Chenfei Nie,Qiang Li,Yuxin Yang,Yuede Ji,Binghui Wang

2024-07-29

Abstract:Federated learning (FL) is an emerging distributed learning paradigm without sharing participating clients' private data. However, existing works show that FL is vulnerable to both Byzantine (security) attacks and data reconstruction (privacy) attacks. Almost all the existing FL defenses only address one of the two attacks. A few defenses address the two attacks, but they are not efficient and effective enough. We propose BPFL, an efficient Byzantine-robust and provably privacy-preserving FL method that addresses all the issues. Specifically, we draw on state-of-the-art Byzantine-robust FL methods and use similarity metrics to measure the robustness of each participating client in FL. The validity of clients are formulated as circuit constraints on similarity metrics and verified via a zero-knowledge proof. Moreover, the client models are masked by a shared random vector, which is generated based on homomorphic encryption. In doing so, the server receives the masked client models rather than the true ones, which are proven to be private. BPFL is also efficient due to the usage of non-interactive zero-knowledge proof. Experimental results on various datasets show that our BPFL is efficient, Byzantine-robust, and privacy-preserving.

Cryptography and Security

Ruiguang Yang,Xiaodong Shen,Chang Xu,Liehuang Zhu,Kashif Sharif

DOI: https://doi.org/10.1109/cyberc62439.2024.00037

2024-01-01

Abstract:Personalized Federated Learning (PFL) tackles the challenges of FL on heterogeneous data and provides customized solutions to each client. However, like commonly employed FL settings, PFL is still vulnerable to attacks on privacy and model availability. Existing PFL frameworks focus on either privacy protection or attack defense instead of simultaneously implementing both functionalities. To address this challenge, we design and implement a novel Privacy-preserving and Robust Personalized Federated Learning framework, PR-PFL, which can simultaneously protect data privacy and defend against model availability attacks. Specifically, PR-PFL adopts Mean Regularized Multi-Task Learning (MR-MTL) as the base training paradigm. Clients perform per-sample DP to protect data privacy, and the central server executes a robust aggregation algorithm to filter out potential attackers. After collective training, clients tune their models locally to eliminate malicious injections further. To the best of our knowledge, this is the first PFL framework that protects both clients’ privacy and model availability. The method combining robust aggregation and local tuning we have designed can effectively defend against 5 kinds of attacks. We conduct an extensive empirical evaluation demonstrating that our framework is practical and achieves reasonable robustness under an honest majority setting (attackers <50%).

Zhi Lu,Songfeng Lu,Yongquan Cui,Junjun Wu,Hewang Nie,Jue Xiao,Zepu Yi

DOI: https://doi.org/10.1007/978-3-031-69766-1_19

2024-01-01

Abstract:Federated learning (FL) is a distributed machine learning approach that reduces data transfer by aggregating gradients from multiple users. However, this process raises concerns about user privacy, leading to the emergence of privacy preserving FL. Unfortunately, this development poses new Byzantine-robustness challenges as poisoning attacks become difficult to detect. Existing byzantine-robust algorithms operate primarily in plaintext, and crucially, current byzantine-robust privacy FL methods fail to concurrently defend against adaptive attacks. In response, we propose a lightweight, byzantine-robust, and privacy-preserving federated learning framework (LRFL), employing shuffle functions and encryption masks to ensure privacy. In addition, we comprehensively calculate the similarity of the direction and magnitude of each gradient vector to ensure byzantine-robustness. To the best of our knowledge, LRFL is the first byzantine-robust privacy preserving FL capable of identifying malicious users based on gradient angles and magnitudes. What's more, the theoretical complexity of LRFL is O(dN + dN logN), comparable to byzantine-robust FL with user number N and gradient dimension d. Experimental results demonstrate that LRFL achieves similar accuracy to state-of-the-art methods under multiple attack scenarios.

