Xinchi Qiu,Heng Pan,Wanru Zhao,Chenyang Ma,William F. Shen,Pedro P.B. Gusmao,Nicholas D. Lane

DOI: https://doi.org/10.48550/arXiv.2305.16794

2023-05-26

Cryptography and Security

Abstract:Most work in privacy-preserving federated learning (FL) has focused on horizontally partitioned datasets where clients hold the same features and train complete client-level models independently. However, individual data points are often scattered across different institutions, known as clients, in vertical FL (VFL) settings. Addressing this category of FL necessitates the exchange of intermediate outputs and gradients among participants, resulting in potential privacy leakage risks and slow convergence rates. Additionally, in many real-world scenarios, VFL training also faces the acute issue of client stragglers and drop-outs, a serious challenge that can significantly hinder the training process but has been largely overlooked in existing studies. In this work, we present vFedSec, a first dropout-tolerant VFL protocol, which can support the most generalized vertical framework. It achieves secure and efficient model training by using an innovative Secure Layer alongside an embedding-padding technique. We provide theoretical proof that our design attains enhanced security while maintaining training performance. Empirical results from extensive experiments also demonstrate vFedSec is robust to client dropout and provides secure training with negligible computation and communication overhead. Compared to widely adopted homomorphic encryption (HE) methods, our approach achieves a remarkable > 690x speedup and reduces communication costs significantly by > 9.6x.

Zhiying Feng,Xu Chen,Qiong Wu,Wen Wu,Xiaoxi Zhang,Qianyi Huang

DOI: https://doi.org/10.1109/TMC.2023.3311188

2023-09-01

Abstract:Federated Learning (FL) requires frequent exchange of model parameters, which leads to long communication delay, especially when the network environments of clients vary greatly. Moreover, the parameter server needs to wait for the slowest client (i.e., straggler, which may have the largest model size, lowest computing capability or worst network condition) to upload parameters, which may significantly degrade the communication efficiency. Commonly-used client selection methods such as partial client selection would lead to the waste of computing resources and weaken the generalization of the global model. To tackle this problem, along a different line, in this paper, we advocate the approach of model parameter dropout instead of client selection, and accordingly propose a novel framework of Federated learning scheme with Differential parameter Dropout (FedDD). FedDD consists of two key modules: dropout rate allocation and uploaded parameter selection, which will optimize the model parameter uploading ratios tailored to different clients' heterogeneous conditions and also select the proper set of important model parameters for uploading subject to clients' dropout rate constraints. Specifically, the dropout rate allocation is formulated as a convex optimization problem, taking system heterogeneity, data heterogeneity, and model heterogeneity among clients into consideration. The uploaded parameter selection strategy prioritizes on eliciting important parameters for uploading to speedup convergence. Furthermore, we theoretically analyze the convergence of the proposed FedDD scheme. Extensive performance evaluations demonstrate that the proposed FedDD scheme can achieve outstanding performances in both communication efficiency and model convergence, and also possesses a strong generalization capability to data of rare classes.

Machine Learning,Distributed, Parallel, and Cluster Computing

Z. H. Qin,Shuiguang Deng,Xin Yan,Schahram Dustdar,Albert Y. Zomaya

DOI: https://doi.org/10.48550/arxiv.2205.10568

2022-01-01

Abstract:Federated learning (FL) is a promising technical support to the vision of ubiquitous artificial intelligence in the sixth generation (6G) wireless communication network. However, traditional FL heavily relies on a trusted centralized server. Besides, FL is vulnerable to poisoning attacks, and the global aggregation of model updates makes the private training data under the risk of being reconstructed. What's more, FL suffers from efficiency problem due to heavy communication cost. Although decentralized FL eliminates the problem of the central dependence of traditional FL, it makes other problems more serious. In this paper, we propose BlockDFL, an efficient fully peer-to-peer (P2P) framework for decentralized FL. It integrates gradient compression and our designed voting mechanism with blockchain to efficiently coordinate multiple peer participants without mutual trust to carry out decentralized FL, while preventing data from being reconstructed according to transmitted model updates. Extensive experiments conducted on two real-world datasets exhibit that BlockDFL obtains competitive accuracy compared to centralized FL and can defend against poisoning attacks while achieving efficiency and scalability. Especially when the proportion of malicious participants is as high as 40 percent, BlockDFL can still preserve the accuracy of FL, which outperforms existing fully decentralized FL frameworks.

