SMTFL: Secure Model Training to Untrusted Participants in Federated Learning

TL;DR

SMTFL tackles the dual challenges of gradient privacy and poisoning in federated learning with untrusted participants. It uses dynamic 3-client groupings and gradient sharing with per-client obfuscation, enabling privacy-preserving aggregation without noise or heavy cryptography. Malicious clients are identified via group-level impact on the global model, and identified gradients are securely stored and forgotten using threshold encryption and federated unlearning. The approach achieves over 95% accuracy in localizing malicious clients, maintains low false positives, and reduces reliance on trusted servers, demonstrating practical robustness across multiple datasets and models.

Abstract

Federated learning is an essential distributed model training technique. However, threats such as gradient inversion attacks and poisoning attacks pose significant risks to the privacy of training data and the model correctness. We propose a novel approach called SMTFL to achieve secure model training in federated learning without relying on trusted participants. To safeguard gradients privacy against gradient inversion attacks, clients are dynamically grouped, allowing one client's gradient to be divided to obfuscate the gradients of other clients within the group. This method incorporates checks and balances to reduce the collusion for inferring specific client data. To detect poisoning attacks from malicious clients, we assess the impact of aggregated gradients on the global model's performance, enabling effective identification and exclusion of malicious clients. Each client's gradients are encrypted and stored, with decryption collectively managed by all clients. The detected poisoning gradients are invalidated from the global model through a unlearning method. We present a practical secure aggregation scheme, which does not require trusted participants, avoids the performance degradation associated with traditional noise-injection, and aviods complex cryptographic operations during gradient aggregation. Evaluation results are encouraging based on four datasets and two models: SMTFL is effective against poisoning attacks and gradient inversion attacks, achieving an accuracy rate of over 95% in locating malicious clients, while keeping the false positive rate for honest clients within 5%. The model accuracy is also nearly restored to its pre-attack state when SMTFL is deployed.

Figures (8)

• Figure 1: The focused FL security issues in this paper
• Figure 2: The framework of SMTFL
• Figure 3: The illustration of gradient aggregation in one group
• Figure 4: The generation and distribution of secret shares
• Figure 5: Effectiveness of SMTFL in defense against gradient inversion attacks on four datasets. (A) the original images; (B) the original attacked images; (C) the reconstructed images obtained through gradient inversion attacks during the 5-th and 10-th epochs of training, which means that very few epochs are needed to successfully reconstruct the images; (D) the reconstructed images obtained through gradient inversion attacks when SMTFL is deployed, where the images are reconstructed through $\{g_{A}^1$, $g_{A}^2+\varepsilon_A$, $g_{A^2,B}$, $g_{A, B, C}$}.

Theorems & Definitions (3)

• Lemma 1
• Lemma 2
• Lemma 3