
[FL Attack and Defense Survey] Privacy and Robustness in Federated Learning: Attacks and Defenses

Date: 2021-09-27 11:05:10


Original title: Privacy and Robustness in Federated Learning: Attacks and Defenses

This paper gives a comprehensive survey of attacks and defenses in federated learning, covering both privacy and robustness.

In addition, the paper provides the following material, which is handy to reference when writing a paper:

HFL and VFL (horizontal and vertical federated learning)

Homogeneous architectures: the two mainstream FL algorithms, FedSGD and FedAvg

Heterogeneous architectures: the mainstream methods

The two threats FL faces: privacy and robustness

The common privacy-protection strategies: homomorphic encryption (HE), secure multiparty computation (SMC), and differential privacy (DP)

The phase in which an attack takes place: training phase vs. inference phase

CDP, LDP and DDP in differential privacy

Poisoning attacks: untargeted attacks and targeted attacks

The two problems federated learning faces:

(1) privacy attacks and defenses: privacy leakage

(2) poisoning attacks (including backdoor attacks) and defenses: collectively called robustness attacks

Contents

THREAT MODELS
PRIVACY ATTACKS
POISONING ATTACKS
Targeted Attacks
DISCUSSIONS AND PROMISING DIRECTIONS

THREAT MODELS

Threat models can be categorized as follows:

(1) By attacker: insider vs. outsider; most research focuses on insiders.

Insider: the server and the participants in the FL system.

Outsider: eavesdroppers on the communication channel between participants and the FL server, and users of the final FL model when it is deployed as a service.

(2) By phase: training phase vs. inference phase.

Training-phase threats are the familiar attacks carried out during training: eavesdropping on the updates and tampering with them.

Inference-phase threats occur after the model has been trained; they do not change the model, but cause it to make wrong predictions (similar to evasion attacks and adversarial attacks).

(3) By the nature of the attack (privacy): semi-honest vs. malicious.

Semi-honest: adversaries are considered passive or honest-but-curious. They try to learn the private states of other participants without deviating from the FL protocol. The adversaries can only observe the received information, i.e., the parameters of the global model.

Malicious: an active or malicious adversary tries to learn the private states of honest participants, and deviates arbitrarily from the FL protocol by modifying, replaying, or removing messages. This setting allows the adversary to conduct particularly devastating attacks.

(4) By the nature of the attack (robustness): untargeted vs. targeted.

Untargeted: the untargeted poisoning attack aims to arbitrarily compromise the integrity of the target model. The Byzantine attack is one type of untargeted poisoning attack, in which a participant uploads arbitrarily malicious gradients to the server so as to cause the failure of the global model.

Targeted: this is essentially the backdoor attack. The targeted poisoning attack induces the model to output the target label specified by the adversary for particular testing examples, while the testing error for other testing examples is unaffected.

PRIVACY ATTACKS

Roughly, these are: inferring class representatives, membership, properties, and training inputs and labels.

The three main corresponding defenses are homomorphic encryption (HE), secure multiparty computation (SMC), and differential privacy (DP).

POISONING ATTACKS

These can be divided into data poisoning vs. model poisoning attacks:

(1) data poisoning attacks, carried out during local data collection; and (2) model poisoning attacks, carried out during the local model training process.

Their goal is the same, however: to alter some of the prediction behaviour of the target model.

An important conclusion:

Baruch et al. state that the condition for the gradient descent algorithm to converge is:

As long as this condition is satisfied, the poisoning attack (which prevents the model from converging) can be carried out.
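The Byzantine untargeted attack and the FedSGD aggregation discussed above, as an added example that is not part of the survey or this post: a tiny FedSGD simulation in which one of five clients uploads an arbitrary large gradient every round. The honest data, the learning rate and the attacker's payload are constructed; the coordinate-wise median is a standard Byzantine-robust aggregation rule, shown here beside the plain mean.

```python
# Added example (not the survey's or the post's code): FedSGD with one Byzantine
# client, comparing mean vs. coordinate-wise median aggregation. All values constructed.
from statistics import median

# Constructed honest data: four clients, each holding two points of y = 2*x.
# The model is a single weight w with no bias, so the true parameter is 2.
HONEST_CLIENTS = [
    [(1.0, 2.0), (2.0, 4.0)],
    [(2.0, 4.0), (3.0, 6.0)],
    [(1.0, 2.0), (3.0, 6.0)],
    [(2.0, 4.0), (4.0, 8.0)],
]
TRUE_W = 2.0

def local_gradient(w, data):
    """Honest client: mean-squared-error gradient of w on its own data (1-vector)."""
    g = sum(2.0 * (w * x - y) * x for x, y in data) / len(data)
    return [g]

def byzantine_update(dim, magnitude=1000.0):
    """Byzantine client: ignores its data and uploads an arbitrary huge vector."""
    return [magnitude] * dim

def mean_aggregate(updates):
    """FedSGD default: coordinate-wise mean; one outlier shifts every round."""
    return [sum(col) / len(col) for col in zip(*updates)]

def median_aggregate(updates):
    """Byzantine-robust rule: coordinate-wise median; a minority of outliers
    cannot move it past the honest values."""
    return [median(col) for col in zip(*updates)]

def run_fedsgd(aggregate, rounds=200, lr=0.02, with_attacker=True):
    """Synchronous FedSGD: clients send gradients, server aggregates and steps."""
    w = 0.0
    for _ in range(rounds):
        updates = [local_gradient(w, data) for data in HONEST_CLIENTS]
        if with_attacker:
            updates.append(byzantine_update(dim=1))
        w -= lr * aggregate(updates)[0]
    return w

if __name__ == "__main__":
    print("mean, no attacker :", run_fedsgd(mean_aggregate, with_attacker=False))
    print("mean, attacker    :", run_fedsgd(mean_aggregate))
    print("median, attacker  :", run_fedsgd(median_aggregate))
```

With the mean, the single attacker pins the global weight at a fixed point far from 2 (about -18.8 with these constants); with the median, the honest updates still drive w to 2.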

Targeted Attacks

These include the label-flipping attack and the backdoor poisoning attack (which can be further divided into dirty-label attacks and clean-label attacks, depending on whether the poisoned data and their labels would be classified correctly).

DISCUSSIONS AND PROMISING DIRECTIONS

Difficulty 1:

Large models, with high dimensional parameter vectors, are particularly susceptible to privacy and security attacks.

Difficulty 2:

Many attacks have limitations, for example requiring a particular distribution of the clients' training data, requiring the attacker to hold auxiliary data with a similar distribution, or only working when the batch size is very small; none of these is realistic.

Difficulty 3:

Current research focuses mainly on HFL; work on VFL is still relatively lacking.

Difficulty 4:

How to prevent free-riding by clients that want the model without contributing to training.

Three cases can be distinguished:

(1) the participant does not have any data to train the local model;

(2) the participant is too concerned about its privacy and thus chooses to release fake updates;

(3) the participant does not want to consume, or does not have, any local computation power to train the local model.

How to prevent free-riding remains an open challenge.

Difficulty 5:

Whether for privacy or for protection, heterogeneous FL frameworks leave more room to explore.

Difficulty 6:

Communication cost: how many rounds of local training before each aggregation?

One-shot FL has recently emerged as a promising approach for communication efficiency. It allows the central server to learn a model in a single communication round.

However, one-shot FL also has some limitations (these are alternatives, not all required at once): 1. a public dataset is required (reminiscent of PATE); 2. participants' models must be homogeneous; 3. additional data/model information needs to be uploaded; 4. unsatisfactory performance.

A recent work proposed a more practical data-free approach named FedSyn for a one-shot FL framework with heterogeneity [191]. This heterogeneous one-shot work is worth a look.

Difficulty 7: Achieving Multiple Objectives Simultaneously

There seems to be a large gap here. Concretely, one wants to achieve: (1) fast algorithmic convergence; (2) good generalization performance; (3) communication efficiency; (4) fault tolerance; (5) privacy preservation; and (6) robustness to targeted and untargeted poisoning attacks, and to free-riders.

It remains largely unexplored and there exist large gaps as for how to simultaneously achieve all the above six objectives.
