A Privacy-Preserving Federated Learning Scheme Against Poisoning Attack

doi:10.19678/j.issn.1000-3428.0069133

Abstract

Abstract:

Federated learning enables participants to collaboratively model without revealing their raw data, thereby effectively addressing the privacy issue of distributed data. However, as research advances, federated learning continues to face security concerns such as privacy inference attacks and malicious client poisoning attacks. Existing improvements to federated learning mainly focus on either privacy protection or against poisoning attacks without simultaneously addressing both types of attacks. To address both inference and poisoning attacks in federated learning, a privacy-preserving against poisoning federated learning scheme called APFL is proposed. This scheme involves the design of a model detection algorithm that utilizes Differential Privacy (DP) techniques to assign corresponding aggregation weights to each client based on the cosine similarity between the models. Homomorphic encryption techniques are employed for the weighted aggregation of the local models. Experimental evaluations of the MNIST and CIFAR10 datasets demonstrate that APFL effectively filters malicious models and defends against poisoning attacks while ensuring data privacy. When the poisoning ratio is no more than 50%, APFL achieves a model performance consistent with the Federated Averaging (FedAvg) scheme in a non-poisoned environment. Compared with the Krum and FLTrust schemes, APFL exhibits average reductions of 19% and 9% in model test error rate, respectively.

Key words: federated learning, Differential Privacy (DP), homomorphic encryption, privacy-preserving, poisoning attack

摘要：

联邦学习实现了各参与方在不泄露原始数据的前提下联合建模，有效解决了分布式数据隐私的问题，但随着研究的深入，联邦学习还存在隐私推断攻击或恶意客户端投毒攻击等安全问题。现有联邦学习改进方案大多仅从隐私保护或抗投毒攻击方面进行改进，不能兼顾两种攻击。为了同时解决联邦学习中的推断攻击和投毒攻击，提出一个隐私保护的抗投毒攻击联邦学习（APFL）方案。设计一个模型检测算法，使用差分隐私（DP）技术，根据模型间余弦相似度赋予各客户端相应聚合权重，使用同态加密技术将本地模型加权聚合。在MNIST和CIFAR10数据集上的实验结果表明，APFL在保证数据隐私的同时能有效筛选恶意模型，抵御投毒攻击，当投毒比例不超过50%时，APFL模型性能与无投毒攻击环境下联邦平均(FedAvg)方案一致，模型测试错误率较Krum方案平均降低19%，较FLTrust方案平均降低9%。

关键词: 联邦学习, 差分隐私, 同态加密, 隐私保护, 投毒攻击

YAO Yupeng, WEI Lifei, ZHANG Lei. A Privacy-Preserving Federated Learning Scheme Against Poisoning Attack[J]. Computer Engineering, 2025, 51(6): 223-235.

姚玉鹏, 魏立斐, 张蕾. 一种隐私保护的抗投毒攻击联邦学习方案[J]. 计算机工程, 2025, 51(6): 223-235.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0069133

https://www.ecice06.com/EN/Y2025/V51/I6/223

Figures/Tables 15

Fig.1 System architecture of the scheme in this paper

Fig.2 Global model accuracy curves for different schemes on different datasets in an attack-free environment

Fig.3 Accuracy curves of scheme with and without MAD algorithm on different datasets

Fig.4 Model accuracy curves of various schemes on the MNIST dataset under LFA poisoning attack environments

Fig.5 Model accuracy curves of various schemes on the MNIST dataset under MAP poisoning attack environment

Fig.6 Model accuracy curves of various schemes on the CIFAR10 dataset under LFA poisoning attack environments

Fig.7 Model accuracy curves of various schemes on the CIFAR10 dataset under MAP poisoning attack environments

Fig.8 The influence of different poisoning rates on the accuracy of the global model of the APFL scheme