Tao Chen,Xiao-Fen Wang,Hong-Ning Dai,Hao-Miao Yang,Rang Zhou,Xiao-Song Zhang

DOI: https://doi.org/10.1109/globecom54140.2023.10437934

2023-01-01

Abstract:Federated Learning (FL) enables participants to collaboratively train a global model by sharing their gradients without the need for uploading privacy-sensitive data. Despite certain privacy preservation of FL, local gradients in plaintext may reveal data privacy when gradient-leakage attacks are launched. To further protect local gradients, privacy-preserving FL schemes have been proposed. However, these existing schemes that require a fully trusted central server are vulnerable to a single point of failure and malicious attacks. Although more robust privacy-preserving decentralized FL schemes have recently been proposed on multiple servers, they will fail to aggregate the local gradients with message transmission errors or data packet dropping out due to the instability of the communication network. To address these challenges, we propose a novel privacy-preserving decentralized FL scheme system based on the blockchain and a modified identity-based homomorphic broadcast encryption algorithm. This scheme achieves both privacy protection and error/dropout tolerance. Security analysis shows that the proposed scheme can protect the privacy of the local gradients against both internal and external adversaries, and protect the privacy of the global gradients against external adversaries. Moreover, it ensures the correctness of local gradients' aggregation even when transmission error or data packet dropout happens. Extensive experiments demonstrate that the proposed scheme guarantees model accuracy and achieves performance efficiency.

Chuan Ma,Jun Li,Ming Ding,Kang Wei,Wen Chen,H. Vincent Poor

DOI: https://doi.org/10.1109/jiot.2021.3079472

IF: 10.6

2021-12-15

IEEE Internet of Things Journal

Abstract:Owing to the low communication costs and privacy-promoting capabilities, federated learning (FL) has become a promising tool for training effective machine learning models among distributed clients. However, with the distributed architecture, low-quality models could be uploaded to the aggregator server by unreliable clients, leading to a degradation or even a collapse of training. In this article, we model these unreliable behaviors of clients and propose a defensive mechanism to mitigate such a security risk. Specifically, we first investigate the impact on the models caused by unreliable clients by deriving a convergence upper bound on the loss function based on the gradient descent updates. Our bounds reveal that with a fixed amount of total computational resources, there exists an optimal number of local training iterations in terms of convergence performance. We further design a novel defensive mechanism, named deep neural network-based secure aggregation (DeepSA). Our experimental results validate our theoretical analysis. In addition, the effectiveness of DeepSA is verified by comparing with other state-of-the-art defensive mechanisms.

computer science, information systems,telecommunications,engineering, electrical & electronic

Nader Bouacida,Jiahui Hou,Hui Zang,Xin Liu

DOI: https://doi.org/10.48550/arXiv.2011.04050

2020-11-09

Abstract:With more regulations tackling users' privacy-sensitive data protection in recent years, access to such data has become increasingly restricted and controversial. To exploit the wealth of data generated and located at distributed entities such as mobile phones, a revolutionary decentralized machine learning setting, known as Federated Learning, enables multiple clients located at different geographical locations to collaboratively learn a machine learning model while keeping all their data on-device. However, the scale and decentralization of federated learning present new challenges. Communication between the clients and the server is considered a main bottleneck in the convergence time of federated learning. In this paper, we propose and study Adaptive Federated Dropout (AFD), a novel technique to reduce the communication costs associated with federated learning. It optimizes both server-client communications and computation costs by allowing clients to train locally on a selected subset of the global model. We empirically show that this strategy, combined with existing compression methods, collectively provides up to 57x reduction in convergence time. It also outperforms the state-of-the-art solutions for communication efficiency. Furthermore, it improves model generalization by up to 1.7%.

