Federated learning (FL) enables a set of entities to collaboratively train a machine learning model without sharing their sensitive data, thus, mitigating some privacy concerns. However, an increasing number of works in the literature propose attacks that can manipulate the model and disclose information about the training data in FL. As a result, there has been a growing belief in the research community that FL is highly vulnerable to a variety of severe attacks. Although these attacks do indeed highlight security and privacy risks in FL, some of them may not be as effective in production deployment because they are feasible only under special -- sometimes impractical -- assumptions. Furthermore, some attacks are evaluated under limited setups that may not match real-world scenarios. In this paper, we investigate this issue by conducting a systematic mapping study of attacks against FL, covering 48 relevant papers from 2016 to the third quarter of 2021. On the basis of this study, we provide a quantitative analysis of the proposed attacks and their evaluation settings. This analysis reveals several research gaps with regard to the type of target ML models and their architectures. Additionally, we highlight unrealistic assumptions in the problem settings of some attacks, related to the hyper-parameters of the ML model and data distribution among clients. Furthermore, we identify and discuss several fallacies in the evaluation of attacks, which open up questions on the generalizability of the conclusions. As a remedy, we propose a set of recommendations to avoid these fallacies and to promote adequate evaluations.
翻译:联邦学习(FL)使一组实体能够合作培训机器学习模式,而不必分享其敏感数据,从而减轻某些隐私问题,然而,文献中越来越多的著作提议攻击能够操纵该模式并披露关于FL培训数据的信息。因此,研究界越来越相信FL极易受各种严重攻击的伤害。虽然这些攻击确实突出了FL的安全和隐私风险,但其中一些攻击可能无法有效进行生产部署,因为它们只有在特殊 -- -- 有时不切实际 -- -- 假设下才可行。此外,有些攻击是在有限的组合下评估的,可能不符合真实世界情景。在本文件中,我们通过对FL攻击进行系统测绘研究,调查这一问题,涵盖2016年至2021年第三季度的48份相关文件。根据这项研究,我们对拟议攻击及其评价环境进行了定量分析。这种分析显示,在目标ML模型的类型及其适当结构方面,有些研究差距可能不那么有效,因为它们只有在特殊 -- -- 有时不切实际 -- -- 假设的情况下才可行。我们强调,有些攻击是在有限的组合下评价,可能不符合真实世界情景。我们通过对FL攻击进行系统调查来调查这一问题,从2016年到20年的模型,我们提出一系列攻击结论。我们提出如何评估。