Recently, federated learning (FL) has been subject to both security and privacy attacks, which pose a dilemma for the underlying algorithmic designs: on the one hand, FL is shown to be vulnerable to backdoor attacks that stealthily manipulate the global model's output using malicious model updates; on the other hand, FL is shown to be vulnerable to inference attacks in which a malicious aggregator infers information about clients' data from their model updates. Unfortunately, existing defenses against these attacks are insufficient, and mitigating both attacks at the same time is highly challenging: defeating backdoor attacks requires analyzing the model updates, whereas protecting against inference attacks prohibits access to the model updates in order to avoid information leakage. In this work, we introduce FLGUARD, a novel in-depth defense for FL that tackles this challenge. To mitigate backdoor attacks, it applies a multilayered defense: a Model Filtering layer detects and rejects malicious model updates, and a Poison Elimination layer removes any effect of a remaining, undetected weak manipulation. To impede inference attacks, we build private FLGUARD, which securely evaluates the FLGUARD algorithm under encryption using sophisticated secure computation techniques. We extensively evaluate FLGUARD against state-of-the-art backdoor attacks on several datasets and applications, including image classification, word prediction, and IoT intrusion detection. We show that FLGUARD can entirely remove backdoors with a negligible effect on accuracy, and that private FLGUARD is practical.