Dual Defense: Enhancing Privacy and Mitigating Poisoning Attacks in Federated Learning

TL;DR

This paper introduces DDFed, a federated learning framework that simultaneously enhances privacy through homomorphic encryption and defends against poisoning attacks with a novel encrypted anomaly detection mechanism, achieving strong security and robustness.

Contribution

DDFed uniquely combines fully homomorphic encryption with a two-phase anomaly detection for encrypted updates, avoiding complex participant roles and topology disruption.

Findings

DDFed effectively defends against various poisoning attacks.

It maintains privacy while detecting malicious updates.

Experimental results show high robustness and privacy protection.

Abstract

Federated learning (FL) is inherently susceptible to privacy breaches and poisoning attacks. To tackle these challenges, researchers have separately devised secure aggregation mechanisms to protect data privacy and robust aggregation methods that withstand poisoning attacks. However, simultaneously addressing both concerns is challenging; secure aggregation facilitates poisoning attacks as most anomaly detection techniques require access to unencrypted local model updates, which are obscured by secure aggregation. Few recent efforts to simultaneously tackle both challenges offen depend on impractical assumption of non-colluding two-server setups that disrupt FL's topology, or three-party computation which introduces scalability issues, complicating deployment and application. To overcome this dilemma, this paper introduce a Dual Defense Federated learning (DDFed) framework. DDFed simultaneously boosts privacy protection and mitigates poisoning attacks, without introducing new participant roles or disrupting the existing FL topology. DDFed initially leverages cutting-edge fully homomorphic encryption (FHE) to securely aggregate model updates, without the impractical requirement for non-colluding two-server setups and ensures strong privacy protection. Additionally, we proposes a unique two-phase anomaly detection mechanism for encrypted model updates, featuring secure similarity computation and feedback-driven collaborative selection, with additional measures to prevent potential privacy breaches from Byzantine clients incorporated into the detection process. We conducted extensive experiments on various model poisoning attacks and FL scenarios, including both cross-device and cross-silo FL. Experiments on publicly available datasets demonstrate that DDFed successfully protects model privacy and effectively defends against model poisoning threats.