Zekai Chen,Shengxing Yu,Mingyuan Fan,Ximeng Liu,Robert H. Deng

DOI: https://doi.org/10.1109/tifs.2023.3326983

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) allows multiple clients to train deep learning models collaboratively while protecting sensitive local datasets. However, FL has been highly susceptible to security for federated backdoor attacks (FBA) through injecting triggers and privacy for potential data leakage from uploaded models in practical application scenarios. FBA defense strategies consider specific and limited attacker models, and a sufficient amount of noise injected can only mitigate rather than eliminate the attack. To address these deficiencies, we introduce a Robust Federated Backdoor Defense Scheme (RFBDS) and Privacy-preserving RFBDS (PrivRFBDS) to ensure the elimination of adversarial backdoors. Our RFBDS to overcome FBA consists of amplified magnitude sparsification, adaptive OPTICS clustering, and adaptive clipping. The experimental evaluation of RFBDS is conducted on three benchmark datasets and an extensive comparison is made with state-of-the-art studies. The results demonstrate the promising defense performance from RFBDS, moderately improved by 31.75% ~ 73.75% in clustering defense methods, and 0.03% ~ 56.90% for Non-IID to the utmost extent for the average FBA success rate over MNIST, FMNIST, and CIFAR10. Besides, our privacy-preserving shuffling in PrivRFBDS maintains is $7.83e^{-5}\,\,\sim \,\,0.42\times $ that of state-of-the-art works.

Zhi Lu,Songfeng Lu,Xueming Tang,Junjun Wu

DOI: https://doi.org/10.1109/tai.2023.3309273

2023-01-01

IEEE Transactions on Artificial Intelligence

Abstract:Federated Learning (FL) safeguards user privacy by uploading gradients instead of raw data. However, inference attacks can reconstruct raw data using gradients uploaded by users in FL. To mitigate this issue, researchers have combined privacy computing techniques with FL. However, these tech-niques may not ensure the Byzantine robustness of aggregation or the integrity of the aggregated outcomes. Most current robust privacy FL methods assess differences between gradients and benchmarks in the direction, allowing adversaries to poison the aggregation against the magnitude. Furthermore, these methods cannot ensure the integrity of the aggregation results. To over-come these challenges, this study proposes a novel algorithm, Robust and Verifiable Privacy Federated Learning(RVPFL), which can more effectively eliminate the poisoning attack of the opponent by measuring the direction and magnitude of the gradient in the ciphertext state. The proposed algorithm guarantees the integrity of server aggregation results while safe-guarding user privacy. In this study, comprehensive theoretical analysis and experimental validation of RVPFL are conducted to demonstrate its superiority. The proposed RVPFL algorithm solves the Byzantine robustness problem of aggregation and the integrity problem of aggregation results, which helps to research and develop more robust and effective privacy-preserving federal learning techniques.

Xicong Shen,Ying Liu,Fu Li,Chunguang Li

DOI: https://doi.org/10.1109/jiot.2023.3288886

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) has attracted widespread attention in the Internet of Things domain recently. With FL, multiple distributed devices can cooperatively train a global model by transmitting model updates without disclosing the original data. However, the distributed nature of FL makes it vulnerable to data poisoning attacks. In practice, malicious clients can launch the label-flipping attack (LFA) by simply tampering with the labels of local data, thus causing the global model to misclassify the samples of a selected class as the target class. Although some defense mechanisms have been proposed, they rely on specific assumptions about data distribution, and their performance degrades significantly when the data on clients are non-IID. Besides, most existing methods require clients to upload model updates in plaintext so that the server can identify and remove the malicious updates. But, direct transmission of model updates may still reveal private information. Considering these issues, we develop a label-flipping-robust and privacy-preserving FL (LFR-PPFL) algorithm, which is applicable to both independent and identically distributed (IID) and non-IID data. We first propose a detection method based on temporal analysis on cosine similarity to distinguish malicious clients from benign clients. Then, we propose a privacy-preserving computation protocol based on homomorphic encryption to implement this detection method and perform federated aggregation while protecting the privacy of clients. Besides, a detailed theoretical analysis is given to demonstrate the privacy guarantee of the proposed protocol. Experimental results on real-world data sets show that the proposed algorithm can effectively defend against LFAs under various data distributions.

Tao Chen,Xiaofen Wang,Hong-Ning Dai

DOI: https://doi.org/10.1007/978-981-97-5101-3_9

2024-01-01

Abstract:Federated Learning (FL), as an emerging distributed machine learning framework, which shares model gradients instead of raw data, can properly coordinate the contradiction between data sharing and data security under the guidance of laws and regulations and overcome the problem of “Data Silo”. However, the state-of-art federated learning schemes are still facing security challenges, such as single point of failure (SPOF), gradient privacy leakage, and byzantine attacks. To address the above issues, this paper proposes a robustness and privacy-preserving decentralized federated learning system (R-PPDFL). Specifically, a decentralized privacy-preserving federated learning framework based on the blockchain is designed and an improved multi-client functional encryption is proposed, which resolves the issues of SPOF and privacy leakage. Then based on functional encryption and cosine similarity we present a dense model detection method, which can properly defend the byzantine attacks in FL. Ultimately, it evaluates the proposed scheme by providing a theoretical analysis and conducting preliminary experiments on real datasets.