Machine Learning,Distributed, Parallel, and Cluster Computing

Zhifeng Jiang,Wei Wang,Ruichuan Chen

DOI: https://doi.org/10.1145/3627703.3629559

2023-11-10

Abstract:Federated learning (FL) is increasingly deployed among multiple clients to train a shared model over decentralized data. To address privacy concerns, FL systems need to safeguard the clients' data from disclosure during training and control data leakage through trained models when exposed to untrusted domains. Distributed differential privacy (DP) offers an appealing solution in this regard as it achieves a balanced tradeoff between privacy and utility without a trusted server. However, existing distributed DP mechanisms are impractical in the presence of client dropout, resulting in poor privacy guarantees or degraded training accuracy. In addition, these mechanisms suffer from severe efficiency issues. We present Dordis, a distributed differentially private FL framework that is highly efficient and resilient to client dropout. Specifically, we develop a novel `add-then-remove' scheme that enforces a required noise level precisely in each training round, even if some sampled clients drop out. This ensures that the privacy budget is utilized prudently, despite unpredictable client dynamics. To boost performance, Dordis operates as a distributed parallel architecture via encapsulating the communication and computation operations into stages. It automatically divides the global model aggregation into several chunk-aggregation tasks and pipelines them for optimal speedup. Large-scale deployment evaluations demonstrate that Dordis efficiently handles client dropout in various realistic FL scenarios, achieving the optimal privacy-utility tradeoff and accelerating training by up to 2.4$\times$ compared to existing solutions.

Distributed, Parallel, and Cluster Computing

Giorgio Severi,Matthew Jagielski,Gökberk Yar,Yuxuan Wang,Alina Oprea,Cristina Nita-Rotaru

DOI: https://doi.org/10.48550/arXiv.2208.12911

2022-08-27

Abstract:Federated learning is a popular strategy for training models on distributed, sensitive data, while preserving data privacy. Prior work identified a range of security threats on federated learning protocols that poison the data or the model. However, federated learning is a networked system where the communication between clients and server plays a critical role for the learning task performance. We highlight how communication introduces another vulnerability surface in federated learning and study the impact of network-level adversaries on training federated learning models. We show that attackers dropping the network traffic from carefully selected clients can significantly decrease model accuracy on a target population. Moreover, we show that a coordinated poisoning campaign from a few clients can amplify the dropping attacks. Finally, we develop a server-side defense which mitigates the impact of our attacks by identifying and up-sampling clients likely to positively contribute towards target accuracy. We comprehensively evaluate our attacks and defenses on three datasets, assuming encrypted communication channels and attackers with partial visibility of the network.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Yuanyuan Gao,Lei Zhang,Lulu Wang,Kim-Kwang Raymond Choo,Rui Zhang

DOI: https://doi.org/10.1109/tsc.2023.3250705

2021-01-01

Abstract:Conventional federated learning (FL) approaches generally rely on a centralized server, and there has been a trend of designing asynchronous FL approaches for distributed applications partly to mitigate limitations associated with conventional (synchronous) FL approaches (e.g., single point of failure / attack). In this paper, we first introduce two new tools, namely: a quality-based aggregation method and an extended dynamic contribution broadcast encryption (DConBE). Building on these two new tools and local differential privacy, we then propose a privacy-preserving and reliable decentralized FL scheme, designed to support batch joining/leaving of clients while incurring minimal delay and achieving high model accuracy. In other words, our scheme seeks to ensure an optimal trade-off between model accuracy and data privacy, which is also demonstrated in our simulation results. For example, the results show that our aggregation method can effectively avoid low-quality updates in the sense that the scheme guarantees high model accuracy even in the presence of bad clients who may submit low-quality updates. In addition, our scheme incurs a lower loss and the extended DConBE only slightly affects the efficiency of our scheme. With the extended dynamic contribution broadcast encryption, our scheme can efficiently support batch joining/leaving of clients.

