Defending Against Poisoning Attacks in Federated Learning with Blockchain

Nanqing Dong, Zhipeng Wang, Jiahao Sun, Michael Kampffmeyer, William Knottenbelt, Eric Xing

TL;DR

This work addresses poisoning defense in federated learning by integrating blockchain with a stake-based majority voting mechanism and on-chain reward-slash incentives. The method replaces the centralized aggregator with a smart-contract-enabled parameter server and uses local validation plus majority voting to approve global updates, while slashing dishonest behavior. A theoretical result shows malicious voting incurs negative expected returns, encouraging honest participation, and extensive experiments on loan-default and chest-X-ray tasks demonstrate robustness against poisoning with competitive convergence and manageable costs. The framework is blockchain-agnostic and scalable to real-world finance and healthcare scenarios, offering a practical path toward trustworthy federated learning.

Abstract

In the era of deep learning, federated learning (FL) presents a promising approach that allows multi-institutional data owners, or clients, to collaboratively train machine learning models without compromising data privacy. However, most existing FL approaches rely on a centralized server for global model aggregation, leading to a single point of failure. This makes the system vulnerable to malicious attacks when dealing with dishonest clients. In this work, we address this problem by proposing a secure and reliable FL system based on blockchain and distributed ledger technology. Our system incorporates a peer-to-peer voting mechanism and a reward-and-slash mechanism, which are powered by on-chain smart contracts, to detect and deter malicious behaviors. Both theoretical and empirical analyses are presented to demonstrate the effectiveness of the proposed approach, showing that our framework is robust against malicious client-side behaviors.

Paper Structure (40 sections, 1 theorem, 4 equations, 14 figures, 4 tables, 2 algorithms)

Key Result

Theorem 1

When all clients are rational, a malicious client should not make a malicious vote.

Figures (14)

  • Figure 1: A stake-based aggregation mechanism for FL with blockchain. In each round, the proposers are randomly selected from the participating clients to perform local training and upload local updates to the blockchain. Then, voters download the aggregated local updates from the blockchain, perform local validation, and vote for acceptance or rejection. If the majority of voters vote for accepting the global aggregation, the global model will be updated, and the proposers and the voters who vote for acceptance will be rewarded. Conversely, if the majority of voters vote for rejection, the global model will not be updated, and the proposers and the voters who vote for acceptance will be slashed.
  • Figure 2: Blockchain workflow overview. The sender broadcasts the issued transaction to the P2P network, which will be confirmed by the miners. The confirmed transaction will be stored on a public blockchain and can be read by the recipient. Blockchain miners typically adopt a consensus mechanism to achieve an agreement on the state of the blockchain.
  • Figure 3: A round-based training process. In the initial state (indexed as ①), both honest (black) and malicious (red) clients exist in an FL system. In the final state (indexed as ⑥), all malicious clients are expected to be removed from the system. To reach the final state from the initial state, multiple rounds of training are required. There are two possible scenarios: the proposed aggregation is either approved (the upper branch) or denied (the lower branch) by the voters. In each round (within the dotted blue line), a subset of clients is randomly selected as proposers, and another subset of clients is randomly selected as voters. The proposers and voters interact with the blockchain following the order of the orange arrows (from ② to ⑤).
  • Figure 4: Token distribution results for malicious voters when all proposers are honest. The malicious voters' tokens decrease quickly as the number of epochs increases and a large $\gamma_p$ leads to a high decreasing rate. This empirically validates our proof of Theorem 1. The solid line denotes the mean over 5 runs with different random seeds and the shaded region denotes 1 standard deviation around the mean.
  • Figure 5: Federated training under different values of the ratio of malicious clients ($\eta$). Each subfigure shows the training AUROCs as the training time (the number of epochs) increases. The solid lines are the mean AUROCs and the shaded regions are 1 standard deviation around the means. We compare the performances of FedAVG with blockchain (i.e., w/ Block), FedAVG with malicious clients (i.e., w/ mal), and FedAVG without malicious clients (i.e., w/o mal). We observe that FedAVG w/ Block significantly outperforms FedAVG w/ mal, while being comparable with FedAVG w/o mal, the performance upper bound under this setup.
  • ...and 9 more figures
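
The round settlement rules stated in the Figure 1 caption, written out as an added example; this is not the authors' code or their smart contract. The token amounts, the head-count majority with ties rejected, the choice to leave reject-voters untouched, the "vote the opposite" behaviour of malicious voters, and all client names are assumptions made for illustration.

```python
REWARD = 5    # tokens per approved round (constructed value)
SLASH = 10    # tokens per rejected round (constructed value)


def settle_round(stakes, proposers, votes, reward=REWARD, slash=SLASH):
    """Apply the Figure 1 rules to one round.

    stakes: {client: tokens}; votes: {voter: True for accept, False for reject}.
    Returns (accepted, new_stakes).
    """
    accepters = {v for v, accept in votes.items() if accept}
    # Assumption: one vote per voter, strict majority needed, a tie rejects.
    accepted = 2 * len(accepters) > len(votes)
    delta = reward if accepted else -slash
    new_stakes = dict(stakes)
    # Proposers and accept-voters share the outcome; reject-voters are untouched
    # because the caption states no rule for them (assumption).
    for client in set(proposers) | accepters:
        new_stakes[client] = max(0, new_stakes[client] + delta)
    return accepted, new_stakes


def simulate(stakes, rounds, malicious):
    """Honest voters accept only clean updates; malicious voters vote the opposite."""
    decisions = []
    for proposers, voters, poisoned in rounds:
        votes = {v: (poisoned if v in malicious else not poisoned) for v in voters}
        accepted, stakes = settle_round(stakes, proposers, votes)
        decisions.append(accepted)
    return decisions, stakes


# Constructed scenario: four honest clients (h*), two malicious (m*), 50 tokens each.
CLIENTS = ["h1", "h2", "h3", "h4", "m1", "m2"]
ROUNDS = [  # (proposers, voters, is the aggregated update poisoned?)
    (["h1"], ["h2", "h3", "m1"], False),
    (["m2"], ["h1", "h4", "m1"], True),
    (["h4"], ["h1", "h3", "m1"], False),
    (["m2"], ["h2", "h3", "h4"], True),
]

if __name__ == "__main__":
    decisions, final = simulate({c: 50 for c in CLIENTS}, ROUNDS, {"m1", "m2"})
    print(decisions)
    print(final)
```

With an honest majority among the voters, the poisoned aggregations are rejected and the malicious clients' balances only ever fall, while honest proposers and voters accumulate rewards.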

Theorems & Definitions (2)

  • Theorem 1: Honest Voting Hypothesis
  • proof