Xueluan Gong,Yanjiao Chen,Qian Wang,Weihan Kong

DOI: https://doi.org/10.1109/mwc.017.2100714

IF: 12.777

2023-01-01

IEEE Wireless Communications

Abstract:The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.

Joshua C. Zhao,Saurabh Bagchi,Salman Avestimehr,Kevin S. Chan,Somali Chaterji,Dimitris Dimitriadis,Jiacheng Li,Ninghui Li,Arash Nourian,Holger R. Roth

2024-05-07

Abstract:Deep learning has shown incredible potential across a vast array of tasks and accompanying this growth has been an insatiable appetite for data. However, a large amount of data needed for enabling deep learning is stored on personal devices and recent concerns on privacy have further highlighted challenges for accessing such data. As a result, federated learning (FL) has emerged as an important privacy-preserving technology enabling collaborative training of machine learning models without the need to send the raw, potentially sensitive, data to a central server. However, the fundamental premise that sending model updates to a server is privacy-preserving only holds if the updates cannot be "reverse engineered" to infer information about the private training data. It has been shown under a wide variety of settings that this premise for privacy does {\em not} hold.

Cryptography and Security,Machine Learning

Yao Chen,Yijie Gui,Hong Lin,Wensheng Gan,Yongdong Wu

DOI: https://doi.org/10.48550/arXiv.2211.14952

2022-11-27

Cryptography and Security

Abstract:In terms of artificial intelligence, there are several security and privacy deficiencies in the traditional centralized training methods of machine learning models by a server. To address this limitation, federated learning (FL) has been proposed and is known for breaking down ``data silos" and protecting the privacy of users. However, FL has not yet gained popularity in the industry, mainly due to its security, privacy, and high cost of communication. For the purpose of advancing the research in this field, building a robust FL system, and realizing the wide application of FL, this paper sorts out the possible attacks and corresponding defenses of the current FL system systematically. Firstly, this paper briefly introduces the basic workflow of FL and related knowledge of attacks and defenses. It reviews a great deal of research about privacy theft and malicious attacks that have been studied in recent years. Most importantly, in view of the current three classification criteria, namely the three stages of machine learning, the three different roles in federated learning, and the CIA (Confidentiality, Integrity, and Availability) guidelines on privacy protection, we divide attack approaches into two categories according to the training stage and the prediction stage in machine learning. Furthermore, we also identify the CIA property violated for each attack method and potential attack role. Various defense mechanisms are then analyzed separately from the level of privacy and security. Finally, we summarize the possible challenges in the application of FL from the aspect of attacks and defenses and discuss the future development direction of FL systems. In this way, the designed FL system has the ability to resist different attacks and is more secure and stable.

Lingjuan Lyu,Han Yu,Xingjun Ma,Chen Chen,Lichao Sun,Jun Zhao,Qiang Yang,Philip S. Yu

DOI: https://doi.org/10.1109/tnnls.2022.3216981

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:As data are increasingly being stored in different silos and societies becoming more aware of data privacy issues, the traditional centralized training of artificial intelligence (AI) models is facing efficiency and privacy challenges. Recently, federated learning (FL) has emerged as an alternative solution and continues to thrive in this new reality. Existing FL protocol designs have been shown to be vulnerable to adversaries within or outside of the system, compromising data privacy and system robustness. Besides training powerful global models, it is of paramount importance to design FL systems that have privacy guarantees and are resistant to different types of adversaries. In this article, we conduct a comprehensive survey on privacy and robustness in FL over the past five years. Through a concise introduction to the concept of FL and a unique taxonomy covering: 1) threat models; 2) privacy attacks and defenses; and 3) poisoning attacks and defenses, we provide an accessible review of this important topic. We highlight the intuitions, key techniques, and fundamental assumptions adopted by various attacks and defenses. Finally, we discuss promising future research directions toward robust and privacy-preserving FL, and their interplays with the multidisciplinary goals of FL.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Aidmar Wainakh,Ephraim Zimmer,Sandeep Subedi,Jens Keim,Tim Grube,Shankar Karuppayah,Alejandro Sanchez Guinea,Max Mühlhäuser