Dingzhu Wen,Ki-Jun Jeon,Kaibin Huang

DOI: https://doi.org/10.48550/arXiv.2109.15258

2022-02-06

Abstract:Federated learning (FL) is a popular framework for training an AI model using distributed mobile data in a wireless network. It features data parallelism by distributing the learning task to multiple edge devices while attempting to preserve their local-data privacy. One main challenge confronting practical FL is that resource constrained devices struggle with the computation intensive task of updating of a deep-neural network model. To tackle the challenge, in this paper, a federated dropout (FedDrop) scheme is proposed building on the classic dropout scheme for random model pruning. Specifically, in each iteration of the FL algorithm, several subnets are independently generated from the global model at the server using dropout but with heterogeneous dropout rates (i.e., parameter-pruning probabilities),each of which is adapted to the state of an assigned channel. The subnets are downloaded to associated devices for updating. Thereby, FedDrop reduces both the communication overhead and devices' computation loads compared with the conventional FL while outperforming the latter in the case of overfitting and also the FL scheme with uniform dropout (i.e., identical subnets).

Machine Learning,Information Theory

Kang Wei,Jun Li,Chuan Ma,Ming Ding,H. Vincent Poor

DOI: https://doi.org/10.1007/978-3-030-70604-3_3

2021-01-01

Abstract:Federated learning (FL), a type of collaborative machine learning framework, is capable of helping protect users’ private data while training the data into useful models. Nevertheless, privacy leakage may still happen by analyzing the exchanged parameters, e.g., weights and biases in deep neural networks, between the central server and clients. In this chapter, to effectively prevent information leakage, we investigate a differential privacy mechanism in which, at the clients’ side, artificial noises are added to parameters before uploading. Moreover, we propose a K-client random scheduling policy, in which K clients are randomly selected from a total of N clients to participate in each communication round. Furthermore, a theoretical convergence bound is derived from the loss function of the trained FL model. In detail, considering a fixed privacy level, the theoretical bound reveals that there exists an optimal number of clients K that can achieve the best convergence performance due to the tradeoff between the volume of user data and the variances of aggregated artificial noises. To optimize this tradeoff, we further provide a differentially private FL based client selection (DP-FedCS) algorithm, which can dynamically select the number of training clients. Our experimental results validate our theoretical conclusions and also show that the proposed algorithm can effectively improve both the FL training efficiency and FL model quality for a given privacy protection level.

Chenghui Shi,Shouling Ji,Xudong Pan,Xuhong Zhang,Mi Zhang,Min Yang,Jun Zhou,Jianwei Yin,Ting Wang

DOI: https://doi.org/10.1109/tdsc.2024.3376790

2024-01-01

Abstract:Federated Learning (FL) is nowadays one of the most promising paradigms for privacy-preserving distributed learning. Without revealing its local private data to outsiders, a client in FL systems collaborates to build a global Deep Neural Network (DNN) by submitting its local model parameter update to a central server for iterative aggregation. With secure multi-party computation protocols, the submitted update of any client is also by design invisible to the server. Seemingly, this standard design is a win-win for client privacy and service provider utility. Ironically, any attacker may also use manipulated or impersonated client to submit almost any attack payloads under the umbrella of the FL protocol itself. In this work, we craft a practical backdoor attack on FL systems that is proved to be simultaneously effective and stealthy on diverse use cases of FL systems and leading commercial FL platforms in the real world. Basically, we first identify a small number of redundant neurons which tend to be rarely or slightly updated in the model, and then inject backdoor into these redundant neurons instead of the whole model. In this way, our backdoor attack can achieve a high attack success rate with a minor impact on the accuracy of the original task. As countermeasures, we further consider several common technical choices including robust aggregation mechanisms, differential privacy mechanism,s and network pruning. However, none of the defenses show desirable defense capability against our backdoor attack. Our results strongly highlight the vulnerability of existing FL systems against backdoor attacks and the urgent need to develop more effective defense mechanisms.

Pei Fang,Jinghui Chen

DOI: https://doi.org/10.48550/arXiv.2301.08170

2023-01-20

Abstract:Federated Learning (FL) is a popular distributed machine learning paradigm that enables jointly training a global model without sharing clients' data. However, its repetitive server-client communication gives room for backdoor attacks with aim to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack method for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.

