Federated Learning in Adversarial Settings
Raouf Kerkouche, Gergely Ács, Claude Castelluccia

TL;DR
This paper introduces a federated learning scheme that balances robustness, privacy, and efficiency, demonstrating resilience against attacks and a trade-off between privacy and robustness.
Contribution
It proposes a novel biased quantization method for bandwidth-efficient, robust federated learning with a differentially private extension showing comparable performance.
Findings
Robust against backdoor and model degradation attacks.
Bandwidth-efficient due to biased quantization.
Differential privacy extension maintains performance with privacy guarantees.
Abstract
Federated Learning enables entities to collaboratively learn a shared prediction model while keeping their training data locally. It prevents data collection and aggregation and, therefore, mitigates the associated privacy risks. However, it still remains vulnerable to various security attacks where malicious participants aim at degrading the generated model, inserting backdoors, or inferring other participants' training data. This paper presents a new federated learning scheme that provides different trade-offs between robustness, privacy, bandwidth efficiency, and model accuracy. Our scheme uses biased quantization of model updates and hence is bandwidth efficient. It is also robust against state-of-the-art backdoor as well as model degradation attacks even when a large proportion of the participant nodes are malicious. We propose a practical differentially private extension of this…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
