, plenty of privacy-preserving FL schemes have been proposed, yet few of them support global model confidentiality protection for the training server. In this paper, by combining Trusted Execution Environment (TEE) and homomorphic encryption, we propose a TEE-assisted federated logistic regression training scheme with model confidentiality protection, named TFLR. Specifically, we first formalize a cryptography-TEE hybrid security model under the multi-party cooperative computation scenario. Subsequently, within this hybrid security model, we design a series of secure computation protocols with semi-honest TEE to execute non-linear operations while maintaining the encryption form of global model parameters. Therefore, the global model of the training server can be well protected. In addition, TFLR incorporates a double masking technique, further fortifying the privacy of data owners' local updates. Detailed security analysis shows that TFLR is able to protect all sensitive information of data owners and the training server. Furthermore, we evaluate the performance of TFLR with real machine learning datasets, and the results substantiate that TFLR is indeed efficient.

Sheldon C. Ebron Jr.,Kan Yang

2023-11-17

Abstract:Federated Learning (FL) enables collaborative machine learning model training across multiple parties without sharing raw data. However, FL's distributed nature allows malicious clients to impact model training through Byzantine or backdoor attacks, using erroneous model updates. Existing defenses measure the deviation of each update from a 'ground-truth model update.' They often rely on a benign root dataset on the server or use trimmed mean or median for clipping, both methods having limitations. We introduce FedTruth, a robust defense against model poisoning in FL. FedTruth doesn't assume specific data distributions nor requires a benign root dataset. It estimates a global model update with dynamic aggregation weights, considering contributions from all benign clients. Empirical studies demonstrate FedTruth's efficacy in mitigating the impacts of poisoned updates from both Byzantine and backdoor attacks.

Machine Learning,Artificial Intelligence,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Junpeng Zhang,Hui Zhu,Fengwei Wang,Jiaqi Zhao,Qi Xu,Hui Li

DOI: https://doi.org/10.1155/2022/2886795

IF: 1.968

2022-09-30

Security and Communication Networks

Abstract:Federated learning (FL) has nourished a promising method for data silos, which enables multiple participants to construct a joint model collaboratively without centralizing data. The security and privacy considerations of FL are focused on ensuring the robustness of the global model and the privacy of participants' information. However, the FL paradigm is under various security threats from the adversary aggregator and participants. Therefore, it is necessary to comprehensively identify and classify potential threats to provide a theoretical basis for FL with security guarantees. In this paper, a unique classification of attacks, which reviews state-of-the-art research on security and privacy issues for FL, is constructed from the perspective of malicious threats based on different computing parties. Specifically, we categorize attacks with respect to performed by aggregator and participant, highlighting the Deep Gradients Leakage attacks and Generative Adversarial Networks attacks. Following an overview of attack methods, we discuss the primary mitigation techniques against security risks and privacy breaches, especially the application of blockchain and Trusted Execution Environments. Finally, several promising directions for future research are discussed.

computer science, information systems,telecommunications

Xujiang Luo,Bin Tang

DOI: https://doi.org/10.3390/electronics13081540

IF: 2.9

2024-04-19

Electronics

Abstract:Federated learning (FL) is a highly promising collaborative machine learning method that preserves privacy by enabling model training on client nodes (e.g., mobile phones, Internet-of-Things devices) without sharing raw data. However, FL is vulnerable to Byzantine nodes, which can disrupt model performance, render training ineffective, or even manipulate the model by transmitting harmful gradients. In this paper, we propose a Byzantine fault-tolerant FL algorithm called federated learning with trustworthy data and historical information (FLTH). It utilizes a small trusted training dataset at the parameter server to filter out gradient updates from suspicious client nodes during model training, which provides both Byzantine resilience and convergence guarantee. It further introduces a historical information-based credibility assessment scheme such that the client nodes performing poorly over the long-term have a lower impact on the aggregation of gradients, thereby enhancing fault tolerance capability. Additionally, FLTH does not compromise the training efficiency of FL because of its low time complexity. Extensive simulation results show that FLTH achieves higher model accuracy compared to state-of-the-art methods under typical kinds of attack.

