You are looking at a specific version 20210112:073929 of this paper.

Paper 2021/025

FLGUARD: Secure and Private Federated Learning

Thien Duc Nguyen and Phillip Rieger and Hossein Yalame and Helen Möllering and Hossein Fereidooni and Samuel Marchal and Markus Miettinen and Azalia Mirhoseini and Ahmad-Reza Sadeghi and Thomas Schneider and Shaza Zeitouni

Abstract

Federated learning (FL) has recently been shown to be subject to both security and privacy attacks, which poses a dilemma for the underlying algorithmic design: on the one hand, FL is vulnerable to backdoor attacks that stealthily manipulate the global model's output through malicious model updates; on the other hand, FL is vulnerable to inference attacks in which a malicious aggregator infers information about clients' data from their model updates. Existing defenses against these attacks are insufficient, and mitigating both at the same time is highly challenging: defeating backdoor attacks requires analyzing the model updates, whereas protecting against inference attacks prohibits access to those updates in order to avoid information leakage. In this work, we introduce FLGUARD, a novel defense-in-depth for FL that tackles this challenge. To mitigate backdoor attacks, it applies a multilayered defense: a Model Filtering layer detects and rejects malicious model updates, and a Poison Elimination layer removes the effect of any remaining, undetected weak manipulation. To impede inference attacks, we build private FLGUARD, which evaluates the FLGUARD algorithm under encryption using secure computation techniques. We extensively evaluate FLGUARD against state-of-the-art backdoor attacks on several datasets and applications, including image classification, word prediction, and IoT intrusion detection. We show that FLGUARD can entirely remove backdoors with a negligible effect on accuracy, and that private FLGUARD is practical.
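The two-layer idea in the abstract, as an added illustration that is not FLGUARD's own code: a simplified robust aggregator in pure Python. The Model Filtering stand-in rejects updates whose cosine distance to the coordinate-wise median update exceeds a threshold (an assumed criterion; the paper's actual filtering method is not described in this abstract), and the Poison Elimination stand-in clips every accepted update to the median L2 norm before averaging and optionally adds Gaussian noise (also an assumption). The client updates are constructed: seven benign, one weak manipulation that mimics the benign direction but with an inflated norm, and two strong backdoor updates pointing elsewhere. Nothing here runs under encryption; private FLGUARD's secure computation is not modelled.

```python
import math
import random

# Constructed sample round: ten client updates on a 4-parameter "model".
# Indices 0-6 are benign, 7 is a weak manipulation (benign direction, 5x norm),
# 8-9 are strong backdoor updates that point in a different direction.
CLIENT_UPDATES = [
    [1.0, 1.0, 1.0, 1.0],
    [1.1, 0.9, 1.0, 1.0],
    [0.9, 1.1, 1.0, 1.0],
    [1.0, 1.0, 1.1, 0.9],
    [1.0, 1.0, 0.9, 1.1],
    [1.05, 0.95, 1.05, 0.95],
    [0.95, 1.05, 0.95, 1.05],
    [6.0, 6.0, 4.0, 4.5],          # weak: passes direction check, large norm
    [10.0, -10.0, -10.0, 10.0],    # strong backdoor
    [10.0, -10.0, -10.0, 10.0],    # strong backdoor (colluding copy)
]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def norm(a):
    return math.sqrt(dot(a, a))


def cosine_distance(a, b):
    return 1.0 - dot(a, b) / (norm(a) * norm(b))


def _median(values):
    col = sorted(values)
    n = len(col)
    return col[n // 2] if n % 2 else (col[n // 2 - 1] + col[n // 2]) / 2.0


def coordinate_median(updates):
    """Coordinate-wise median update, used as a robust reference direction."""
    return [_median(u[j] for u in updates) for j in range(len(updates[0]))]


def model_filtering(updates, max_cos_dist=0.5):
    """Layer 1 stand-in (assumption): keep updates whose direction is close to
    the median update; return the indices of accepted updates."""
    ref = coordinate_median(updates)
    return [i for i, u in enumerate(updates)
            if cosine_distance(u, ref) <= max_cos_dist]


def poison_elimination(updates, sigma=0.0, rng=None):
    """Layer 2 stand-in (assumption): clip each update to the median L2 norm so
    a single oversized update cannot dominate, average, optionally add noise."""
    bound = _median(norm(u) for u in updates)
    clipped = []
    for u in updates:
        n = norm(u)
        scale = min(1.0, bound / n) if n > 0 else 1.0
        clipped.append([x * scale for x in u])
    dim = len(updates[0])
    agg = [sum(c[j] for c in clipped) / len(clipped) for j in range(dim)]
    if sigma > 0:
        rng = rng or random.Random(0)
        agg = [x + rng.gauss(0.0, sigma) for x in agg]
    return agg


def flguard_style_aggregate(updates, max_cos_dist=0.5, sigma=0.0, rng=None):
    """Run both layers; return (aggregated update, accepted client indices)."""
    accepted = model_filtering(updates, max_cos_dist)
    agg = poison_elimination([updates[i] for i in accepted], sigma, rng)
    return agg, accepted


def plain_mean(updates):
    """Undefended FedAvg-style mean, for comparison."""
    dim = len(updates[0])
    return [sum(u[j] for u in updates) / len(updates) for j in range(dim)]


if __name__ == "__main__":
    agg, accepted = flguard_style_aggregate(CLIENT_UPDATES)
    print("accepted clients:", accepted)
    print("defended aggregate:", [round(x, 3) for x in agg])
    print("undefended mean:   ", [round(x, 3) for x in plain_mean(CLIENT_UPDATES)])
```

With these inputs the two strong backdoor updates are rejected by the direction check, the weak manipulation slips through the filter but is scaled down to the median norm by the clipping step, and the defended aggregate stays within a few percent of the benign consensus, whereas the undefended mean has its second coordinate flipped negative.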

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint. MINOR revision.
Keywords
secure computation, secret sharing, federated learning, data privacy, backdoor
Contact author(s)
ducthien nguyen @ trust tu-darmstadt de
History
2022-02-01: last of 3 revisions
2021-01-12: received
Short URL
https://ia.cr/2021/025
License
Creative Commons Attribution
CC BY