Local and Central Differential Privacy for Robustness and Privacy in Federated Learning
This work addresses privacy and robustness issues in federated learning for participants concerned with data security, though it is incremental as it evaluates existing DP techniques in a new context.
The paper investigates the use of local and central differential privacy (LDP/CDP) in federated learning to protect against privacy and robustness vulnerabilities, finding that both variants defend against backdoor attacks and mitigate white-box membership inference attacks, but not property inference, with varying protection-utility trade-offs.
Federated Learning (FL) allows multiple participants to train machine learning models collaboratively by keeping their datasets local while only exchanging model updates. Alas, this is not necessarily free from privacy and robustness vulnerabilities, e.g., via membership, property, and backdoor attacks. This paper investigates whether and to what extent one can use differential Privacy (DP) to protect both privacy and robustness in FL. To this end, we present a first-of-its-kind evaluation of Local and Central Differential Privacy (LDP/CDP) techniques in FL, assessing their feasibility and effectiveness. Our experiments show that both DP variants do d fend against backdoor attacks, albeit with varying levels of protection-utility trade-offs, but anyway more effectively than other robustness defenses. DP also mitigates white-box membership inference attacks in FL, and our work is the first to show it empirically. Neither LDP nor CDP, however, defend against property inference. Overall, our work provides a comprehensive, re-usable measurement methodology to quantify the trade-offs between robustness/privacy and utility in differentially private FL.