DOI: https://doi.org/10.3390/s23010031

2022-12-20

Abstract:Deep learning pervades heavy data-driven disciplines in research and development. The Internet of Things and sensor systems, which enable smart environments and services, are settings where deep learning can provide invaluable utility. However, the data in these systems are very often directly or indirectly related to people, which raises privacy concerns. Federated learning (FL) mitigates some of these concerns and empowers deep learning in sensor-driven environments by enabling multiple entities to collaboratively train a machine learning model without sharing their data. Nevertheless, a number of works in the literature propose attacks that can manipulate the model and disclose information about the training data in FL. As a result, there has been a growing belief that FL is highly vulnerable to severe attacks. Although these attacks do indeed highlight security and privacy risks in FL, some of them may not be as effective in production deployment because they are feasible only given special-sometimes impractical-assumptions. In this paper, we investigate this issue by conducting a quantitative analysis of the attacks against FL and their evaluation settings in 48 papers. This analysis is the first of its kind to reveal several research gaps with regard to the types and architectures of target models. Additionally, the quantitative analysis allows us to highlight unrealistic assumptions in some attacks related to the hyper-parameters of the model and data distribution. Furthermore, we identify fallacies in the evaluation of attacks which raise questions about the generalizability of the conclusions. As a remedy, we propose a set of recommendations to promote adequate evaluations.

Qammar, Attia,Ding, Jianguo,Ning, Huansheng

DOI: https://doi.org/10.1007/s10462-021-10098-w

IF: 9.588

2021-01-01

Artificial Intelligence Review

Abstract:Federated learning (FL) has received a great deal of research attention in the context of privacy protection restrictions. By jointly training deep learning models, a variety of training tasks can be competently performed with the help of invited participants. However, FL is concerned with a large number of attacks involving privacy and security aspects. This paper shows a federated learning workflow process and how a malicious client can exploit vulnerabilities in the FL system to attack the system. A systematic survey of existing research on the taxonomy of federated learning attack surface and the classification is presented. As with the FL attack surface, attackers compromise security, privacy, gain free incentives and abuse the Confidentiality, Integrity, and Availability (CIA) security triad. In addition, state-of-the-art defensive approaches against FL attacks are elaborated which help to protect and minimize the likelihood of attacks. FL models and tools for privacy attacks are explained, along with their best aspects and drawbacks. Finally, technical challenges and possible research guidelines are discussed as future work to build robust FL systems.

Yanli Li,Zhongliang Guo,Nan Yang,Huaming Chen,Dong Yuan,Weiping Ding

2024-07-11

Abstract:Federated Learning (FL) offers innovative solutions for privacy-preserving collaborative machine learning (ML). Despite its promising potential, FL is vulnerable to various attacks due to its distributed nature, affecting the entire life cycle of FL services. These threats can harm the model's utility or compromise participants' privacy, either directly or indirectly. In response, numerous defense frameworks have been proposed, demonstrating effectiveness in specific settings and scenarios. To provide a clear understanding of the current research landscape, this paper reviews the most representative and state-of-the-art threats and defense frameworks throughout the FL service life cycle. We start by identifying FL threats that harm utility and privacy, including those with potential or direct impacts. Then, we dive into the defense frameworks, analyze the relationship between threats and defenses, and compare the trade-offs among different defense strategies. Finally, we summarize current research bottlenecks and offer insights into future research directions to conclude this survey. We hope this survey sheds light on trustworthy FL research and contributes to the FL community.

Distributed, Parallel, and Cluster Computing,Artificial Intelligence

Hangyu Zhu,Liyuan Huang,Zhenping Xie

2024-09-28

Abstract:Federated learning (FL) is an emerging distributed machine learning paradigm proposed for privacy preservation. Unlike traditional centralized learning approaches, FL enables multiple users to collaboratively train a shared global model without disclosing their own data, thereby significantly reducing the potential risk of privacy leakage. However, recent studies have indicated that FL cannot entirely guarantee privacy protection, and attackers may still be able to extract users' private data through the communicated model gradients. Although numerous privacy attack FL algorithms have been developed, most are designed to reconstruct private data from a single step of calculated gradients. It remains uncertain whether these methods are effective in realistic federated environments or if they have other limitations. In this paper, we aim to help researchers better understand and evaluate the effectiveness of privacy attacks on FL. We analyze and discuss recent research papers on this topic and conduct experiments in a real FL environment to compare the performance of various attack methods. Our experimental results reveal that none of the existing state-of-the-art privacy attack algorithms can effectively breach private client data in realistic FL settings, even in the absence of defense strategies. This suggests that privacy attacks in FL are more challenging than initially anticipated.