Machine Learning,Artificial Intelligence,Cryptography and Security

Jingjing Xue,Min Liu,Sheng Sun,Yuwei Wang,Hui Jiang,Xuefeng Jiang

DOI: https://doi.org/10.48550/arXiv.2307.07172

2023-07-14

Abstract:Federated Learning (FL) emerges as a distributed machine learning paradigm without end-user data transmission, effectively avoiding privacy leakage. Participating devices in FL are usually bandwidth-constrained, and the uplink is much slower than the downlink in wireless networks, which causes a severe uplink communication bottleneck. A prominent direction to alleviate this problem is federated dropout, which drops fractional weights of local models. However, existing federated dropout studies focus on random or ordered dropout and lack theoretical support, resulting in unguaranteed performance. In this paper, we propose Federated learning with Bayesian Inference-based Adaptive Dropout (FedBIAD), which regards weight rows of local models as probability distributions and adaptively drops partial weight rows based on importance indicators correlated with the trend of local training loss. By applying FedBIAD, each client adaptively selects a high-quality dropping pattern with accurate approximations and only transmits parameters of non-dropped weight rows to mitigate uplink costs while improving accuracy. Theoretical analysis demonstrates that the convergence rate of the average generalization error of FedBIAD is minimax optimal up to a squared logarithmic factor. Extensive experiments on image classification and next-word prediction show that compared with status quo approaches, FedBIAD provides 2x uplink reduction with an accuracy increase of up to 2.41% even on non-Independent and Identically Distributed (non-IID) data, which brings up to 72% decrease in training time.

Distributed, Parallel, and Cluster Computing,Machine Learning

Suchul Lee

DOI: https://doi.org/10.1109/access.2024.3426534

IF: 3.9

2024-07-19

IEEE Access

Abstract:Federated learning (FL) is a deep learning paradigm that allows clients to train deep learning models distributively, keeping raw data local rather than sending it to the cloud, thereby reducing security and privacy concerns. Although FL is designed to be inherently secure, it still has many vulnerabilities. In this paper, we consider an FL scenario where clients are subjected to an adversarial attack that exploits vulnerabilities in the decision-making process of deep learning models to induce misclassification. We observed that adversarial training has a trade-off relationship in which, as classification performance for adversarial examples increases, classification performance for normal samples decreases. To effectively utilize this trade-off relationship in adversarial training, we propose an adaptive selection scheme of the loss function depending on whether the FL client is attacked. The proposed scheme was experimentally proven to achieve the best robust accuracy while minimizing the decrease in natural accuracy. Further, we combined the proposed scheme with Byzantine-robust aggregation. We expected model training to converge stably because Byzantine-robust aggregation prevents highly distorted models from being aggregated, but we obtained experimental results that were contrary to our expectations.

computer science, information systems,telecommunications,engineering, electrical & electronic

Minghong Wu,Minghui Liwang,Yuhan Su,Yuliang Tang,Zhenzhen Jiao,Xianbin Wang

DOI: https://doi.org/10.1109/iccc62479.2024.10681991

2024-01-01

Abstract:Federated Learning (FL) represents a popular distributed learning architecture that facilitates data privacy by enabling clients (e.g., mobile devices) to train a FL model collaboratively without data sharing. Existing efforts mainly focus on accuracy, delay and energy consumption over a rather stable network with certain clients, with less emphasis on the impact of frequent decision-making processes during model training. Inspired by this, this paper considers a dynamic FL network with uncertain participation of clients, while we jointly optimize client selection and communication resource allocation to achieve a balance between energy cost and FL model accuracy, as proved to be NP-hard. To facilitate timely model training, we propose a prediction-based two-stage asynchronous programming mechanism, which decouples the problem in two subproblems, corresponding to two stages. In particular, the former stage determines some long-term clients which are more stable to join in prior to practical model training process, by estimating the online probability of clients. Then, the latter stage can be implemented by involving some temporary clients as backups when long-term ones are not able to show up. Such a well-designed mechanism offers a unique veiw on FL, while enabling a responsive and cost-effective decision-making process. Comprehensive simulations regarding both IID and non-IID data distributions on MNIST and CIFAR-10 datasets can prove our commendable performance on time efficiency, energy cost and accuracy.

