Local and Central Differential Privacy for Robustness and Privacy in Federated Learning
Mohammad Naseri, Jamie Hayes, and Emiliano De Cristofaro

TL;DR
This paper evaluates how Local and Central Differential Privacy techniques can protect privacy and robustness in Federated Learning, demonstrating their effectiveness against certain attacks but limitations against property inference.
Contribution
It provides the first comprehensive empirical assessment of LDP and CDP in FL, highlighting their strengths and limitations for privacy and robustness.
Findings
DP defends against backdoor attacks better than other defenses
DP mitigates white-box membership inference attacks in FL
Neither LDP nor CDP defends against property inference
Abstract
Federated Learning (FL) allows multiple participants to train machine learning models collaboratively by keeping their datasets local while only exchanging model updates. Alas, this is not necessarily free from privacy and robustness vulnerabilities, e.g., via membership, property, and backdoor attacks. This paper investigates whether and to what extent one can use Differential Privacy (DP) to protect both privacy and robustness in FL. To this end, we present a first-of-its-kind evaluation of Local and Central Differential Privacy (LDP/CDP) techniques in FL, assessing their feasibility and effectiveness. Our experiments show that both DP variants do defend against backdoor attacks, albeit with varying levels of protection-utility trade-offs, but anyway more effectively than other robustness defenses. DP also mitigates white-box membership inference attacks in FL, and our work is the…
Taxonomy
Topics: Privacy-Preserving Technologies in Data
