WW-FL: Secure and Private Large-Scale Federated Learning

Felix Marx, Thomas Schneider, Ajith Suresh, Tobias Wehrle, Christian Weinert, Hossein Yalame

TL;DR

WW-FL addresses security and privacy gaps in large-scale federated learning by combining secure multi-party computation with hierarchical FL to protect both client data and the global model. The framework employs a privacy-preserving trimming-based aggregation, including a Bitonic-sort-based CrypTen implementation for a robust trimmed mean variant, and supports a worst-case poison rate of $0.2$ via selective outlier handling. Through extensive experiments (CIFAR-10 with ResNet9, multiple data-poisoning attacks, and MPC-based robustness benchmarks), WW-FL demonstrates improved resilience, faster convergence, and a reduced attack surface relative to standard FL, albeit at higher MPC overhead for certain robust-aggregation schemes. The work provides a PyTorch-based implementation and a practical assessment of trade-offs between security, privacy, and performance, signaling a potential paradigm shift toward secure, private, large-scale FL deployments. Key future directions include more efficient instantiations, stronger security guarantees, and broader evaluations across datasets and configurations.

Abstract

Federated learning (FL) is an efficient approach for large-scale distributed machine learning that promises data privacy by keeping training data on client devices. However, recent research has uncovered vulnerabilities in FL, impacting both security and privacy through poisoning attacks and the potential disclosure of sensitive information in individual model updates as well as the aggregated global model. This paper explores the inadequacies of existing FL protection measures when applied independently, and the challenges of creating effective compositions. Addressing these issues, we propose WW-FL, an innovative framework that combines secure multi-party computation (MPC) with hierarchical FL to guarantee data and global model privacy. One notable feature of WW-FL is its capability to prevent malicious clients from directly poisoning model parameters, confining them to less destructive data poisoning attacks. We furthermore provide a PyTorch-based FL implementation integrated with Meta's CrypTen MPC framework to systematically measure the performance and robustness of WW-FL. Our extensive evaluation demonstrates that WW-FL is a promising solution for secure and private large-scale federated learning.

Paper Structure (14 sections, 11 figures, 2 tables)

Figures (11)

  • Figure 6: Validation accuracy for FL and WW-FL when training ResNet9 on CIFAR10 with FedAvg, FLTrust, and trimmed mean as aggregation schemes under DLF attack for three different poison rates (top: equally distributed, bottom: focused setting).
  • Figure 7: Accuracy of trimmed mean (TM) and our variant (with sample sizes 10, 100, and 1000) against focused DLF attacks on WW-FL at 0.2 poison rate for ResNet9/CIFAR10.
  • Figure 8: Validation accuracy for ResNet9/CIFAR10 training with FedAvg, FLTrust, and trimmed mean for 2000 iterations under RLF, SLF, DLF, and TLF attacks in the equally-distributed setting.
  • Figure 9: Validation accuracy for ResNet9/CIFAR10 training with FedAvg, FLTrust, and trimmed mean for 2000 iterations under RLF, SLF, DLF, and TLF attacks in the focused setting.
  • Figure 10: Validation accuracy for ResNet9/CIFAR10 training with FedAvg, FLTrust, and trimmed mean for 2000 iterations under RLF, SLF, DLF, and TLF attacks in the cluster-focused setting.
  • ...and 6 more figures