Yinuo Chen,Wuzheng Tan,Yijian Zhong,Yulin Kang,Anjia Yang,Jian Weng

DOI: https://doi.org/10.1109/jiot.2024.3434660

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning, as a form of distributed learning, aims to protect local data while utilizing distributed data to train a global model. However, federated learning still faces challenges related to privacy leakage in Internet of Things(IoTs). Researches indicate that server can infer private information from local gradients. Additionally, malicious participants may upload poisoning local models, which contaminate the global model and cause a decline in accuracy. Furthermore, irregular participants with low-quality data in the real world can also impact the performance of the global model. Simultaneously addressing these three issues poses a significant challenge. This is because privacy protection strategies in FL are designed to prevent access to local gradients to avoid information leakage. However, strategies with Byzantine robustness and defense against irregular participants typically require access to local gradients to calculate the reliability of each participant. Therefore, we use secret sharing as the underlying technology to propose a 3PC privacy-preserving federated learning framework BPFL that can resist Byzantine attacks and irregular participants. Compared with previous schemes, our scheme can not only protect data privacy, but also minimize the negative impact of malicious or irregular participants on the global model. We implemented BPFL and compared it with Mkrum and PPFL. Experimental results indicate that our approach maintains high performance when facing malicious attackers and irregular participants.

Meng Hao,Hongwei Li,Guowen Xu,Hanxiao Chen,Tianwei Zhang

DOI: https://doi.org/10.1145/3485832.3488014

2021-12-06

Abstract:Federated learning (FL) has demonstrated tremendous success in various mission-critical large-scale scenarios. However, such promising distributed learning paradigm is still vulnerable to privacy inference and byzantine attacks. The former aims to infer the privacy of target participants involved in training, while the latter focuses on destroying the integrity of the constructed model. To mitigate the above two issues, a few works recently explored unified solutions by utilizing generic secure computation techniques and common byzantine-robust aggregation rules, but there are two major limitations: 1) they suffer from impracticality due to efficiency bottlenecks, and 2) they are still vulnerable to various types of attacks because of model incomprehensiveness. To approach the above problems, in this paper, we present SecureFL, an efficient, private and byzantine-robust FL framework. SecureFL follows the state-of-the-art byzantine-robust FL method (FLTrust NDSS’21), which performs comprehensive byzantine defense by normalizing the updates’ magnitude and measuring directional similarity, adapting it to the privacy-preserving context. More importantly, we carefully customize a series of cryptographic components. First, we design a crypto-friendly validity checking protocol that functionally replaces the normalization operation in FLTrust, and further devise tailored cryptographic protocols on top of it. Benefiting from the above optimizations, the communication and computation costs are reduced by half without sacrificing the robustness and privacy protection. Second, we develop a novel preprocessing technique for costly matrix multiplication. With this technique, the directional similarity measurement can be evaluated securely with negligible computation overhead and zero communication cost. Extensive evaluations conducted on three real-world datasets and various neural network architectures demonstrate that SecureFL outperforms prior art up to two orders of magnitude in efficiency with state-of-the-art byzantine robustness.

Yaowei Han,Yang Cao,Masatoshi Yoshikawa

DOI: https://doi.org/10.48550/arXiv.2106.07033

2021-06-14

Abstract:Federated Learning (FL) is emerging as a promising paradigm of privacy-preserving machine learning, which trains an algorithm across multiple clients without exchanging their data samples. Recent works highlighted several privacy and robustness weaknesses in FL and addressed these concerns using local differential privacy (LDP) and some well-studied methods used in conventional ML, separately. However, it is still not clear how LDP affects adversarial robustness in FL. To fill this gap, this work attempts to develop a comprehensive understanding of the effects of LDP on adversarial robustness in FL. Clarifying the interplay is significant since this is the first step towards a principled design of private and robust FL systems. We certify that local differential privacy has both positive and negative effects on adversarial robustness using theoretical analysis and empirical verification.

