Privacy-Preserving Federated Learning With Backdoor Resilience

Federated learning (FL) has the ability to train a global model across many different clients
with diverse datasets while also preserving privacy. However, federated learning is by design
vulnerable to privacy inference attacks and poisoning attacks, allowing compromised clients
to infer private information about the clients or negatively influence the global model,
respectively. FLAME [26], a state-of-the-art framework, is designed to statistically remove
the influence of poisoning attacks, while being applicable to many attacker models and
keeping the model’s benign performance. To ensure these objectives, the FLAME protocol
introduces a defense framework that estimates the minimum sufficient amount of noise
to be injected into the global model after aggregation, so that backdoors are eliminated
but the benign performance does not deteriorate. To further reduce the amount of noise
and enhance the desired goals, FLAME utilizes adaptive clustering and weight clipping.
However, federated learning systems that implement FLAME still face significant privacy
risks from inference attacks, where malicious aggregators can exploit access to model
... mehr
updates to extract sensitive information about client data. Therefore, it is imperative to also
achieve malicious security.
In this thesis, we propose an implementation of FLAME in combination with secure Multi-
Party Computation (MPC), which provides the primitives to protect federated learning
against inference attacks. We propose two implementations of this combination: private
FLAME- a full-MPC implementation, running the entire FLAME protocol in MPC; and
leaky FLAME, which selectively reveals intermediate statistics to gain efficiency while still
constraining attack surface. The implementation takes advantage of FLAME’s backdoor
resilience and MPC’s secret shared processing, also achieving malicious security. To achieve
this combination, we use MP-SPDZ [20], a framework with 30 variants of MPC protocols
and a Python-based programming interface, which simplifies the comparison of different
protocols and security models.
Building on these designs, our evaluation quantifies the computational and communication
overheads of both modes with varying client counts and model sizes. We find that the
dominant cost arises from the pairwise cosine-similarity in the clustering step, whereas
clipping and noising are comparatively lightweight. Although leaky FLAME’s savings are
noticeable even more so in the bigger cases, they are dominated by the cosine similarity
computation, thus in our opinion not worth the security-efficiency trade-off. Despite this,
our implementation achieves practical runtimes for moderate scales, keeping in mind that
it provides enforcement of FLAME’s defenses under malicious-security settings. Taken
together, our results demonstrate that integrating MPC with FLAME is feasible to an extent
and effective for privacy-preserving, backdoor-resilient FL.