Unraveling the Connections between Privacy and Certified Robustness in Federated Learning Against Poisoning Attacks
Chulin Xie, Yunhui Long, Pin-Yu Chen, Qinbin Li, Arash Nourian, Sanmi Koyejo, Bo Li

TL;DR
This paper explores the intrinsic links between differential privacy and certified robustness in federated learning, proposing methods to leverage privacy for robustness against poisoning attacks and analyzing the trade-offs involved.
Contribution
It provides a formal analysis of privacy and robustness in federated learning, introduces certification criteria, and empirically verifies how privacy levels influence robustness against attacks.
Findings
Increasing privacy enhances attack inefficacy but not prediction robustness.
Formal privacy analysis for user-level and instance-level privacy in FL.
Theoretical bounds on certified robustness based on privacy levels.
Abstract
Federated learning (FL) provides an efficient paradigm to jointly train a global model leveraging data from distributed users. As local training data comes from different users who may not be trustworthy, several studies have shown that FL is vulnerable to poisoning attacks. Meanwhile, to protect the privacy of local users, FL is usually trained in a differentially private way (DPFL). Thus, in this paper, we ask: What are the underlying connections between differential privacy and certified robustness in FL against poisoning attacks? Can we leverage the innate privacy property of DPFL to provide certified robustness for FL? Can we further improve the privacy of FL to improve such robustness certification? We first investigate both user-level and instance-level privacy of FL and provide formal privacy analysis to achieve improved instance-level privacy. We then provide two robustness…
Taxonomy
Topics: Privacy-Preserving Technologies in Data