Cryptography and Security,Artificial Intelligence

Junpeng Zhang,Hui Zhu,Fengwei Wang,Jiaqi Zhao,Qi Xu,Hui Li

DOI: https://doi.org/10.1155/2022/2886795

IF: 1.968

2022-09-30

Security and Communication Networks

Abstract:Federated learning (FL) has nourished a promising method for data silos, which enables multiple participants to construct a joint model collaboratively without centralizing data. The security and privacy considerations of FL are focused on ensuring the robustness of the global model and the privacy of participants' information. However, the FL paradigm is under various security threats from the adversary aggregator and participants. Therefore, it is necessary to comprehensively identify and classify potential threats to provide a theoretical basis for FL with security guarantees. In this paper, a unique classification of attacks, which reviews state-of-the-art research on security and privacy issues for FL, is constructed from the perspective of malicious threats based on different computing parties. Specifically, we categorize attacks with respect to performed by aggregator and participant, highlighting the Deep Gradients Leakage attacks and Generative Adversarial Networks attacks. Following an overview of attack methods, we discuss the primary mitigation techniques against security risks and privacy breaches, especially the application of blockchain and Trusted Execution Environments. Finally, several promising directions for future research are discussed.

computer science, information systems,telecommunications

Xianghua Xie,Chen Hu,Hanchi Ren,Jingjing Deng

DOI: https://doi.org/10.1016/j.neucom.2023.127225

IF: 6

2024-01-10

Neurocomputing

Abstract:Federated Learning (FL) has emerged as a powerful paradigm for training Machine Learning (ML), particularly Deep Learning (DL) models on multiple devices or servers while maintaining data localized at owners' sites. Without centralizing data, FL holds promise for scenarios where data integrity, privacy and security and are critical. However, this decentralized training process also opens up new avenues for opponents to launch unique attacks, where it has been becoming an urgent need to understand the vulnerabilities and corresponding defense mechanisms from a learning algorithm perspective. This review paper takes a comprehensive look at malicious attacks against FL, categorizing them from new perspectives on attack origins and targets, and providing insights into their methodology and impact. In this survey, we focus on threat models targeting the learning process of FL systems. Based on the source and target of the attack, we categorize existing threat models into four types, Data to Model (D2M), Model to Data (M2D), Model to Model (M2M) and composite attacks. For each attack type, we discuss the defense strategies proposed, highlighting their effectiveness, assumptions and potential areas for improvement. Defense strategies have evolved from using a singular metric to excluding malicious clients, to employing a multifaceted approach examining client models at various phases. In this survey paper, our research indicates that the to-learn data, the learning gradients, and the learned model at different stages all can be manipulated to initiate malicious attacks that range from undermining model performance, reconstructing private local data, and to inserting backdoors. We have also seen these threat are becoming more insidious. While earlier studies typically amplified malicious gradients, recent endeavors subtly alter the least significant weights in local models to bypass defense measures. This literature review provides a holistic understanding of the current FL threat landscape and highlights the importance of developing robust, efficient, and privacy-preserving defenses to ensure the safe and trusted adoption of FL in real-world applications. The categorized bibliography can be found at: https://github.com/Rand2AI/Awesome-Vulnerability-of-Federated-Learning .

computer science, artificial intelligence

Gorka Abad,Stjepan Picek,Víctor Julio Ramírez-Durán,Aitor Urbieta

DOI: https://doi.org/10.48550/arXiv.2112.05423

2021-12-10

Cryptography and Security

Abstract:Recent privacy awareness initiatives such as the EU General Data Protection Regulation subdued Machine Learning (ML) to privacy and security assessments. Federated Learning (FL) grants a privacy-driven, decentralized training scheme that improves ML models' security. The industry's fast-growing adaptation and security evaluations of FL technology exposed various vulnerabilities that threaten FL's confidentiality, integrity, or availability (CIA). This work assesses the CIA of FL by reviewing the state-of-the-art (SoTA) and creating a threat model that embraces the attack's surface, adversarial actors, capabilities, and goals. We propose the first unifying taxonomy for attacks and defenses and provide promising future research directions.

