Frontiers of Computer Science

ISSN 2095-2228

ISSN 2095-2236(Online)

CN 10-1014/TP

Postal Subscription Code 80-970

2018 Impact Factor: 1.129

Front. Comput. Sci.    2024, Vol. 18 Issue (2) : 182307    https://doi.org/10.1007/s11704-023-2283-x
Artificial Intelligence
FedDAA: a robust federated learning framework to protect privacy and defend against adversarial attack
Shiwei LU 1, Ruihu LI 1, Wenbin LIU 2
1. Fundamentals Department, Air Force Engineering University, Xi’an 710051, China
2. Institute of Advanced Computational Science and Technology, Guangzhou University, Guangzhou 510006, China
Abstract

Federated learning (FL) has emerged to break data silos and protect clients' privacy in the field of artificial intelligence. However, the deep leakage from gradient (DLG) attack can fully reconstruct clients' data from the submitted gradient, which threatens the fundamental privacy of FL. Although cryptography and differential privacy prevent privacy leakage from the gradient, they bring a negative effect on communication overhead or model performance. Moreover, these schemes change the original distribution of the local gradient, which makes it difficult to defend against adversarial attacks. In this paper, we propose a novel federated learning framework with model decomposition, aggregation and assembling (FedDAA), along with a training algorithm, to train the federated model: each local gradient is decomposed into multiple blocks that are sent to different proxy servers to complete aggregation. To give FedDAA better privacy protection, an indicator based on image structural similarity is designed to measure privacy leakage under the DLG attack, and an optimization method is given to protect privacy with the fewest proxy servers. In addition, we give defense schemes against adversarial attacks in FedDAA and design an algorithm to verify the correctness of the aggregated results. Experimental results demonstrate that FedDAA can reduce the structural similarity between the reconstructed image and the original image to 0.014 while keeping the model convergence accuracy at 0.952, thus having the best privacy protection performance and model training effect. More importantly, the defense schemes against adversarial attacks are compatible with privacy protection in FedDAA, and their defense effects are not weaker than those in traditional FL. Moreover, the verification algorithm for aggregation results brings negligible overhead to FedDAA.
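As an added illustration (not code from the paper or its authors), the following Python simulates one FedDAA round as the abstract describes it: each client's local gradient is decomposed into L blocks, block i of every client goes only to proxy server i, each proxy aggregates its block, and the aggregated blocks are assembled into the global gradient, which is checked against plain FedAvg over the full gradients. The client gradients are constructed sample data; the equal-size contiguous split and the cosine check of a client's block against the aggregated block (the similarity measurement of Fig. 8) are assumptions, and the paper's optimization for choosing the number of proxy servers for a given λ is not reproduced.

```python
import math
from typing import List, Tuple

Vector = List[float]

# Constructed sample input: three clients' local gradients, 10 parameters each.
CLIENT_GRADS: List[Vector] = [
    [0.1, 0.2, -0.3, 0.4, 0.5, -0.6, 0.7, 0.8, -0.9, 1.0],
    [0.2, 0.1, -0.2, 0.3, 0.6, -0.5, 0.6, 0.9, -0.8, 0.9],
    [0.0, 0.3, -0.4, 0.5, 0.4, -0.7, 0.8, 0.7, -1.0, 1.1],
]


def decompose(grad: Vector, num_blocks: int) -> List[Vector]:
    """Split a gradient into num_blocks contiguous blocks (assumed split; sizes differ by at most one)."""
    base, extra = divmod(len(grad), num_blocks)
    blocks, start = [], 0
    for i in range(num_blocks):
        size = base + (1 if i < extra else 0)
        blocks.append(grad[start:start + size])
        start += size
    return blocks


def proxy_aggregate(client_blocks: List[Vector]) -> Vector:
    """Proxy server i averages the i-th block it received from every client (FedAvg on one block)."""
    return [sum(col) / len(client_blocks) for col in zip(*client_blocks)]


def assemble(agg_blocks: List[Vector]) -> Vector:
    """Concatenate the aggregated blocks back into one global gradient."""
    return [x for block in agg_blocks for x in block]


def feddaa_round(client_grads: List[Vector], num_blocks: int) -> Tuple[Vector, List[Vector]]:
    """One round: decompose, route block i of every client to proxy i only, aggregate, assemble."""
    per_client = [decompose(g, num_blocks) for g in client_grads]
    proxy_inputs = [[blocks[i] for blocks in per_client] for i in range(num_blocks)]
    agg_blocks = [proxy_aggregate(inp) for inp in proxy_inputs]
    return assemble(agg_blocks), agg_blocks


def max_fraction_seen(n_params: int, num_blocks: int) -> float:
    """Largest share of one client's gradient parameters that any single proxy server receives."""
    return max(len(b) for b in decompose([0.0] * n_params, num_blocks)) / n_params


def cosine(a: Vector, b: Vector) -> float:
    """Cosine similarity; assumed check of a client's block against the aggregated block of its proxy."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0
```

With two proxy servers no single proxy ever holds more than half of any client's gradient, and the assembled result is identical to FedAvg, so the decomposition costs nothing in aggregation accuracy.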

Keywords: federated learning; privacy protection; adversarial attacks; aggregated rule; correctness verification
Corresponding Author(s): Wenbin LIU
Just Accepted Date: 14 February 2023   Issue Date: 10 April 2023
Cite this article:
Shiwei LU, Ruihu LI, Wenbin LIU. FedDAA: a robust federated learning framework to protect privacy and defend against adversarial attack[J]. Front. Comput. Sci., 2024, 18(2): 182307.
URL:
https://academic.hep.com.cn/fcs/EN/10.1007/s11704-023-2283-x
https://academic.hep.com.cn/fcs/EN/Y2024/V18/I2/182307
Fig.1  The framework of traditional federated learning
Fig.2  Four common privacy attacks in federated learning
Fig.3  A federated learning framework with model decomposition, aggregation and assembling (FedDAA)
Fig.4  The reconstructed image with DLG algorithm under different proportion γ of model gradient information. Image size: 32×32; Model: LeNet
Symbol | Meaning
---|---
$\{C_k\}_{k=1}^{m}$ | The $m$ clients training local models in each round
$\{D_k\}_{k=1}^{m}$ | Local training dataset of each client
$F$ | The architecture of the neural network model
$w_G^t$ | The global model at the $t$-th round
$w_k^t$, $g_k^t$ | Local model and local gradient of the $k$-th client at the $t$-th round
$\lambda$ | The proportional threshold of local gradient parameters that a proxy server can obtain
$L$ | The number of blocks the local gradient is decomposed into, equal to the number of proxy servers
$B_i^k$, $\nabla B_i^k$ | $i$-th block of the $k$-th local model or local gradient
$\nabla B_i^A$ | Aggregated gradient block of the $i$-th proxy server
$B_i^{G,t}$ | $i$-th block of the global model at the $t$-th round
Tab.1  The meaning of main notations
Fig.5  SSIM between original image and reconstructed image under different γ
Fig.6  Block verification defense in FedDAA against untargeted attack
Fig.7  Classification accuracy of the trained model in FedDAA and traditional FL. (a) MNIST; (b) CIFAR10
Method | Parameter setting | Model accuracy | SSIM
---|---|---|---
DP with Gaussian noise [24] | N(0,0.01) | 0.934 | 0.176
DP with Gaussian noise [24] | N(0,0.05) | 0.902 | 0.037
DP with Laplace noise [25] | L(0,0.01) | 0.927 | 0.138
DP with Laplace noise [25] | L(0,0.05) | 0.883 | 0.018
FedDAA (ours) | λ=0.8 | 0.952 | 0.924
FedDAA (ours) | λ=0.7 | 0.954 | 0.857
FedDAA (ours) | λ=0.6 | 0.952 | 0.014
Tab.2  The performance comparison of differential privacy and FedDAA on privacy protection (the reconstructed-image and original-image columns of the original table are images and are not reproduced here)
Training framework | Defense scheme | Sign-flipping attack, 100th round | 200th round | 300th round | Additive noise attack, 100th round | 200th round | 300th round
---|---|---|---|---|---|---|---
Traditional federated learning | Krum [33] | 0.136 | 0.225 | 0.288 | 0.147 | 0.258 | 0.335
Traditional federated learning | Trimmed-mean [35] | 0.288 | 0.432 | 0.625 | 0.342 | 0.478 | 0.644
Traditional federated learning | Median [35] | 0.235 | 0.423 | 0.535 | 0.278 | 0.402 | 0.545
Traditional federated learning | Model verification (union of ERR and LFR) [15] | 0.322 | 0.442 | 0.557 | 0.356 | 0.467 | 0.585
Traditional federated learning | No defense | 0.098 | 0.099 | 0.095 | 0.135 | 0.167 | 0.198
FedDAA (ours) | Krum | 0.168 | 0.289 | 0.357 | 0.189 | 0.288 | 0.368
FedDAA (ours) | Trimmed-mean | 0.286 | 0.454 | 0.623 | 0.340 | 0.468 | 0.647
FedDAA (ours) | Median | 0.237 | 0.412 | 0.532 | 0.285 | 0.413 | 0.551
FedDAA (ours) | Block verification (union of ERR and LFR) | 0.320 | 0.437 | 0.553 | 0.352 | 0.464 | 0.578
FedDAA (ours) | No defense | 0.102 | 0.097 | 0.113 | 0.140 | 0.177 | 0.210
Tab.3  The performance of defense schemes on untargeted attacks (model accuracy at the 100th, 200th and 300th training round)
Framework | Traditional FL / ms | FedDAA / ms
---|---|---
MNIST+CNN | 1410.5 | 2045.6
CIFAR10+ResNet18 | 10662.7 | 15935.9
Tab.4  The communication time of one round of training
Fig.8  Similarity measurements of the two defense schemes in FedDAA. The figures in the first row show the result of the baseline method $\cos(\nabla B_1^k, B_1^{G,t})$ and those in the second row show the result of $\cos(\nabla B_1^A, \nabla B_1^k)$. The two figures in the first, second and third columns respectively give the similarities under no attack, attack at the 100th round, and attack at the 300th round, where the 100th round is a non-convergence round and the 300th round is a convergence round. (a) No attack; (b) attack at the 100th round; (c) attack at the 300th round
Time cost | Computing / ms | Communication / ms
---|---|---
MNIST+CNN | 25.4 | 0.2
CIFAR10+ResNet18 | 178.1 | 0.2
Tab.5  The additional time for correctness verification in FedDAA
1 McMahan H B, Moore E, Ramage D, Arcas B A Y. Federated learning of deep networks using model averaging. 2016, arXiv preprint arXiv: 1602.05629
2 McMahan H B, Moore E, Ramage D, Hampson S, Arcas B A Y. Communication-efficient learning of deep networks from decentralized data. In: Proceedings of the 20th International Conference on Artificial Intelligence and Statistics. 2017, 1273–1282
3 Geiping J, Bauermeister H, Dröge H, Moeller M. Inverting gradients - how easy is it to break privacy in federated learning? In: Proceedings of the 34th International Conference on Neural Information Processing Systems. 2020, 1421
4 Jeon J, Kim J, Lee K, Oh S, Ok J. Gradient inversion with generative image prior. In: Proceedings of the 35th Conference on Neural Information Processing Systems. 2021, 29898–29908
5 Yin H, Mallya A, Vahdat A, Alvarez J M, Kautz J, Molchanov P. See through gradients: image batch recovery via GradInversion. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2021, 16332–16341
6 Zhao B, Mopuri K R, Bilen H. iDLG: improved deep leakage from gradients. 2020, arXiv preprint arXiv: 2001.02610
7 Zhu L, Liu Z, Han S. Deep leakage from gradients. In: Proceedings of the 33rd International Conference on Neural Information Processing Systems. 2019, 1323
8 Bhagoji A N, Chakraborty S, Mittal P, Calo S B. Analyzing federated learning through an adversarial lens. In: Proceedings of the 36th International Conference on Machine Learning. 2019, 634–643
9 Fung C, Yoon C J M, Beschastnikh I. Mitigating sybils in federated learning poisoning. 2018, arXiv preprint arXiv: 1808.04866
10 Lyu L, Yu H, Yang Q. Threats to federated learning: a survey. 2020, arXiv preprint arXiv: 2003.02133
11 Tolpegin V, Truex S, Gursoy M E, Liu L. Data poisoning attacks against federated learning systems. In: Proceedings of the 25th European Symposium on Research in Computer Security. 2020, 480–501
12 Bagdasaryan E, Veit A, Hua Y, Estrin D, Shmatikov V. How to backdoor federated learning. In: Proceedings of the 23rd International Conference on Artificial Intelligence and Statistics. 2020, 2938–2948
13 Sun Z, Kairouz P, Suresh A T, McMahan H B. Can you really backdoor federated learning? 2019, arXiv preprint arXiv: 1911.07963
14 Wang H, Sreenivasan K, Rajput S, Vishwakarma H, Agarwal S, Sohn J Y, Lee K, Papailiopoulos D. Attack of the tails: yes, you really can backdoor federated learning. In: Proceedings of the 34th International Conference on Neural Information Processing Systems. 2020, 1348
15 Fang M, Cao X, Jia J, Gong N Z. Local model poisoning attacks to Byzantine-robust federated learning. In: Proceedings of the 29th USENIX Conference on Security Symposium (USENIX Security 20). 2020, 92
16 Li S, Cheng Y, Wang W, Liu Y, Chen T. Learning to detect malicious clients for robust federated learning. 2020, arXiv preprint arXiv: 2002.00211
17 So J, Güler B, Avestimehr A S. Byzantine-resilient secure federated learning. IEEE Journal on Selected Areas in Communications, 2021, 39(7): 2168–2181
18 Fang H, Qian Q. Privacy preserving machine learning with homomorphic encryption and federated learning. Future Internet, 2021, 13(4): 94
19 Hardy S, Henecka W, Ivey-Law H, Nock R, Patrini G, Smith G, Thorne B. Private federated learning on vertically partitioned data via entity resolution and additively homomorphic encryption. 2017, arXiv preprint arXiv: 1711.10677
20 Jiang Z, Wang W, Liu Y. FLASHE: additively symmetric homomorphic encryption for cross-silo federated learning. 2021, arXiv preprint arXiv: 2109.00675
21 Girgis A, Data D, Diggavi S, Kairouz P, Suresh A T. Shuffled model of differential privacy in federated learning. In: Proceedings of the 24th International Conference on Artificial Intelligence and Statistics. 2021, 2521–2529
22 Sun L, Qian J, Chen X. LDP-FL: practical private aggregation in federated learning with local differential privacy. In: Proceedings of the 30th International Joint Conference on Artificial Intelligence. 2021, 1571–1578
23 Truex S, Liu L, Chow K H, Gursoy M E, Wei W. LDP-Fed: federated learning with local differential privacy. In: Proceedings of the 3rd ACM International Workshop on Edge Systems, Analytics and Networking. 2020, 61–66
24 Wei K, Li J, Ding M, Ma C, Yang H H, Farokhi F, Jin S, Quek T Q S, Poor H V. Federated learning with differential privacy: algorithms and performance analysis. IEEE Transactions on Information Forensics and Security, 2020, 15: 3454–3469
25 Zhao Y, Zhao J, Yang M, Wang T, Wang N, Lyu L, Niyato D, Lam K Y. Local differential privacy-based federated learning for Internet of Things. IEEE Internet of Things Journal, 2021, 8(11): 8836–8853
26 Bonawitz K, Ivanov V, Kreuter B, Marcedone A, McMahan H B, Patel S, Ramage D, Segal A, Seth K. Practical secure aggregation for federated learning on user-held data. 2016, arXiv preprint arXiv: 1611.04482
27 Choi B, Sohn J Y, Han D J, Moon J. Communication-computation efficient secure aggregation for federated learning. 2020, arXiv preprint arXiv: 2012.05433
28 Fereidooni H, Marchal S, Miettinen M, Mirhoseini A, Möllering H, Nguyen T D, Rieger P, Sadeghi A R, Schneider T, Yalame H, Zeitouni S. SAFELearn: secure aggregation for private FEderated learning. In: Proceedings of 2021 IEEE Security and Privacy Workshops (SPW). 2021, 56–62
29 Truex S, Baracaldo N, Anwar A, Steinke T, Ludwig H, Zhang R, Zhou Y. A hybrid approach to privacy-preserving federated learning. In: Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security. 2019, 1–11
30 Xu G, Li H, Liu S, Yang K, Lin X D. VerifyNet: secure and verifiable federated learning. IEEE Transactions on Information Forensics and Security, 2020, 15: 911–926
31 Dong Y, Chen X, Shen L, Wang D. EaSTFLy: efficient and secure ternary federated learning. Computers & Security, 2020, 94: 101824
32 Fang C, Guo Y, Wang N, Ju A. Highly efficient federated learning with strong privacy preservation in cloud computing. Computers & Security, 2020, 96: 101889
33 Blanchard P, El Mhamdi E M, Guerraoui R, Stainer J. Machine learning with adversaries: Byzantine tolerant gradient descent. In: Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017, 118–128
34 El Mhamdi E M, Guerraoui R, Rouault S. The hidden vulnerability of distributed learning in Byzantium. In: Proceedings of the 35th International Conference on Machine Learning. 2018, 3521–3530
35 Yin D, Chen Y, Kannan R, Bartlett P. Byzantine-robust distributed learning: towards optimal statistical rates. In: Proceedings of the 35th International Conference on Machine Learning. 2018, 5650–5659
36 Andreina S, Marson G A, Möllering H, Karame G. BaFFle: backdoor detection via feedback-based federated learning. In: Proceedings of the 41st International Conference on Distributed Computing Systems (ICDCS). 2021, 852–863
37 Chen C, Zhang J, Tung A K H, Kankanhalli M, Chen G. Robust federated recommendation system. 2020, arXiv preprint arXiv: 2006.08259
38 Melis L, Song C, De Cristofaro E, Shmatikov V. Exploiting unintended feature leakage in collaborative learning. In: Proceedings of 2019 IEEE Symposium on Security and Privacy (SP). 2019, 691–706
39 Shokri R, Stronati M, Song C, Shmatikov V. Membership inference attacks against machine learning models. In: Proceedings of the IEEE Symposium on Security and Privacy (SP). 2017, 3–18
40 Yang D, Zhang D, Yu Z, Yu Z. Fine-grained preference-aware location search leveraging crowdsourced digital footprints from LBSNs. In: Proceedings of 2013 ACM International Joint Conference on Pervasive and Ubiquitous Computing. 2013, 479–488
41 Huang G B, Mattar M, Berg T, Learned-Miller E. Labeled faces in the wild: a database for studying face recognition in unconstrained environments. In: Proceedings of the Workshop on Faces in 'Real-Life' Images: Detection, Alignment, and Recognition. 2008
42 Fredrikson M, Jha S, Ristenpart T. Model inversion attacks that exploit confidence information and basic countermeasures. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015, 1322–1333
43 Goodfellow I, Pouget-Abadie J, Mirza M, Xu B, Warde-Farley D, Ozair S, Courville A, Bengio Y. Generative adversarial networks. Communications of the ACM, 2020, 63(11): 139–144
44 Phong L T, Aono Y, Hayashi T, Wang L, Moriai S. Privacy-preserving deep learning via additively homomorphic encryption. IEEE Transactions on Information Forensics and Security, 2018, 13(5): 1333–1345
45 Lin Y, Han S, Mao H, Wang Y, Dally W J. Deep gradient compression: reducing the communication bandwidth for distributed training. In: Proceedings of the 6th International Conference on Learning Representations. 2018
46 Tsuzuku Y, Imachi H, Akiba T. Variance-based gradient compression for efficient distributed deep learning. In: Proceedings of the 6th International Conference on Learning Representations. 2018
47 Kairouz P, McMahan H B, Avent B, Bellet A, Bennis M, et al. Advances and open problems in federated learning. Foundations and Trends® in Machine Learning, 2021, 14(1–2): 1–210
48 Stallkamp J, Schlipsing M, Salmen J, Igel C. Man vs. computer: benchmarking machine learning algorithms for traffic sign recognition. Neural Networks, 2012, 32: 323–332
49 Li L, Xu W, Chen T, Giannakis G B, Ling Q. RSA: Byzantine-robust stochastic aggregation methods for distributed learning from heterogeneous datasets. In: Proceedings of the 33rd AAAI Conference on Artificial Intelligence. 2019, 1544–1551
50 Wu Z, Ling Q, Chen T, Giannakis G B. Federated variance-reduced stochastic gradient descent with robustness to Byzantine attacks. IEEE Transactions on Signal Processing, 2020, 68: 4583–4596
51 Lorenz E N. Section of planetary sciences: the predictability of hydrodynamic flow. Transactions of the New York Academy of Sciences, 1963, 25(4 Series II): 409–432
52 May R M. Simple mathematical models with very complicated dynamics. In: Hunt B R, Li T Y, Kennedy J A, Nusse H E, eds. The Theory of Chaotic Attractors. New York: Springer, 2004, 85–93
53 Hsu T M H, Qi H, Brown M. Measuring the effects of non-identical data distribution for federated visual classification. 2019, arXiv preprint arXiv: 1909.06335
54 He K, Zhang X, Ren S, Sun J. Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2016, 770–778