Fig.9 Influence of differential privacy noise on global model accuracy

Fig.10 Impact of the number of clients N on the accuracy of the global model

Fig.11 Comparison of homomorphic computation time

Fig.12 Comparison of ciphertext communication time

References 30

1	LI B Y, CHAO X, WANG L G, et al. Dense nested attention network for infrared small target detection. IEEE Transactions on Image Processing, 2023, 32, 1745- 1758. doi: 10.1109/TIP.2022.3199107
2	PENG L T, ZHU C L, BIAN L H. U-shape transformer for underwater image enhancement. IEEE Transactions on Image Processing, 2023, 32, 3066- 3079. doi: 10.1109/TIP.2023.3276332
3	ZHANG R, ZHANG P, WANG Y. Design and implementation of data analysis and retrieval system for Chinese traditional patent medicine[C]//Proceedings of IEEE International Conference on Bioinformatics and Biomedicine (BIBM). Washington D. C., USA: IEEE Press, 2022: 3752-3756. URL
4	ARADI S. Survey of deep reinforcement learning for motion planning of autonomous vehicles. IEEE Transactions on Intelligent Transportation Systems, 2022, 23(2): 740- 759. doi: 10.1109/TITS.2020.3024655
5	MCMAHAN B H, MOORE E, RAMAGE D, et al. Communication-efficient learning of deep networks from decentralized data[EB/OL]. [2023-11-20]. https://arxiv.org/pdf/1602.05629.
6	刘艺璇, 陈红, 刘宇涵, 等. 联邦学习中的隐私保护技术. 软件学报, 2022, 33(3): 1057- 1092. doi: 10.13328/j.cnki.jos.006446
	LIU Y X, CHEN H, LIU Y H, et al. Privacy-preserving techniques in federated learning. Journal of Software, 2022, 33(3): 1057- 1092. doi: 10.13328/j.cnki.jos.006446
7	LEE H, KIM J, HUSSAIN R, et al. On defensive neural networks against inference attack in federated learning[C]//Proceedings of IEEE International Conference on Communications. Washington D. C., USA: IEEE Press, 2021: 1-6. URL
8	LUO X J, WU Y C, XIAO X K, et al. Feature inference attack on model predictions in vertical federated learning[C]//Proceedings of the 37th International Conference on Data Engineering (ICDE). Washington D. C., USA: IEEE Press, 2021: 181-192. URL
9	高莹, 陈晓峰, 张一余, 等. 联邦学习系统攻击与防御技术研究综述. 计算机学报, 2023, 46(9): 1781- 1805.
	GAO Y, CHEN X F, ZHANG Y Y, et al. A survey of attack and defense techniques for federated learning systems. Chinese Journal of Computers, 2023, 46(9): 1781- 1805.
10	STEINHARDT J, KOH P W, LIANG P. Certified defenses for data poisoning attacks[C]//Proceedings of the 31st International Conference on Neural Information Processing Systems. New York, USA: ACM Press, 2017: 3520-3532. URL
11	FANG M H, CAO X Y, JIA J Y, et al. Local model poisoning attacks to Byzantine-robust federated learning[C]//Proceedings of the 29th USENIX Conference on Security Symposium. New York, USA: ACM Press, 2020: 1623-1640. URL
12	BLANCHARD P, EL MHAMDI E M, GUERRAOUI R, et al. Machine learning with adversaries: Byzantine tolerant gradient descent[C]//Proceedings of the 31st International Conference on Neural Information Processing Systems. New York, USA: ACM Press, 2017: 118-128. URL
13	EL MHAMDI E M, GUERRAOUI R, ROUAULT S. The hidden vulnerability of distributed learning in Byzantium[EB/OL]. [2023-11-20]. https://arxiv.org/pdf/1802.07927. URL
14	YIN D, CHEN Y D, KANNAN R, et al. Byzantine-robust distributed learning: towards optimal statistical rates[EB/OL]. [2023-11-20]. https://arxiv.org/pdf/1803.01498.
15	BONAWITZ K, IVANOV V, KREUTER B, et al. Practical secure aggregation for privacy-preserving machine learning[C]//Proceedings of the 24th ACM-SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2017: 1175-1191. URL