engineering, electrical & electronic,computer science, information systems,physics, applied

Runhua Xu,Nathalie Baracaldo,Yi Zhou,Ali Anwar,Swanand Kadhe,Heiko Ludwig

DOI: https://doi.org/10.48550/arXiv.2207.07779

2022-07-16

Abstract:Federated learning has emerged as a privacy-preserving machine learning approach where multiple parties can train a single model without sharing their raw training data. Federated learning typically requires the utilization of multi-party computation techniques to provide strong privacy guarantees by ensuring that an untrusted or curious aggregator cannot obtain isolated replies from parties involved in the training process, thereby preventing potential inference attacks. Until recently, it was thought that some of these secure aggregation techniques were sufficient to fully protect against inference attacks coming from a curious aggregator. However, recent research has demonstrated that a curious aggregator can successfully launch a disaggregation attack to learn information about model updates of a target party. This paper presents DeTrust-FL, an efficient privacy-preserving federated learning framework for addressing the lack of transparency that enables isolation attacks, such as disaggregation attacks, during secure aggregation by assuring that parties' model updates are included in the aggregated model in a private and secure manner. DeTrust-FL proposes a decentralized trust consensus mechanism and incorporates a recently proposed decentralized functional encryption (FE) scheme in which all parties agree on a participation matrix before collaboratively generating decryption key fragments, thereby gaining control and trust over the secure aggregation process in a decentralized setting. Our experimental evaluation demonstrates that DeTrust-FL outperforms state-of-the-art FE-based secure multi-party aggregation solutions in terms of training time and reduces the volume of data transferred. In contrast to existing approaches, this is achieved without creating any trust dependency on external trusted entities.

Cryptography and Security

Yufang Wu,Guorong Chen,Yuhao Liu,Chao Li,Mingqing Hu,Wei Wang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys57074.2022.00072

2022-01-01

Abstract:Federated learning (FL) is a promising distributed machine learning architecture that allows participants to cooperatively train a global model without sharing local data. However, both the trust of a central FL server and well-designed attacks against FL have significantly restricted the development of FL. In this work, we propose TBFL, a trusted blockchain-based federated learning system. It replaces the traditional central server with the functionalities provided by a decentralized blockchain. To prevent malicious participants from attacking the global model, TBFL employs a novel model verification and a scoring mechanism to keep detecting malicious participants. In addition, TBFL leverages a scalable incentive mechanism to enhance its reliability and fairness. We demonstrate the efficacy and attack-resilience of the proposed TBFL through experimental evaluation. The results validate the great performance and security properties of TBFL in training global models.

Jinqian Chen,Jihua Zhu

2024-10-16

Abstract:Federated learning (FL) enables collaborative model training across distributed clients while preserving data privacy. Despite its widespread adoption, most FL approaches focusing solely on privacy protection fall short in scenarios where trustworthiness is crucial, necessitating advancements in secure training, dependable decision-making mechanisms, robustness on corruptions, and enhanced performance with Non-IID data. To bridge this gap, we introduce Trustworthy Personalized Federated Learning (TPFL) framework designed for classification tasks via subjective logic in this paper. Specifically, TPFL adopts a unique approach by employing subjective logic to construct federated models, providing probabilistic decisions coupled with an assessment of uncertainty rather than mere probability assignments. By incorporating a trainable heterogeneity prior to the local training phase, TPFL effectively mitigates the adverse effects of data heterogeneity. Model uncertainty and instance uncertainty are further utilized to ensure the safety and reliability of the training and inference stages. Through extensive experiments on widely recognized federated learning benchmarks, we demonstrate that TPFL not only achieves competitive performance compared with advanced methods but also exhibits resilience against prevalent malicious attacks, robustness on domain shifts, and reliability in high-stake scenarios.