Qingdi Han,Siqi Lu,Wenhao Wang,Haipeng Qu,Jingsheng Li,Yang Gao

DOI: https://doi.org/10.1002/cpe.8084

2024-03-20

Concurrency and Computation Practice and Experience

Abstract:Summary Federated learning (FL) has emerged as a promising solution to address the challenges posed by data silos and the need for global data fusion. It offers a distributed machine learning framework with privacy‐preserving features, allowing model training without the need to collect user data. However, FL also presents significant security and privacy threats that hinder its widespread adoption. The requirements of privacy and security in FL are inherently conflicting. Privacy necessitates the concealment of individual client updates, while security requires the disclosure of client updates to detect anomalies. While most existing research focused on the privacy and security aspects of FL, very few studies have addressed the compatibility of these two demands. In this work, we aim to bridge this gap by proposing a comprehensive defense scheme that ensures privacy, security, and compatibility in FL. We categorize the existing literature into two key directions: privacy defense and security defense. Privacy defense includes methods based on additive masks, differential privacy, homomorphic encryption, and trusted execution environment, whereas security defense encompasses distance‐, performance‐, clustering‐, and similarity‐based anomaly detection techniques and statistical information‐based anomaly update bypassing techniques when the server is trusted and privacy‐compatible anomaly update detection techniques when the server is not trusted. In addition, this article presents decentralized FL solutions based on blockchain. For each direction, we discuss specific technical solutions, their advantages, and disadvantages. By evaluating various defense methods, we identify the most suitable approach to address the primary challenge of "achieving a secure and robust FL system against malicious adversaries while protecting users' privacy." We then propose a theoretical reference framework for end‐to‐end protection of privacy and security in FL for the key problem, which summarizes the attack surface of FL systems from the client to the server under the security model where the client and server are malicious. Leveraging the strengths and characteristics of existing schemes, our proposed framework integrates multiple techniques to strike a balance between privacy, usability, and efficiency. This framework serves as a valuable reference and provides insights for future work in the field. Finally, we also provide recommendations for future research directions in this field.

computer science, theory & methods, software engineering

Jahid Hasan

2023-07-23

Abstract:Federated Learning (FL) has emerged as a promising approach to address data privacy and confidentiality concerns by allowing multiple participants to construct a shared model without centralizing sensitive data. However, this decentralized paradigm introduces new security challenges, necessitating a comprehensive identification and classification of potential risks to ensure FL's security guarantees. This paper presents a comprehensive taxonomy of security and privacy challenges in Federated Learning (FL) across various machine learning models, including large language models. We specifically categorize attacks performed by the aggregator and participants, focusing on poisoning attacks, backdoor attacks, membership inference attacks, generative adversarial network (GAN) based attacks, and differential privacy attacks. Additionally, we propose new directions for future research, seeking innovative solutions to fortify FL systems against emerging security risks and uphold sensitive data confidentiality in distributed learning environments.

Cryptography and Security,Artificial Intelligence

Chang Zhang,Shunkun Yang,Lingfeng Mao,Huansheng Ning

DOI: https://doi.org/10.1007/s10462-024-10796-1

IF: 9.588

2024-05-24

Artificial Intelligence Review

Abstract:In recent years, deep learning methods based on a large amount of data have achieved substantial success in numerous fields. However, with increases in regulations for protecting private user data, access to such data has become restricted. To overcome this limitation, federated learning (FL) has been widely utilized for training deep learning models without centralizing data. However, the inaccessibility of FL data and heterogeneity of the client data render difficulty in providing security and protecting the privacy in FL. In addition, the security and privacy anomalies in the corresponding systems significantly hinder the application of FL. Numerous studies have been proposed aiming to maintain the model security and mitigate the leakage of private training data during the FL training phase. Existing surveys categorize FL attacks from a defensive standpoint, but lack the efficiency of pinpointing attack points and implementing timely defenses. In contrast, our survey comprehensively categorizes and summarizes detected anomalies across client, server, and communication perspectives, facilitating easier identification and timely defense measures. Our survey provides an overview of the FL system and briefly introduces the FL security and privacy anomalies. Next, we detail the existing security and privacy anomalies and the methods of detection and defense from the perspectives of the client, server, and communication process. Finally, we address the security and privacy anomalies in non-independent identically distributed cases during FL and summarize the related research progress. This survey aims to provide a systematic and comprehensive review of security and privacy research in FL to help understand the progress and better apply FL in additional scenarios.

computer science, artificial intelligence

Lingjuan Lyu,Han Yu,Qiang Yang

DOI: https://doi.org/10.48550/arXiv.2003.02133

2020-03-04

Cryptography and Security

Abstract:With the emergence of data silos and popular privacy awareness, the traditional centralized approach of training artificial intelligence (AI) models is facing strong challenges. Federated learning (FL) has recently emerged as a promising solution under this new reality. Existing FL protocol design has been shown to exhibit vulnerabilities which can be exploited by adversaries both within and without the system to compromise data privacy. It is thus of paramount importance to make FL system designers to be aware of the implications of future FL algorithm design on privacy-preservation. Currently, there is no survey on this topic. In this paper, we bridge this important gap in FL literature. By providing a concise introduction to the concept of FL, and a unique taxonomy covering threat models and two major attacks on FL: 1) poisoning attacks and 2) inference attacks, this paper provides an accessible review of this important topic. We highlight the intuitions, key techniques as well as fundamental assumptions adopted by various attacks, and discuss promising future research directions towards more robust privacy preservation in FL.

