CR | Aug 7, 2023
When Federated Learning meets Watermarking: A Comprehensive Overview of Techniques for Intellectual Property Protection
Mohammed Lansari, Reda Bellafqira, Katarzyna Kapusta et al.
Federated Learning (FL) is a technique that allows multiple participants to collaboratively train a Deep Neural Network (DNN) without the need to centralize their data. Among other advantages, it comes with privacy-preserving properties that make it attractive for applications in sensitive contexts, such as health care or the military. Although the data are not explicitly exchanged, the training procedure requires sharing information about participants' models. This makes the individual models vulnerable to theft or unauthorized distribution by malicious actors. To address the issue of ownership rights protection in the context of Machine Learning (ML), DNN watermarking methods have been developed during the last five years. Most existing works have focused on watermarking in a centralized setting, and only a few methods have been designed for FL and its unique constraints. In this paper, we provide an overview of recent advancements in Federated Learning watermarking, shedding light on the new challenges and opportunities that arise in this field.
CR | May 30, 2022
White-box Membership Attack Against Machine Learning Based Retinopathy Classification
Mounia Hamidouche, Reda Bellafqira, Gwenolé Quellec et al.
Advances in machine learning (ML) have greatly improved AI-based diagnosis aid systems in medical imaging. However, because these systems rely on collecting medical data specific to individuals, they raise several security issues, especially in terms of privacy. Even if the owner of the images, such as a hospital, puts in place strict privacy protection provisions at the level of its information system, the model trained over its images still holds disclosure potential. The trained model may be accessible to an attacker as: 1) White-box: with access to the model architecture and parameters; 2) Black-box: where the attacker can only query the model with their own inputs through an appropriate interface. Existing attack methods include feature estimation attacks (FEA), membership inference attacks (MIA), model memorization attacks (MMA) and identification attacks (IA). In this work we focus on MIA against a model that has been trained to detect diabetic retinopathy from retinal images. Diabetic retinopathy is a condition that can cause vision loss and blindness in people who have diabetes. MIA is the process of determining whether or not a data sample comes from the training data set of a trained ML model. From a privacy perspective, in our use case where a diabetic retinopathy classification model is given to partners that have at their disposal images along with patients' identifiers, inferring the membership status of a data sample can reveal whether a patient has contributed to the training of the model.
CR | Jan 21, 2025
FL-CLEANER: byzantine and backdoor defense by CLustering Errors of Activation maps in Non-iid fedErated leaRning
Mehdi Ben Ghali, Gouenou Coatrieux, Reda Bellafqira
Federated Learning (FL) enables clients to collaboratively train a global model using their local datasets while reinforcing data privacy, but it is prone to poisoning attacks. Existing defense mechanisms assume that clients' data are independent and identically distributed (IID), making them ineffective in real-world applications where data are non-IID. This paper presents FL-CLEANER, the first defense capable of filtering both byzantine and backdoor attackers' model updates in a non-IID FL environment. The originality of FL-CLEANER is twofold. First, it relies on a client confidence score derived from the reconstruction errors of each client's model activation maps for a given trigger set, with reconstruction errors obtained by means of a Conditional Variational Autoencoder trained according to a novel server-side strategy. Second, it uses an original ad-hoc trust propagation algorithm we propose. Based on previous client scores, it allows building a cluster of benign clients while flagging potential attackers. Experimental results on the MNIST and FashionMNIST datasets demonstrate the efficiency of FL-CLEANER against Byzantine attackers as well as some state-of-the-art backdoors in non-IID scenarios; it achieves a close-to-zero (<1%) benign client misclassification rate, even in the absence of an attack, and achieves strong performance compared to state-of-the-art defenses.
CR | Jun 7, 2018
Secure Multilayer Perceptron Based On Homomorphic Encryption
Reda Bellafqira, Gouenou Coatrieux, Emmanuelle Genin et al.
In this work, we propose an outsourced Secure Multilayer Perceptron (SMLP) scheme where privacy and confidentiality of both the data and the model are ensured during the training and the classification phases. More precisely, this SMLP: i) can be trained by a cloud server based on data previously outsourced by a user in a homomorphically encrypted form; ii) has homomorphically encrypted parameters, thus giving no clues to the cloud; and iii) can also be used to classify new encrypted data sent by the user, returning the encrypted classification result. The originality of this scheme is threefold. To the best of our knowledge, it is the first multilayer perceptron (MLP) secured in its training phase over homomorphically encrypted data with no convergence problem. It does not require extra communication between the server and the user. It is based on the Rectified Linear Unit (ReLU) activation function, which we secure with no approximation, unlike existing SMLP solutions. To do so, we take advantage of two semi-honest non-colluding servers. Experimental results carried out on a binary database encrypted with the Paillier cryptosystem demonstrate the overall performance of our scheme and its convergence.
CR | Jun 6, 2017
Sharing Data Homomorphically Encrypted with Different Encryption Keys
Reda Bellafqira, Gouenou Coatrieux, Dalel Bouslimi et al.
In this paper, we propose the first homomorphic-based proxy re-encryption (HPRE) solution that allows different users to share data they have outsourced homomorphically encrypted under their respective public keys, while keeping the possibility to process such data remotely. More precisely, this scheme makes it possible to switch the public encryption key to another one without the help of a trusted third party. Its originality lies in a method we propose to compute the difference between two encrypted data without decrypting them and with no extra communication. Basically, in our HPRE scheme, the two users, the delegator and the delegate, ask the cloud server to generate an encrypted noise based on a secret key both users previously agreed on. Based on our solution for comparing encrypted data, the cloud computes in the clear the differences between the encrypted noise and the encrypted data of the delegator, thus obtaining blinded data. Next, the cloud encrypts these differences with the public key of the delegate. Since the delegate also knows the noise, they only have to remove it to obtain the data encrypted under their public key. This solution has been experimented in the case of sharing images outsourced to a semi-honest cloud server.
CR | Apr 3, 2017
Secured Outsourced Content Based Image Retrieval Based on Encrypted Signatures Extracted From Homomorphically Encrypted Images
Reda Bellafqira, Gouenou Coatrieux, Dalel Bouslimi et al.
In this paper, we present a novel Secured Outsourced Content Based Image Retrieval (SOCBIR) solution, which allows looking for similar images stored in the cloud in a homomorphically encrypted form. Its originality is fourfold. First, it extracts a wavelet-based global image signature from a Paillier-encrypted image. Second, this signature is extracted in an encrypted form and gives no clues about the image content. Third, its calculation does not require the cloud to communicate with a trusted third party, as is usually proposed by other existing schemes. More precisely, all computations required in order to look for similar images are conducted by the cloud alone, with no extra communication. To make such a computation possible, we propose a new fast way to compare encrypted data, whether or not they are encrypted under the same public key, which uses a recursive relationship between Paillier random values when computing the different resolution levels of the image wavelet transform. Experiments conducted in two distinct frameworks, medical image retrieval for diagnosis aid support and face recognition for user authentication, indicate that the proposed SOCBIR does not change image retrieval performance.