Machine Learning,Distributed, Parallel, and Cluster Computing

Haiqin Weng,Juntao Zhang,Feng Xue,Tao Wei,Shouling Ji,Zhiyuan Zong

2020-01-01

Abstract:Federated learning enables mutually distrusting participants to collaboratively learn a distributed machine learning model without revealing anything but the model's output. Generic federated learning has been studied extensively, and several learning protocols, as well as open-source frameworks, have been developed. Yet, their over pursuit of computing efficiency and fast implementation might diminish the security and privacy guarantees of participant's training data, about which little is known thus far. In this paper, we consider an honest-but-curious adversary who participants in training a distributed ML model, does not deviate from the defined learning protocol, but attempts to infer private training data from the legitimately received information. In this setting, we design and implement two practical attacks, reverse sum attack and reverse multiplication attack, neither of which will affect the accuracy of the learned model. By empirically studying the privacy leakage of two learning protocols, we show that our attacks are (1) effective - the adversary successfully steal the private training data, even when the intermediate outputs are encrypted to protect data privacy; (2) evasive - the adversary's malicious behavior does not deviate from the protocol specification and deteriorate any accuracy of the target model; and (3) easy - the adversary needs little prior knowledge about the data distribution of the target participant. We also experimentally show that the leaked information is as effective as the raw training data through training an alternative classifier on the leaked information. We further discuss potential countermeasures and their challenges, which we hope may lead to several promising research directions.

Jie Yang,Thar Baker,Sukhpal Singh Gill,Xiaochuan Yang,Weifeng Han,Yuanzhang Li

DOI: https://doi.org/10.1002/spe.3180

2022-12-12

Software Practice and Experience

Abstract:Federated learning (FL) is widely used in edge‐cloud collaborative training due to its distributed architecture and privacy‐preserving properties without sharing local data. FLTrust, the most state‐of‐the‐art FL defense method, is a federated learning defense system with trust guidance. However, we found that FLTrust is not very robust. Therefore, in the edge collaboration scenario, we mainly study the poisoning attack on the FLTrust defense system. Due to the aggregation rule, FLTrust, with trust guidance, the model updates of participants with a significant deviation from the root gradient direction will be eliminated, which makes the poisoning effect on the global model not obvious. To solve this problem, under the premise of not being deleted by the FLTrust aggregation rules, we construct malicious model updates that deviate from the trust gradient to the greatest extent to achieve model poisoning attacks. First, we utilize the rotation of high‐dimensional vectors around axes to construct malicious vectors with fixed orientations. Second, the malicious vector is constructed by the gradient inversion method to achieve an efficient and fast attack. Finally, a method of optimizing random noise is used to construct a malicious vector with a fixed direction. Experimental results show that our attack method reduces the model accuracy by 20%, severely undermining the usability of the model. Attacks are also successful hundreds of times faster than the FLTrust adaptive attack method.

Yanli Li,Zhongliang Guo,Nan Yang,Huaming Chen,Dong Yuan,Weiping Ding

2024-07-11

Abstract:Federated Learning (FL) offers innovative solutions for privacy-preserving collaborative machine learning (ML). Despite its promising potential, FL is vulnerable to various attacks due to its distributed nature, affecting the entire life cycle of FL services. These threats can harm the model's utility or compromise participants' privacy, either directly or indirectly. In response, numerous defense frameworks have been proposed, demonstrating effectiveness in specific settings and scenarios. To provide a clear understanding of the current research landscape, this paper reviews the most representative and state-of-the-art threats and defense frameworks throughout the FL service life cycle. We start by identifying FL threats that harm utility and privacy, including those with potential or direct impacts. Then, we dive into the defense frameworks, analyze the relationship between threats and defenses, and compare the trade-offs among different defense strategies. Finally, we summarize current research bottlenecks and offer insights into future research directions to conclude this survey. We hope this survey sheds light on trustworthy FL research and contributes to the FL community.

Distributed, Parallel, and Cluster Computing,Artificial Intelligence