Liu Pengrui,Xu Xiangrui,Wang Wei

DOI: https://doi.org/10.1186/s42400-021-00105-6

2022-01-01

Abstract:Empirical attacks on Federated Learning (FL) systems indicate that FL is fraught with numerous attack surfaces throughout the FL execution. These attacks can not only cause models to fail in specific tasks, but also infer private information. While previous surveys have identified the risks, listed the attack methods available in the literature or provided a basic taxonomy to classify them, they mainly focused on the risks in the training phase of FL. In this work, we survey the threats, attacks and defenses to FL throughout the whole process of FL in three phases, including Data and Behavior Auditing Phase , Training Phase and Predicting Phase . We further provide a comprehensive analysis of these threats, attacks and defenses, and summarize their issues and taxonomy. Our work considers security and privacy of FL based on the viewpoint of the execution process of FL. We highlight that establishing a trusted FL requires adequate measures to mitigate security and privacy threats at each phase. Finally, we discuss the limitations of current attacks and defense approaches and provide an outlook on promising future research directions in FL.

Kai Hu,Sheng Gong,Qi Zhang,Chaowen Seng,Min Xia,Shanshan Jiang

DOI: https://doi.org/10.1007/s10462-024-10846-8

IF: 9.588

2024-07-13

Artificial Intelligence Review

Abstract:Federated learning has received a great deal of research attention recently,with privacy protection becoming a key factor in the development of artificial intelligence. Federated learning is a special kind of distributed learning framework, which allows multiple users to participate in model training while ensuring that their privacy is not compromised; however, this paradigm is still vulnerable to security and privacy threats from various attackers. This paper focuses on the security and privacy threats related to federated learning. First, we analyse the current research and development status of federated learning through use of the CiteSpace literature search tool. Next, we describe the basic concepts and threat models, and then analyse the security and privacy vulnerabilities within current federated learning architectures. Finally, the directions of development in this area are further discussed in the context of current advanced defence solutions, for which we provide a summary and comparison.

computer science, artificial intelligence

Juan Mao,Chunjie Cao,LongJuan Wang,Jun Ye,WenJie Zhong

DOI: https://doi.org/10.1088/1742-6596/1757/1/012192

2021-01-01

Journal of Physics Conference Series

Abstract:With the emergence of data islands and the popular awareness of privacy, federated learning, as an emerging data sharing and exchange model, can realize multi-party collaboration under the premise of protecting data privacy and security because the data distributed in multiple devices cannot be sent locally. To achieve benefits for all parties involved, it has been widely used in many fields such as finance, medical care, and education. However, FL also has various security and privacy issues. Starting from the overview of federated learning, this article describes in detail the threat model and existing security issues, including replay attacks, poisoning attacks, reasoning attacks, etc., and then makes a certain analysis of FL privacy protection security technologies. Compared with SMC and HE, differential privacy is excellent in terms of efficiency. Finally, we discussed the challenges of privacy protection and security issues and future research directions.

Alberto Blanco-Justicia,Josep Domingo-Ferrer,Sergio Martínez,David Sánchez,Adrian Flanagan,Kuan Eeik Tan

DOI: https://doi.org/10.48550/arXiv.2012.06810

2020-12-12

Abstract:Federated learning (FL) allows a server to learn a machine learning (ML) model across multiple decentralized clients that privately store their own training data. In contrast with centralized ML approaches, FL saves computation to the server and does not require the clients to outsource their private data to the server. However, FL is not free of issues. On the one hand, the model updates sent by the clients at each training epoch might leak information on the clients' private data. On the other hand, the model learnt by the server may be subjected to attacks by malicious clients; these security attacks might poison the model or prevent it from converging. In this paper, we first examine security and privacy attacks to FL and critically survey solutions proposed in the literature to mitigate each attack. Afterwards, we discuss the difficulty of simultaneously achieving security and privacy protection. Finally, we sketch ways to tackle this open problem and attain both security and privacy.

Cryptography and Security,Artificial Intelligence