Shu Hong,Xiaojun Lin,Lingjie Duan

2024-12-09

Abstract:Federated learning (FL) enables collaborative model training through model parameter exchanges instead of raw data. To avoid potential inference attacks from exchanged parameters, differential privacy (DP) offers rigorous guarantee against various attacks. However, conventional methods of ensuring DP by adding local noise alone often result in low training accuracy. Combining secure multi-party computation (SMPC) with DP, while improving the accuracy, incurs high communication and computation overheads and straggler vulnerability, in either client-to-server or client-to-client links. In this paper, we propose LightDP-FL, a novel lightweight scheme that ensures provable DP against untrusted peers and server, while maintaining straggler-resilience, low overheads and high training accuracy. Our approach incorporates both individual and pairwise noise into each client's parameter, which can be implemented with minimal overheads. Given the uncertain straggler and colluder sets, we utilize the upper bound on the numbers of stragglers and colluders to prove sufficient noise variance conditions to ensure DP in the worst case. Moreover, we optimize the expected convergence bound to ensure accuracy performance by flexibly controlling the noise variances. Using the CIFAR-10 dataset, our experimental results demonstrate that LightDP-FL achieves faster convergence and stronger straggler resilience of our scheme compared to baseline methods of the same DP level.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Yijiang Li,Ying Gao,Haohan Wang

2024-11-21

Abstract:We investigate a specific security risk in FL: a group of malicious clients has impacted the model during training by disguising their identities and acting as benign clients but later switching to an adversarial role. They use their data, which was part of the training set, to train a substitute model and conduct transferable adversarial attacks against the federated model. This type of attack is subtle and hard to detect because these clients initially appear to be benign. The key question we address is: How robust is the FL system to such covert attacks, especially compared to traditional centralized learning systems? We empirically show that the proposed attack imposes a high security risk to current FL systems. By using only 3\% of the client's data, we achieve the highest attack rate of over 80\%. To further offer a full understanding of the challenges the FL system faces in transferable attacks, we provide a comprehensive analysis over the transfer robustness of FL across a spectrum of configurations. Surprisingly, FL systems show a higher level of robustness than their centralized counterparts, especially when both systems are equally good at handling regular, non-malicious data. We attribute this increased robustness to two main factors: 1) Decentralized Data Training: Each client trains the model on its own data, reducing the overall impact of any single malicious client. 2) Model Update Averaging: The updates from each client are averaged together, further diluting any malicious alterations. Both practical experiments and theoretical analysis support our conclusions. This research not only sheds light on the resilience of FL systems against hidden attacks but also raises important considerations for their future application and development.

Machine Learning,Computer Vision and Pattern Recognition

Rong Dai,Li Shen,Fengxiang He,Xinmei Tian,Dacheng Tao

DOI: https://doi.org/10.48550/arXiv.2206.00187

IF: 5.414

2022-06-01

Machine Learning

Abstract:Personalized federated learning is proposed to handle the data heterogeneity problem amongst clients by learning dedicated tailored local models for each user. However, existing works are often built in a centralized way, leading to high communication pressure and high vulnerability when a failure or an attack on the central server occurs. In this work, we propose a novel personalized federated learning framework in a decentralized (peer-to-peer) communication protocol named Dis-PFL, which employs personalized sparse masks to customize sparse local models on the edge. To further save the communication and computation cost, we propose a decentralized sparse training technique, which means that each local model in Dis-PFL only maintains a fixed number of active parameters throughout the whole local training and peer-to-peer communication process. Comprehensive experiments demonstrate that Dis-PFL significantly saves the communication bottleneck for the busiest node among all clients and, at the same time, achieves higher model accuracy with less computation cost and communication rounds. Furthermore, we demonstrate that our method can easily adapt to heterogeneous local clients with varying computation complexities and achieves better personalized performances.

Yichang Xu,Ming Yin,Minghong Fang,Neil Zhenqiang Gong

2024-04-04

Abstract:Recent studies have revealed that federated learning (FL), once considered secure due to clients not sharing their private data with the server, is vulnerable to attacks such as client-side training data distribution inference, where a malicious client can recreate the victim's data. While various countermeasures exist, they are not practical, often assuming server access to some training data or knowledge of label distribution before the attack.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Machine Learning