A federated learning framework for two-way defense

doi:10.19678/j.issn.1000-3428.0253081

Abstract

Abstract: Federated learning improves the ability to protect data security by locally training models on distributed devices and sharing parameter updates, but still faces challenges such as privacy leakage and malicious client attacks. Traditional secure aggregation protocols suffer from client privacy leakage caused by server inference attacks. On the other hand, poisoning attacks by malicious clients can lead to performance degradation, reduced convergence, and even targeted misclassification of the global model. To address this issue, a bidirectional defense federated learning framework is proposed: clients upload the fully connected layers from their local models and the ciphertext of local model parameters obtained after adding noise. The fully connected layer parameters are used by the server to detect poisoning attacks, while the encrypted model parameters prevent server inference attacks. The noise added by clients automatically cancels out during the server's aggregation operation, ensuring the correctness of the aggregation result without affecting its accuracy. Under this unified framework, both client privacy protection and defense against malicious client poisoning attacks are achieved. Analysis shows that using an optimized elliptic curve key generation algorithm achieves privacy protection with reduced overhead. Meanwhile, experiments demonstrate that this method achieves high detection accuracy for four types of poisoning attacks on the MNIST and CIFAR-10 datasets, with a false positive rate below 6%. This provides an efficient and robust bidirectional privacy and security defense solution for federated learning.

摘要： :联邦学习通过在分布式设备上本地训练模型并共享参数更新，提高了保护数据安全的能力，但仍面临隐私泄露与恶意客户端攻击的挑战。传统安全聚合协议存在服务器的推理攻击导致的客户端隐私泄露，另一方面，恶意客户端的投毒攻击会导致影响全局模型的性能恶化、收敛性降低，甚至是针对性误分类。针对这个问题，提出一种双向防御联邦学习框架：客户端上传本地模型中的全连接层和通过添加噪声后得到的本地模型参数密文。全连接层参数用于服务器检测投毒攻击，加密后的模型参数用于防止服务器的推理攻击，客户端所添加的噪声在服务器聚合运算中自动抵消，不影响聚合结果的正确性。在统一的框架下，既保护了客户端隐私，也防范了恶意客户端的投毒攻击。分析表明，使用优化的椭圆曲线密钥生成算法，在减少了开销的前提下实现了隐私保护，与此同时，实验发现，该方法在MNIST和CIFAR-10数据集上对四类投毒攻击的检测准确率都达到了较高的水平，误报率低于6%。为联邦学习提供了高效、鲁棒的双向隐私与安全防御方案。

Xuanxuan-Ou , Wenhan-Hou, Xinhao-Hu, Jindong-zhao. A federated learning framework for two-way defense[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0253081.

欧璇璇, 侯文涵, 胡信豪, 赵金东. 一种双向防御的联邦学习框架[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0253081.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0253081