16	ZENG Z, DU Y, FANG Z, et al. FLBooster: a unified and efficient platform for federated learning acceleration[C]//Proceedings of the 39th International Conference on Data Engineering (ICDE). Washington D. C., USA: IEEE Press, 2023: 3140-3153. URL
17	MADI A, STAN O, MAYOUE A, et al. A secure federated learning framework using homomorphic encryption and verifiable computing[C]//Proceedings of Conference on Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge. Berlin, Germany: Springer, 2021: 1-8. URL
18	任一支, 刘容轲, 王冬, 等. 基于联邦学习的本地化差分隐私机制研究. 电子与信息学报, 2023, 45(3): 784- 792. doi: 10.11999/JEIT221064
	REN Y Z, LIU R K, WANG D, et al. A study of local differential privacy mechanisms based on federated learning. Journal of Electronics & Information Technology, 2023, 45(3): 784- 792. doi: 10.11999/JEIT221064
19	CAO X Y, FANG M H, LIU J, et al. FLTrust: Byzantine-robust federated learning via trust bootstrapping[EB/OL]. [2023-11-20]. https://arxiv.org/abs/2012.13995v3.
20	LIU X Y, LI H W, XU G W, et al. Privacy-enhanced federated learning against poisoning adversaries. IEEE Transactions on Information Forensics and Security, 2021, 16, 4574- 4588. doi: 10.1109/TIFS.2021.3108434
21	DONG Y, CHEN X J, LI K, et al. FLOD: oblivious defender for private Byzantine-robust federated learning with dishonest-majority[C]//Proceedings of European Symposium on Research in Computer Security. Berlin, Germany: Springer, 2021: 497-518.
22	RUAN W, XU M, FANG W, et al. Private, efficient, and accurate: protecting models trained by multi-party learning with differential privacy[C]//Proceedings of IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2023: 1926-1943. URL
23	HIDAYAT M A, NAKAMURA Y, DAWTON B, et al. AGC-DP: differential privacy with adaptive Gaussian clipping for federated learning[C]//Proceedings of the 24th IEEE International Conference on Mobile Data Management (MDM). Washington D. C., USA: IEEE Press, 2023: 199-208. URL
24	周炜, 王超, 徐剑, 等. 基于区块链的隐私保护去中心化联邦学习模型. 计算机研究与发展, 2022, 59(11): 2423- 2436.
	ZHOU W, WANG C, XU J, et al. Privacy-preserving and decentralized federated learning model based on the blockchain. Journal of Computer Research and Development, 2022, 59(11): 2423- 2436.
25	PHONG L T, AONO Y, HAYASHI T, et al. Privacy-preserving deep learning via additively homomorphic encryption. IEEE Transactions on Information Forensics and Security, 2017, 13(5): 1333- 1345. doi: 10.1109/TIFS.2017.2787987
26	WANG S W, HUANG L S, NIE Y W, et al. Local differential private data aggregation for discrete distribution estimation. IEEE Transactions on Parallel and Distributed Systems, 2019, 30(9): 2046- 2059. doi: 10.1109/TPDS.2019.2899097
27	PAILLIER P. Public-key cryptosystems based on composite degree residuosity classes[C]//Proceedings of International Conference on the Theory and Applications of Cryptographic Techniques. Berlin, Germany: Springer, 1999: 223-238. URL
28	GENTRY C, SAHAI A, WATERS B. Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based[C]//Proceedings of the 33rd Annual International Cryptology Conference (CRYPTO). Berlin, Germany: Springer, 2013: 75-92. URL
29	CHEON J H, KIM A, KIM M, et al. Homomorphic encryption for arithmetic of approximate numbers[C]//Proceedings of the 23rd International Conference on the Theory and Applications of Cryptology and Information Security. Berlin, Germany: Springer, 2017: 409-437. URL
30	WEI K, LI J, DING M, et al. User-level privacy-preserving federated learning: analysis and performance optimization. IEEE Transactions on Mobile Computing, 2021, 21(9): 3388- 3401. doi: 10.1109/TMC.2021.3056991

