
Unraveling the Connections between Privacy and Certified Robustness in Federated Learning Against Poisoning Attacks (2209.04030v3)

Published 8 Sep 2022 in cs.CR and cs.AI

Abstract: Federated learning (FL) provides an efficient paradigm to jointly train a global model leveraging data from distributed users. As local training data comes from different users who may not be trustworthy, several studies have shown that FL is vulnerable to poisoning attacks. Meanwhile, to protect the privacy of local users, FL is usually trained in a differentially private way (DPFL). Thus, in this paper, we ask: What are the underlying connections between differential privacy and certified robustness in FL against poisoning attacks? Can we leverage the innate privacy property of DPFL to provide certified robustness for FL? Can we further improve the privacy of FL to improve such robustness certification? We first investigate both user-level and instance-level privacy of FL and provide formal privacy analysis to achieve improved instance-level privacy. We then provide two robustness certification criteria: certified prediction and certified attack inefficacy for DPFL on both user and instance levels. Theoretically, we provide the certified robustness of DPFL based on both criteria given a bounded number of adversarial users or instances. Empirically, we conduct extensive experiments to verify our theories under a range of poisoning attacks on different datasets. We find that increasing the level of privacy protection in DPFL results in stronger certified attack inefficacy; however, it does not necessarily lead to a stronger certified prediction. Thus, achieving the optimal certified prediction requires a proper balance between privacy and utility loss.

Authors (7)
  1. Chulin Xie (27 papers)
  2. Yunhui Long (12 papers)
  3. Pin-Yu Chen (311 papers)
  4. Qinbin Li (25 papers)
  5. Arash Nourian (6 papers)
  6. Sanmi Koyejo (111 papers)
  7. Bo Li (1107 papers)
Citations (10)