SAFHE: Defending Against Backdoor and Gradient Inversion Attacks in Federated Learning

23 Sept 2023 (modified: 25 Mar 2024), ICLR 2024 Conference, Withdrawn Submission
Keywords: federated learning, fully homomorphic encryption, backdoor attacks, gradient inversion attacks
TL;DR: We present a novel scheme to defend against both backdoor attacks and gradient inversion attacks in federated learning.
Abstract: Federated learning (FL) is an increasingly popular approach in machine learning that enables a set of clients to jointly train a global model without ever sharing their private data, using a central server to aggregate clients' local weight updates. However, previous work has shown that the distributed nature of federated learning makes it susceptible to two major attacks: backdoor attacks, where malicious clients submit large weights that incorrectly change model behavior, and gradient inversion attacks, where a malicious eavesdropper is able to reconstruct the clients' training data by viewing the weight updates sent by clients to the central server. Although various solutions have been proposed in the literature that defend against these two attacks separately, present approaches remain largely incompatible, creating a trade-off between defending against the two types of attacks. This poses a major challenge in deploying FL in privacy-sensitive ML applications. We present SAFHE (Secure Aggregation with Fully Homomorphic Encryption), a novel scheme to defend against both backdoor attacks and gradient inversion attacks. Our secure aggregation method combines the use of fully homomorphic encryption (FHE) and the gradient norm clipping defense to defend against large malicious client updates, by pre-weighting client updates using a function that can be evaluated in the encrypted domain. This allows the server to reject large-magnitude updates without seeing their cleartext values. We demonstrate that Chebyshev approximations of a product of sigmoids work for this purpose, and perform simulations suggesting that such a scheme can defend against backdoor attacks without significantly impacting model accuracy. Additionally, we show that these approximations can be accurately and efficiently computed in the encrypted domain.
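The abstract's core mechanism is a gate that can be evaluated with only additions and multiplications, so a server holding encrypted updates can down-weight large ones without decrypting them. The following Python is an added illustration, not code from the paper or its authors: it builds a product-of-sigmoids gate, fits a Chebyshev interpolant to it, and applies the gate to each client's squared L2 norm before summing the updates. Everything specific here is an assumption made for the example: that the gate is applied to the squared norm (itself a sum of products, hence FHE-friendly), the threshold, steepness, domain bound and polynomial degree, the interpolation-at-Chebyshev-nodes plus Clenshaw evaluation, and the fact that the "encrypted domain" is only simulated in cleartext floats.

```python
"""Pre-weighting client updates with a Chebyshev-approximated product of
sigmoids using only additions and multiplications, the operations an FHE
scheme exposes. Cleartext simulation: no ciphertexts are involved.
Added example; constants and design choices are assumptions, not the paper's."""
import math

# --- constructed parameters (assumptions, not taken from the paper) ---
NORM_THRESHOLD = 1.0   # gate transitions where the squared L2 norm equals 1.0
STEEPNESS = 4.0        # larger -> sharper cut-off, but harder to approximate
DOMAIN_BOUND = 4.0     # squared norms must lie in [0, DOMAIN_BOUND]
DEGREE = 63            # polynomial degree: accuracy vs. multiplicative depth


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def exact_gate(s):
    """Product of two sigmoids: ~1 for s < threshold, ~0 for s > threshold.
    This is the function the server would like to apply but cannot
    evaluate homomorphically (exp is not a polynomial)."""
    return (sigmoid(STEEPNESS * (s + NORM_THRESHOLD))
            * sigmoid(STEEPNESS * (NORM_THRESHOLD - s)))


def chebyshev_coefficients(f, degree, bound):
    """Interpolate f on [-bound, bound] at degree+1 Chebyshev nodes and return
    the coefficients c_j of sum_j c_j T_j(t), t = s / bound."""
    n = degree + 1
    nodes = [math.cos(math.pi * (k + 0.5) / n) for k in range(n)]
    samples = [f(bound * x) for x in nodes]
    coeffs = []
    for j in range(n):
        cj = 2.0 / n * sum(samples[k] * math.cos(math.pi * j * (k + 0.5) / n)
                           for k in range(n))
        coeffs.append(cj)
    coeffs[0] /= 2.0  # the DCT formula double-counts the constant term
    return coeffs


def poly_gate(s, coeffs, bound):
    """Clenshaw evaluation of the Chebyshev series. Every step is an addition
    or a multiplication (division by `bound` is a public plaintext constant),
    which is exactly what an FHE scheme can do on ciphertexts."""
    if not 0.0 <= s <= bound:
        # Cleartext-only sanity check: outside the interpolation interval the
        # polynomial is meaningless. Homomorphically the server cannot see s,
        # so the bound must come from client-side scaling (assumption).
        raise ValueError("squared norm outside the approximation domain")
    t = s / bound
    b1 = b2 = 0.0
    for c in reversed(coeffs[1:]):
        b1, b2 = 2.0 * t * b1 - b2 + c, b1
    return t * b1 - b2 + coeffs[0]


GATE_COEFFS = chebyshev_coefficients(exact_gate, DEGREE, DOMAIN_BOUND)


def max_gate_error(points=400):
    """Largest |polynomial - exact| on a grid over [0, DOMAIN_BOUND]."""
    return max(abs(poly_gate(s, GATE_COEFFS, DOMAIN_BOUND) - exact_gate(s))
               for s in (DOMAIN_BOUND * i / points for i in range(points + 1)))


def secure_aggregate(updates):
    """Server-side aggregation as it would run over ciphertexts: squared norm,
    polynomial gate, scale, sum. Returns the aggregate and the gate weights."""
    total = [0.0] * len(updates[0])
    weights = []
    for u in updates:
        squared_norm = sum(x * x for x in u)            # add/mul only
        w = poly_gate(squared_norm, GATE_COEFFS, DOMAIN_BOUND)
        weights.append(w)
        for i, x in enumerate(u):
            total[i] += w * x                             # add/mul only
    return total, weights


if __name__ == "__main__":
    # Constructed sample: one benign update (squared norm 0.25) and one
    # oversized update (squared norm 2.96) that a backdoor attacker might submit.
    benign, oversized = [0.3, 0.4], [1.0, 1.4]
    print("max approximation error on domain:", round(max_gate_error(), 4))
    agg, ws = secure_aggregate([benign, oversized])
    print("gate weights:", [round(w, 4) for w in ws])
    print("gated aggregate:", [round(a, 4) for a in agg])
    print("plain sum:     ", [b + o for b, o in zip(benign, oversized)])
```

Two properties matter for this to work as a defence rather than a curiosity: the interpolant is only trustworthy inside the fitted interval, so the scheme depends on clients being unable to push a squared norm past the bound, and the polynomial degree is paid for in multiplicative depth of the homomorphic circuit, so a sharper gate (larger steepness) means a deeper, slower evaluation.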
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 8210