Cryptography and Security,Machine Learning

Tao Qi,Huili Wang,Yongfeng Huang

DOI: https://doi.org/10.1609/aaai.v38i18.29967

2024-01-01

Abstract:Robustness and privacy protection are two important factors of trustworthy federated learning (FL). Existing FL works usually secure data privacy by perturbing local model gradients via the differential privacy (DP) technique, or defend against poisoning attacks by filtering the local gradients in the outlier of the gradient distribution before aggregation. However, these two issues are often addressed independently in existing works, and how to secure federated learning in both privacy and robustness still needs further exploration. In this paper, we unveil that although DP noisy perturbation can improve the learning robustness, DP-FL frameworks are not inherently robust and are vulnerable to a carefully-designed attack method. Furthermore, we reveal that it is challenging for existing robust FL methods to defend against attacks on DP-FL. This can be attributed to the fact that the local gradients of DP-FL are perturbed by random noise, and the selected central gradients inevitably incorporate a higher proportion of poisoned gradients compared to conventional FL. To address this problem, we further propose a new defense method for DP-FL (named Robust-DPFL), which can effectively distinguish poisoned and clean local gradients in DP-FL and robustly update the global model. Experiments on three benchmark datasets demonstrate that baseline methods cannot ensure task accuracy, data privacy, and robustness simultaneously, while Robust-DPFL can effectively enhance the privacy protection and robustness of federated learning meanwhile maintain the task performance.

Zeyu Qin,Liuyi Yao,Daoyuan Chen,Yaliang Li,Bolin Ding,Minhao Cheng

2023-06-05

Abstract:In this work, besides improving prediction accuracy, we study whether personalization could bring robustness benefits to backdoor attacks. We conduct the first study of backdoor attacks in the pFL framework, testing 4 widely used backdoor attacks against 6 pFL methods on benchmark datasets FEMNIST and CIFAR-10, a total of 600 experiments. The study shows that pFL methods with partial model-sharing can significantly boost robustness against backdoor attacks. In contrast, pFL methods with full model-sharing do not show robustness. To analyze the reasons for varying robustness performances, we provide comprehensive ablation studies on different pFL methods. Based on our findings, we further propose a lightweight defense method, Simple-Tuning, which empirically improves defense performance against backdoor attacks. We believe that our work could provide both guidance for pFL application in terms of its robustness and offer valuable insights to design more robust FL methods in the future. We open-source our code to establish the first benchmark for black-box backdoor attacks in pFL: <a class="link-external link-https" href="https://github.com/alibaba/FederatedScope/tree/backdoor-bench" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security

Honghong Zeng,Jie Li,Jiong Lou,Shijing Yuan,Chentao Wu,Wei Zhao,Sijin Wu,Zhiwen Wang

DOI: https://doi.org/10.1109/tc.2024.3404102

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Federated learning (FL) is a technique that enables clients to collaboratively train a model by sharing local models instead of raw private data. However, existing reconstruction attacks can recover the sensitive training samples from the shared models. Additionally, the emerging poisoning attacks also pose severe threats to the security of FL. However, most existing Byzantine-robust privacy-preserving federated learning solutions either reduce the accuracy of aggregated models or introduce significant computation and communication overheads. In this paper, we propose a novel B lockchain-based S ecure and R obust F ederated L earning (BSR-FL) framework to mitigate reconstruction attacks and poisoning attacks. BSR-FL avoids accuracy loss while ensuring efficient privacy protection and Byzantine robustness. Specifically, we first construct a lightweight non-interactive functional encryption (NIFE) scheme to protect the privacy of local models while maintaining high communication performance. Then, we propose a privacy-preserving defensive aggregation strategy based on NIFE, which can resist encrypted poisoning attacks without compromising model privacy through secure cosine similarity and incentive-based Byzantine-tolerance aggregation. Finally, we utilize the blockchain system to assist in facilitating the processes of federated learning and the implementation of protocols. Extensive theoretical analysis and experiments demonstrate that our new BSR-FL has enhanced privacy security, robustness, and high efficiency.

