Abstract: Federated learning is an essential distributed model training technique. However, threats such as gradient inversion attacks and poisoning attacks pose significant risks to both the privacy of training data and the correctness of the model. We propose SMTFL, a novel approach for secure model training in federated learning. To safeguard gradient privacy against gradient inversion attacks, clients are dynamically grouped, allowing one client's gradient to be divided and used to obfuscate the gradients of the other clients within the group. This method incorporates checks and balances to reduce the risk of collusion aimed at inferring a specific client's data. To detect poisoning attacks from malicious clients, we assess the impact of aggregated gradients on the global model's performance, enabling effective identification and exclusion of malicious clients. Each client's gradients are encrypted and stored, with decryption collectively managed by all clients. Detected poisoning gradients are invalidated from the global model through an unlearning method. Compared to related work, SMTFL does not rely on trusted participants, avoids the performance degradation caused by traditional noise injection, and avoids complex homomorphic encryption during gradient aggregation. SMTFL is evaluated on five datasets, and the results demonstrate its effectiveness in defending against gradient inversion and poisoning attacks. The model accuracy is nearly restored to its pre-attack state when SMTFL is deployed. Furthermore, SMTFL achieves over 95% accuracy in identifying malicious clients while keeping the false positive rate for honest clients within 5%, which is 6% lower than the latest methods.
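The dynamic grouping and gradient-division step described above, as an added illustration that is not code from the SMTFL paper: the concrete splitting rule (random pieces whose sum is the donor's gradient, the donor uploading nothing, group membership drawn from a shared seed), the client names and the gradient values are all assumptions made here. The property it demonstrates is that the server receives only masked vectors while the per-group sum it aggregates is unchanged.

```python
import random
from typing import Dict, List

Vector = List[float]


def group_clients(client_ids: List[str], group_size: int, rng: random.Random) -> List[List[str]]:
    """Randomly partition clients into groups; a trailing group smaller than 2
    is merged into the previous one, since masking needs at least one peer."""
    ids = list(client_ids)
    rng.shuffle(ids)
    groups = [ids[i:i + group_size] for i in range(0, len(ids), group_size)]
    if len(groups) > 1 and len(groups[-1]) < 2:
        groups[-2].extend(groups.pop())
    return groups


def split_gradient(g: Vector, parts: int, rng: random.Random) -> List[Vector]:
    """Divide g into `parts` pieces whose element-wise sum equals g (assumed rule).
    All but the last piece are uniform random, so no single piece reveals g."""
    pieces = [[rng.uniform(-1.0, 1.0) for _ in g] for _ in range(parts - 1)]
    pieces.append([gi - sum(p[j] for p in pieces) for j, gi in enumerate(g)])
    return pieces


def obfuscate_group(grads: Dict[str, Vector], rng: random.Random) -> Dict[str, Vector]:
    """One member (the 'donor') has its gradient divided and folded into the
    other members' uploads; the donor itself uploads nothing. The server sees
    only masked vectors, yet their sum still equals the group's true sum."""
    members = sorted(grads)
    donor = rng.choice(members)
    peers = [m for m in members if m != donor]
    pieces = split_gradient(grads[donor], len(peers), rng)
    return {m: [a + b for a, b in zip(grads[m], p)] for m, p in zip(peers, pieces)}


def aggregate(vectors: Dict[str, Vector]) -> Vector:
    """Plain element-wise sum, i.e. what the server computes over the uploads."""
    dim = len(next(iter(vectors.values())))
    return [sum(v[j] for v in vectors.values()) for j in range(dim)]


def run_round(grads: Dict[str, Vector], group_size: int, seed: int) -> Dict[str, Vector]:
    """Group the clients and obfuscate each group; returns what the server receives."""
    rng = random.Random(seed)  # shared seed stands in for the paper's group agreement
    uploads: Dict[str, Vector] = {}
    for group in group_clients(list(grads), group_size, rng):
        uploads.update(obfuscate_group({m: grads[m] for m in group}, rng))
    return uploads
```

Constructed gradients for seven clients with a group size of three give two groups (3 and 4 members after merging the leftover), so the server receives five masked uploads whose sum matches the true sum of all seven gradients.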
External IDs: doi:10.1109/tmc.2026.3664822