Dual Defense: Enhancing Privacy and Mitigating Poisoning Attacks in Federated Learning
Runhua Xu, Shiqi Gao, Chao Li, James Joshi, Jianxin Li
TL;DR
This paper tackles the dual challenge of privacy leakage and poisoning attacks in Federated Learning by introducing Dual Defense Federated Learning (DDFed). It combines fully homomorphic encryption (FHE) for secure aggregation with a privacy-preserving, similarity-based anomaly-detection pipeline that operates on encrypted updates, avoiding changes to FL topology. Key contributions include a two-phase anomaly detection with perturbation and a clipping mechanism, a CKKS-based secure aggregation scheme, and differential-privacy-based perturbations to protect similarity scores, all implemented without introducing new participants or severing the single-server multi-client structure. Extensive experiments on MNIST and Fashion-MNIST across cross-device and cross-silo settings demonstrate that DDFed effectively protects model privacy while defending against model-poisoning attacks (IPM, ALIE, SCALING), with a modest per-round time overhead (~20%). Overall, the work provides a practical blueprint for privacy-preserving and robust Federated Learning with real-world applicability and scalability considerations, and highlights directions for relaxing attacker-ratio assumptions and extending to dynamic participation scenarios. $r_{attack} < 0.5$, $(\varepsilon, \delta)$-DP, and CKKS-based operations underpin the privacy guarantees while enabling robust aggregation.$
Abstract
Federated learning (FL) is inherently susceptible to privacy breaches and poisoning attacks. To tackle these challenges, researchers have separately devised secure aggregation mechanisms to protect data privacy and robust aggregation methods that withstand poisoning attacks. However, simultaneously addressing both concerns is challenging; secure aggregation facilitates poisoning attacks as most anomaly detection techniques require access to unencrypted local model updates, which are obscured by secure aggregation. Few recent efforts to simultaneously tackle both challenges offen depend on impractical assumption of non-colluding two-server setups that disrupt FL's topology, or three-party computation which introduces scalability issues, complicating deployment and application. To overcome this dilemma, this paper introduce a Dual Defense Federated learning (DDFed) framework. DDFed simultaneously boosts privacy protection and mitigates poisoning attacks, without introducing new participant roles or disrupting the existing FL topology. DDFed initially leverages cutting-edge fully homomorphic encryption (FHE) to securely aggregate model updates, without the impractical requirement for non-colluding two-server setups and ensures strong privacy protection. Additionally, we proposes a unique two-phase anomaly detection mechanism for encrypted model updates, featuring secure similarity computation and feedback-driven collaborative selection, with additional measures to prevent potential privacy breaches from Byzantine clients incorporated into the detection process. We conducted extensive experiments on various model poisoning attacks and FL scenarios, including both cross-device and cross-silo FL. Experiments on publicly available datasets demonstrate that DDFed successfully protects model privacy and effectively defends against model poisoning threats.