References

[1] Mammen, Priyanka Mary. "Federated learning: Opportunities and challenges."arxiv preprint arxiv:2101.05428(2021).
[2] Hasan, Md Mohaiminul. "Federated Learning Models for Privacy-Preserving AI In Enterprise Decision Systems."International Journal of Business and Economics Insights 5.3 (2025): 238-269.
[3] 邱晓慧, et al. "联邦学习中安全防御与隐私保护技术研究."Application Research of Computers/Jisuanji Yingyong Yanjiu39.11 (2022).
Qiu Xiaohui, et al. "Research on Security Defense and Privacy Protection Technologies in Federated Learning." Application Research of Computers / Jisuanji Yingyong Yanjiu 39.11 (2022).
[4] Zhang, Hao, et al. "Survey of federated learning in intrusion detection."Journal of Parallel and Distributed Computing195 (2025): 104976.
[5] Gong, Xueluan, et al. "Private data inference attacks against cloud: Model, technologies, and research directions." IEEE Communications Magazine60.9 (2022): 46-52.
[6] 孙爽, et al. "不同场景的联邦学习的安全与隐私保护研究综述."Application Research of Computers/Jisuanji Yingyong Yanjiu 38.12 (2021). Sun Shuang, et al. "A Review of Security and Privacy Protection in Federated Learning for Different Scenarios." Application Research of Computers/Jisuanji Yingyong Yanjiu 38.12 (2021)
[7] Basak, Santanu, and Kakali Chatterjee. "DPAD: Data Poisoning Attack Defense Mechanism for federated learning-based system."Computers and Electrical Engineering121 (2025): 109893.
[8] Paillier, Pascal. "Paillier encryption and signature schemes."Encyclopedia of Cryptography, Security and Privacy. Cham: Springer Nature Switzerland, 2025. 1757-1759.
[9] Wang, Zhaoqi, et al. "Resisting Poisoning Attacks in Federated Learning via Dual-Domain Distance and Trust Assessment."IEEE Transactions on Information Forensics and Security(2025).
[10] Tolpegin, Vale, et al. "Data poisoning attacks against federated learning systems."Computer security–ESORICs 2020: 25th European symposium on research in computer security, ESORICs 2020, guildford, UK, September 14–18, 2020, proceedings, part i 25. Springer International Publishing, 2020.
[11] Jagielski, Matthew, et al. "Manipulating machine learning: Poisoning attacks and countermeasures for regression learning."2018 IEEE symposium on security and privacy (SP). IEEE, 2018.
[12] Lianga, Junchuan, et al. "A survey on federated learning poisoning attacks and defenses."arxiv preprint arxiv:2306.03397(2023).
[13] Sun, Gan, et al. "Data poisoning attacks on federated machine learning."IEEE Internet of Things Journal9.13 (2021): 11365-11375.
[14] Fang, Minghong, et al. "Local model poisoning attacks to {Byzantine-Robust} federated learning."29th USENIX security symposium (USENIX Security 20). 2020.
[15] Zhou, et al. "Deep model poisoning attack on federated learning."Future Internet13.3 (2021): 73.
[16] 钱汉伟, 孙伟松. "深度神经网络中的后门攻击与防御技术综述."Journal of Frontiers of Computer Science & Technology17.5 (2023). Qian Hanwei, Sun Weisong. "A Review of Backdoor Attacks and Defense Techniques in Deep Neural Networks." Journal of Frontiers of Computer Science & Technology 17.5 (2023).
[17] Basak, Santanu, and Kakali Chatterjee. "DPAD: Data Poisoning Attack Defense Mechanism for federated learning-based system."Computers and Electrical Engineering121 (2025): 109893.
[18] Yazdinejad, Abbas, et al. "A robust privacy-preserving federated learning model against model poisoning attacks." IEEE Transactions on Information Forensics and Security(2024).
[19] Li, Hao, et al. "Review on security of federated learning and its application in healthcare."Future Generation Computer Systems144 (2023): 271-290.
[20] Xu, Runhua, et al. "Hybridalpha: An efficient approach for privacy-preserving federated learning."Proceedings of the 12th ACM workshop on artificial intelligence and security. 2019.
[21] Ma, Zhuoran, et al. "ShieldFL: Mitigating model poisoning attacks in privacy-preserving federated learning."IEEE Transactions on Information Forensics and Security17 (2022): 1639-1654.
[22] Truex, Stacey, et al. "A hybrid approach to privacy-preserving federated learning."Proceedings of the 12th ACM workshop on artificial intelligence and security. 2019.
[23] Yazdinejad, Abbas, Ali Dehghantanha, and Gautam Srivastava. "AP2FL: Auditable privacy-preserving federated learning framework for electronics in healthcare." IEEE Transactions on Consumer Electronics70.1 (2023): 2527-2535.
[24] Wang, Baocang, et al. "Ppefl: Privacy-preserving edge federated learning with local differential privacy." IEEE Internet of Things Journal 10.17 (2023): 15488-15500.
[25] Melis, Luca, et al. "Exploiting unintended feature leakage in collaborative learning." 2019 IEEE symposium on security and privacy (SP). IEEE, 2019.
[26] Zhang Z, Cao X, Jia J, et al. Fldetector: Defending federated learning against model poisoning attacks via detecting malicious clients[C]//Proceedings of the 28th ACM SIGKDD conference on knowledge discovery and data mining. 2022: 2545-2555.

Please choose a citation manager

Content to export