CRDCLGJun 3, 2024

No Vandalism: Privacy-Preserving and Byzantine-Robust Federated Learning

arXiv:2406.01080v1, 5 citations
Originality: Incremental advance
AI Analysis

This work addresses privacy and security issues in federated learning for applications where data must remain private and models must be robust against malicious participants, though it appears incremental as it builds on existing techniques.

The paper tackles the vulnerabilities of federated learning to poisoning attacks and privacy leakage by proposing a scheme called NoV, which combines a model filter with zero-knowledge proofs and secret sharing to protect against data and model poisoning while ensuring privacy, with experiments showing it effectively addresses attacks like PGD and outperforms other schemes.

Federated learning allows several clients to train one machine learning model jointly without sharing private data, providing privacy protection. However, traditional federated learning is vulnerable to poisoning attacks, which can not only decrease model performance but also implant malicious backdoors. In addition, direct submission of local model parameters can also lead to privacy leakage of the training dataset. In this paper, we aim to build a privacy-preserving and Byzantine-robust federated learning scheme to provide an environment with no vandalism (NoV) against attacks from malicious participants. Specifically, we construct a model filter for poisoned local models, protecting the global model from data and model poisoning attacks. This model filter combines zero-knowledge proofs to provide further privacy protection. Then, we adopt secret sharing to provide verifiable secure aggregation, removing malicious clients that disrupt the aggregation process. Our formal analysis proves that NoV can protect data privacy and weed out Byzantine attackers. Our experiments illustrate that NoV can effectively address data and model poisoning attacks, including PGD, and outperforms other related schemes.
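The abstract names two building blocks without detailing them: a filter that rejects poisoned local models, and secret sharing so that the server aggregates updates without seeing any single client's parameters. The following is an added illustration, not code from the NoV paper: it uses a plain L2-norm bound as a stand-in for the paper's (zero-knowledge-proof-based) model filter and n-out-of-n additive secret sharing over a prime field, with fixed-point encoding of floating-point updates. The paper's actual filter criterion, its verifiability mechanism and its field parameters are not given on this page, so `PRIME`, `SCALE` and `max_norm` are assumptions chosen for the demonstration.

```python
import math
import secrets

# Assumed parameters for the demonstration (not from the paper).
PRIME = 2**61 - 1      # field modulus for the additive shares
SCALE = 10**6          # fixed-point scale: 1e-6 resolution per coordinate


def to_field(x: float) -> int:
    """Encode a real-valued parameter as a fixed-point field element."""
    return round(x * SCALE) % PRIME


def from_field(v: int) -> float:
    """Decode a field element back to a real value (centered representation)."""
    if v > PRIME // 2:
        v -= PRIME
    return v / SCALE


def norm_filter(updates, max_norm: float):
    """Stand-in for the model filter: keep updates whose L2 norm is bounded.
    The paper's filter is ZKP-based and not specified on this page; this is
    only a placeholder check that drops obviously oversized (e.g. scaled
    model-poisoning) updates."""
    return [u for u in updates if math.sqrt(sum(x * x for x in u)) <= max_norm]


def share_vector(vec, n: int):
    """Split each coordinate of vec into n additive shares that sum to the
    encoded value mod PRIME. Any n-1 shares are uniformly random and reveal
    nothing about the coordinate."""
    dim = len(vec)
    shares = [[0] * dim for _ in range(n)]
    for j, x in enumerate(vec):
        fx = to_field(x)
        rand = [secrets.randbelow(PRIME) for _ in range(n - 1)]
        last = (fx - sum(rand)) % PRIME
        for i, r in enumerate(rand + [last]):
            shares[i][j] = r
    return shares


def secure_aggregate(updates):
    """Aggregate client updates so the server only learns their sum.
    Client i shares its update among all n clients; client k sums the shares
    it received and forwards that single masked vector to the server, which
    adds the n masked vectors together."""
    n = len(updates)
    dim = len(updates[0])
    held = [[0] * dim for _ in range(n)]   # held[k]: what client k received
    for upd in updates:
        for k, sh in enumerate(share_vector(upd, n)):
            for j in range(dim):
                held[k][j] = (held[k][j] + sh[j]) % PRIME
    # Server-side step: sum the n forwarded vectors coordinate-wise.
    total = [sum(held[k][j] for k in range(n)) % PRIME for j in range(dim)]
    return [from_field(v) for v in total]


def plain_sum(updates):
    """Reference aggregation in the clear, for checking correctness only."""
    dim = len(updates[0])
    return [sum(u[j] for u in updates) for j in range(dim)]


if __name__ == "__main__":
    # Constructed sample updates: three honest clients and one oversized one.
    updates = [[0.5, -1.25], [0.25, 0.75], [-1.0, 0.5], [500.0, -500.0]]
    kept = norm_filter(updates, max_norm=5.0)
    print("kept after filter:", len(kept))
    print("secure aggregate:", secure_aggregate(kept))
    print("plain sum       :", plain_sum(kept))
```

The server never handles an individual client's parameters; it receives n vectors each of which is the sum of one share from every client, so every coordinate it sees is uniformly random until all n are added. This matches the privacy goal in the abstract but not its Byzantine guarantee: a client that forwards a corrupted masked vector silently ruins the sum, which is exactly why the paper adds verifiability on top of the sharing step.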

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