Yinbin Miao,Rongpeng Xie,Xinghua Li,Zhiquan Liu,Kim-Kwang Raymond Choo,Robert H. Deng

DOI: https://doi.org/10.1109/tdsc.2024.3354736

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Due to the powerful representation ability and superior performance of Deep Neural Networks (DNN), Federated Learning (FL) based on DNN has attracted much attention from both academic and industrial fields. However, its transmitted plaintext data causes privacy disclosure. FL based on Local Differential Privacy (LDP) solutions can provide privacy protection to a certain extent, but these solutions still cannot achieve adaptive perturbation in DNN model. In addition, this kind of schemes cause high communication overheads due to the curse of dimensionality of DNN, and are naturally vulnerable to backdoor attacks due to the inherent distributed characteristic. To solve these issues, we propose an Efficient and Secure Federated Learning scheme (ESFL) against backdoor attacks by using adaptive LDP and compressive sensing. Formal security analysis proves that ESFL satisfies $\epsilon$-LDP security. Extensive experiments using three datasets demonstrate that ESFL can solve the problems of traditional LDP-based FL schemes without a loss of model accuracy and efficiently resist the backdoor attacks.

computer science, information systems, software engineering, hardware & architecture

Ting Zhou,Ning Liu,Bo Song,Hongtao Lv,Deke Guo,Lei Liu

DOI: https://doi.org/10.1109/icde60146.2024.00076

2024-01-01

Abstract:In recent years, the integration of federated learning and deep learning technologies has become increasingly prevalent in privacy-preserved scenarios, such as smart health applications and automatic financial support. However, the inherent robustness issue in deep learning poses potential risks to federated learning systems when subjected to various attack methods. These attacks can inflict damage during the training and testing phases, perturbing models and inputs. To enhance the robustness of existing federated learning systems, we propose a novel framework called RobFL. This framework incorporates a unique feature learning module - feature center separation learning - that is specifically designed to increase the margins between different classes in the feature space, thereby augmenting the difficulty of attacks employing imperceptible perturbations on inputs. Furthermore, we design a malicious center detection method to detect malicious clients and mitigate their adverse impact. Extensive experiments substantiate the robustness of our proposed framework, RobFL, demonstrating its resilience against both evasion attacks and poisoning attacks.

Yong Li,Gaochao Xu,Xutao Meng,Wei Du,Xianglin Ren

DOI: https://doi.org/10.3390/e26050353

IF: 2.738

2024-04-24

Entropy

Abstract:In the realm of federated learning (FL), the exchange of model data may inadvertently expose sensitive information of participants, leading to significant privacy concerns. Existing FL privacy-preserving techniques, such as differential privacy (DP) and secure multi-party computing (SMC), though offering viable solutions, face practical challenges including reduced performance and complex implementations. To overcome these hurdles, we propose a novel and pragmatic approach to privacy preservation in FL by employing localized federated updates (LF3PFL) aimed at enhancing the protection of participant data. Furthermore, this research refines the approach by incorporating cross-entropy optimization, carefully fine-tuning measurement, and improving information loss during the model training phase to enhance both model efficacy and data confidentiality. Our approach is theoretically supported and empirically validated through extensive simulations on three public datasets: CIFAR-10, Shakespeare, and MNIST. We evaluate its effectiveness by comparing training accuracy and privacy protection against state-of-the-art techniques. Our experiments, which involve five distinct local models (Simple-CNN, ModerateCNN, Lenet, VGG9, and Resnet18), provide a comprehensive assessment across a variety of scenarios. The results clearly demonstrate that LF3PFL not only maintains competitive training accuracies but also significantly improves privacy preservation, surpassing existing methods in practical applications. This balance between privacy and performance underscores the potential of localized federated updates as a key component in future FL privacy strategies, offering a scalable and effective solution to one of the most pressing challenges in FL.

physics, multidisciplinary

Yongkang Wang,Dihua Zhai,Yufeng Zhan,Yuanqing Xia

DOI: https://doi.org/10.48550/arxiv.2201.03772

2022-01-01

Abstract: Federated learning (FL) is a distributed machine learning paradigm where enormous scattered clients (e.g. mobile devices or IoT devices) collaboratively train a model under the orchestration of a central server (e.g. service provider), while keeping the training data decentralized. Unfortunately, FL is susceptible to a variety of attacks, including backdoor attack, which is made substantially worse in the presence of malicious attackers. Most of algorithms usually assume that the malicious at tackers no more than benign clients or the data distribution is independent identically distribution (IID). However, no one knows the number of malicious attackers and the data distribution is usually non identically distribution (Non-IID). In this paper, we propose RFLBAT which utilizes principal component analysis (PCA) technique and Kmeans clustering algorithm to defend against backdoor attack. Our algorithm RFLBAT does not bound the number of backdoored attackers and the data distribution, and requires no auxiliary information outside of the learning process. We conduct extensive experiments including a variety of backdoor attack types. Experimental results demonstrate that RFLBAT outperforms the existing state-of-the-art algorithms and is able to resist various backdoor attack scenarios including different number of attackers (DNA), different Non-IID scenarios (DNS), different number of clients (DNC) and distributed backdoor attack (DBA).

