Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Robust Federated Learning via Byzantine Filtering over Encrypted Updates

Adda Akram Bendoukha, Aymen Boudguiga, Nesrine Kaaniche, Renaud Sirdey, Didem Demirag, Sébastien Gambs

TL;DR

The paper addresses the dual challenge of privacy-preserving aggregation and Byzantine resilience in Federated Learning by introducing encrypted property filtering. It uses CKKS-based Fully Homomorphic Encryption to securely aggregate encrypted updates and trains SVM-based meta-classifiers on shadow update data (including backdoor, gradient-inversion, label-flipping, and shuffling attacks) to assign weights that down-weight Byzantine components during aggregation. A CKKS-friendly pipeline is developed, featuring SPCA-driven dimensionality reduction, grid-searched SVM kernels, and Newton-Raphson-based normalization, achieving $F1$ scores of $90\%-94\%$ for Byzantine detection with modest overhead (encrypted inference in seconds) and maintaining competitive model utility. The approach is validated on FEMNIST, CIFAR10, GTSRB, and ACSIncome with various networks, demonstrating robust convergence under multiple attack types and resilience even when differential privacy is applied. This work offers a practical pathway to jointly reconcile privacy and integrity in FL, with potential for broader HE scheme support and hardware acceleration.

Abstract

Federated Learning (FL) aims to train a collaborative model while preserving data privacy. However, the distributed nature of this approach still raises privacy and security issues, such as the exposure of sensitive data due to inference attacks and the influence of Byzantine behaviors on the trained model. In particular, achieving both secure aggregation and Byzantine resilience remains challenging, as existing solutions often address these aspects independently. In this work, we propose to address these challenges through a novel approach that combines homomorphic encryption for privacy-preserving aggregation with property-inference-inspired meta-classifiers for Byzantine filtering. First, following the property-inference attacks blueprint, we train a set of filtering meta-classifiers on labeled shadow updates, reproducing a diverse ensemble of Byzantine misbehaviors in FL, including backdoor, gradient-inversion, label-flipping and shuffling attacks. The outputs of these meta-classifiers are then used to cancel the Byzantine encrypted updates by reweighting. Second, we propose an automated method for selecting the optimal kernel and the dimensionality hyperparameters with respect to homomorphic inference, aggregation constraints and efficiency over the CKKS cryptosystem. Finally, we demonstrate through extensive experiments the effectiveness of our approach against Byzantine participants on the FEMNIST, CIFAR10, GTSRB, and acsincome benchmarks. More precisely, our SVM filtering achieves accuracies between $90$% and $94$% for identifying Byzantine updates at the cost of marginal losses in model utility and encrypted inference runtimes ranging from $6$ to $24$ seconds and from $9$ to $26$ seconds for an overall aggregation.

Robust Federated Learning via Byzantine Filtering over Encrypted Updates

TL;DR

The paper addresses the dual challenge of privacy-preserving aggregation and Byzantine resilience in Federated Learning by introducing encrypted property filtering. It uses CKKS-based Fully Homomorphic Encryption to securely aggregate encrypted updates and trains SVM-based meta-classifiers on shadow update data (including backdoor, gradient-inversion, label-flipping, and shuffling attacks) to assign weights that down-weight Byzantine components during aggregation. A CKKS-friendly pipeline is developed, featuring SPCA-driven dimensionality reduction, grid-searched SVM kernels, and Newton-Raphson-based normalization, achieving scores of for Byzantine detection with modest overhead (encrypted inference in seconds) and maintaining competitive model utility. The approach is validated on FEMNIST, CIFAR10, GTSRB, and ACSIncome with various networks, demonstrating robust convergence under multiple attack types and resilience even when differential privacy is applied. This work offers a practical pathway to jointly reconcile privacy and integrity in FL, with potential for broader HE scheme support and hardware acceleration.

Abstract

Federated Learning (FL) aims to train a collaborative model while preserving data privacy. However, the distributed nature of this approach still raises privacy and security issues, such as the exposure of sensitive data due to inference attacks and the influence of Byzantine behaviors on the trained model. In particular, achieving both secure aggregation and Byzantine resilience remains challenging, as existing solutions often address these aspects independently. In this work, we propose to address these challenges through a novel approach that combines homomorphic encryption for privacy-preserving aggregation with property-inference-inspired meta-classifiers for Byzantine filtering. First, following the property-inference attacks blueprint, we train a set of filtering meta-classifiers on labeled shadow updates, reproducing a diverse ensemble of Byzantine misbehaviors in FL, including backdoor, gradient-inversion, label-flipping and shuffling attacks. The outputs of these meta-classifiers are then used to cancel the Byzantine encrypted updates by reweighting. Second, we propose an automated method for selecting the optimal kernel and the dimensionality hyperparameters with respect to homomorphic inference, aggregation constraints and efficiency over the CKKS cryptosystem. Finally, we demonstrate through extensive experiments the effectiveness of our approach against Byzantine participants on the FEMNIST, CIFAR10, GTSRB, and acsincome benchmarks. More precisely, our SVM filtering achieves accuracies between % and % for identifying Byzantine updates at the cost of marginal losses in model utility and encrypted inference runtimes ranging from to seconds and from to seconds for an overall aggregation.
Paper Structure (51 sections, 7 theorems, 54 equations, 33 figures, 9 tables, 4 algorithms)

This paper contains 51 sections, 7 theorems, 54 equations, 33 figures, 9 tables, 4 algorithms.

Table of Contents

  1. Introduction
  2. Related work
  3. Outlier exclusion
  4. Limitations
  5. Privacy-preserving outliers exclusion
  6. Proof-based verification
  7. Limitations
  8. Privacy-preserving proof-based verification
  9. Property Inference attacks (PIA)
  10. PIA for ML auditing
  11. PIA in FL
  12. Overall positioning
  13. Background
  14. Federated learning with model averaging
  15. Fully Homomorphic Encryption (FHE)
  16. ...and 36 more sections

Key Result

Lemma 1

At round $t$, let $\theta^{t+1}_{\mathrm{ideal}}$ denote the ideal aggregated update, and $\theta^{t+1}_{\mathrm{real}}$ the actual update. The filtering noise $\delta_t := \mid \theta^{t+1}_{\mathrm{real}} - \theta^{t+1}_{\mathrm{ideal}} \mid$ satisfies: in which:

Figures (33)

  • Figure 1: Examples of $\mathsf{GTSRB}$ samples embedded with the trigger and labeled as "End of speed limit".
  • Figure 2: Illustration of the effect our filtering approach in a 2-dimensional parameter space with 6 workers and 3 Byzantines.
  • Figure 3: Feasibility regions for different Byzantine proportions according to $(\mu_b, \sigma_b)$ and fixed system parameters ($\epsilon, \epsilon_{base}, \eta, \mu, L, C_g, D_{byz}$). As $q$ grows, the space of filters that provide convergence guarantees to $\epsilon$ linearly shrinks towards the ($\mu_b = 0, \sigma_b=0$) filter.
  • Figure 4: (a) Unsupervised PCA (53 support vectors)
  • Figure 5: (b) Supervised PCA (38 support vectors)
  • ...and 28 more figures

Theorems & Definitions (12)

  • Definition 1: Ideal filtering
  • Definition 2: Real filtering
  • Lemma 1: Expected Filtering Error
  • Lemma 2: Variance of the filtering error
  • Theorem 3: Convergence under filtering and base errors
  • Corollary 4: Byzantine proportion and filter quality
  • Lemma 5: Expected Filtering Error
  • proof
  • Lemma 6: Variance of the Filtering Error
  • proof
  • ...and 2 more