[1]	SHI Yonghui, DAI Qi, CHEN Lifang, HAN Yang. Federated Aggregation Algorithm Based on Natural Nearest Neighbors [J]. Computer Engineering, 2025, 51(6): 236-244.
[2]	TANG Yingying, CHEN Yuling, LUO Yun, LI Zaidong. Verifiable Multi-Keyword Ciphertext Retrieval Scheme Based on Fully Homomorphic Encryption [J]. Computer Engineering, 2025, 51(4): 188-197.
[3]	WU Xiaohong, LI Pei, GU Yonggen, TAO Jie. Hierarchical Federated Learning Algorithm Based on EMD Optimal Matching [J]. Computer Engineering, 2025, 51(2): 170-178.
[4]	WU Ruolan, CHEN Yuling, DOU Hui, ZHANG Yangwen, LONG Zhong. Privacy Preserving Algorithm Using Federated Learning Against Attacks [J]. Computer Engineering, 2025, 51(2): 179-187.
[5]	WANG Yuanyuan, WANG Shiqian, WANG Han, GUO Zhengbin, HU Xiancheng. Cross-Border Intelligent Analysis of Energy Emission Based on Vertical Federated Learning [J]. Computer Engineering, 2025, 51(1): 164-173.
[6]	CHEN Xianyi, DING Sizhe, WANG Kang, YAN Leiming, FU Zhangjie. An Watermarking Framework of Active Protection Model for Secure Federated Learning [J]. Computer Engineering, 2025, 51(1): 138-147.
[7]	PAN Enyuan, ZHONG Yuan, LI Ping. Semi-Supervised Cervical Spine MRI Segmentation Model in Federated Heterogeneous Data [J]. Computer Engineering, 2024, 50(9): 367-376.
[8]	Hongjiao LI, Baojin WANG, Zhaohui WANG, Renhao HU. Dual-Client Selection Algorithm Based on Model Similarity and Local Loss [J]. Computer Engineering, 2024, 50(8): 153-164.
[9]	GU Yonggen, GAO Lingxuan, WU Xiaohong, TAO Jie. Research on Data Sharing of Federated Semi-Supervised Learning with Non-IID [J]. Computer Engineering, 2024, 50(6): 188-196.
[10]	WANG Yiliang, ZHOU Peng, YE Wei, QI Weiqiang. Non-Intrusive Load Monitoring and Its Privacy-Preserving Scheme Based on Pyramid Network [J]. Computer Engineering, 2024, 50(5): 182-189.
[11]	XIONG Shiqiang, HE Daojing, WANG Zhendong, DU Runmeng. Review of Federated Learning and Its Security and Privacy Protection [J]. Computer Engineering, 2024, 50(5): 1-15.
[12]	GU Yonggen, LI Guoxiao, WU Xiaohong, TAO Jie, ZHANG Yanqiong. Incentive Mechanism for Multi-Task Federated Learning Under Budget Constraints [J]. Computer Engineering, 2024, 50(5): 149-157.
[13]	Huawei SONG, Shengqi LI, Fangjie WAN, Yuping WEI. Federated Learning Optimization Method in Non-IID Scenarios [J]. Computer Engineering, 2024, 50(3): 166-172.
[14]	Shaojie LIU, Bin WEN, Zexu WANG. Multi-Technology Fused Data Trading Method Based on Federated Learning [J]. Computer Engineering, 2024, 50(3): 182-190.
[15]	Xiaojun ZHANG, Xingpeng LI, Wei TANG, Yunpu HAO, Jingting XUE. Cloud-Edge Fusion Verifiable Privacy-Preserving Cross-Domain Federated Learning Scheme [J]. Computer Engineering, 2024, 50(3): 148-155.

Please choose a citation manager

Content to export