Zeinab Alebouyeh,Amir Jalaly Bidgoly

DOI: https://doi.org/10.1016/j.future.2024.01.009

IF: 7.307

2024-01-29

Future Generation Computer Systems

Abstract:Federated learning (FL) is a machine learning framework that enables the use of user data for training without the need to share the data with the central server. FL's decentralized structure can lead to security and privacy issues, as it allows malicious or curious users to potentially participate in the training process. One limitation of most defense methods presented in FL is that they typically focus on only one aspect, either security or privacy. Therefore, the unintended effects of defensive methods in one field on another field are not clear. The purpose of this article is to examine security and privacy threats and defensive strategies in FL. In addition, the article investigates the performance of seven robust aggregators against three security attacks in both IID and non-IID settings. Furthermore, the impact of security and privacy defensive methods on each other is explored in the remainder of the article. To investigate the effect of security methods on the success rate of privacy attacks, the performance of seven robust aggregation methods against the membership inference attack is studied. The experiments reveal that the degree of privacy leakage is inversely related to the aggregator's robustness to security attacks. In other words, the greater the aggregator algorithm's robustness to security attacks, the greater the risk of privacy leakage. The impact of privacy-preserving methods on the performance of robust aggregation algorithms was investigated by studying the effect of the adversarial regularization method on their performance. The results indicate that while the adversarial regularization method can help protect user data privacy in FL, it can also disrupt the performance of robust aggregation methods. This can make it difficult for aggregators to accurately identify malicious users and reduce the overall accuracy of the global model.

computer science, theory & methods

Lingjuan Lyu,Han Yu,Xingjun Ma,Chen Chen,Lichao Sun,Jun Zhao,Qiang Yang,Philip S. Yu

DOI: https://doi.org/10.1109/tnnls.2022.3216981

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:As data are increasingly being stored in different silos and societies becoming more aware of data privacy issues, the traditional centralized training of artificial intelligence (AI) models is facing efficiency and privacy challenges. Recently, federated learning (FL) has emerged as an alternative solution and continues to thrive in this new reality. Existing FL protocol designs have been shown to be vulnerable to adversaries within or outside of the system, compromising data privacy and system robustness. Besides training powerful global models, it is of paramount importance to design FL systems that have privacy guarantees and are resistant to different types of adversaries. In this article, we conduct a comprehensive survey on privacy and robustness in FL over the past five years. Through a concise introduction to the concept of FL and a unique taxonomy covering: 1) threat models; 2) privacy attacks and defenses; and 3) poisoning attacks and defenses, we provide an accessible review of this important topic. We highlight the intuitions, key techniques, and fundamental assumptions adopted by various attacks and defenses. Finally, we discuss promising future research directions toward robust and privacy-preserving FL, and their interplays with the multidisciplinary goals of FL.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Ying Lin,Shengfu Ning,Jianpeng Hu,Jiansong Liu,Yifan Cao,Junyuan Zhang,Huan Pi

DOI: https://doi.org/10.1007/978-3-031-10989-8_4

2022-01-01

Abstract:As a distributed machine learning framework, federated learning enables a multitude of participants to train a joint model privately by keeping training data locally. The federated learning is emerging as a promising alternative to solve data privacy protection, but it has been proven that federated learning is vulnerable to attacks from malicious clients, especially Byzantine attackers sending poisoned parameters during the training phase. To address this problem, several aggregation approaches against Byzantine failures have been proposed. However, these existing aggregation methods are only of limited utility in the setting of privacy protection. This paper proposes a privacy-preserving and Byzantine-robust federated learning framework (PPBR-FL) which achieves the objective to satisfy privacy and robustness simultaneously. We use the local differential privacy mechanism to realize privacy protection for the clients and propose a Byzantine-robust aggregation rule named as TPM (Trimmed Padding Mean) to realize robustness. Extensive experiments on two benchmark datasets demonstrate that the TPM outperforms the classical aggregation approaches in terms of robustness and privacy. When less than half of the workers are Byzantine attackers, the final global model not only achieves satisfactory performance against Byzantine attack, but also provide privacy protection on parameters to prevent privacy disclosure.