Research on Privacy Protection Technology in Federated Learning

Abstract

Abstract: In federated learning, multiple models are trained through parameter coordination without sharing raw data. However, the extensive parameter exchange in this process renders the model vulnerable to threats not only from external users but also from internal participants. Therefore, research on privacy protection techniques in federated learning is crucial. This paper introduces the current research status on privacy protection in federated learning. It classifies the security threats of federated learning into external attacks and internal attacks.Based on this classification, it summarizes external attack techniques such as model inversion attacks, external reconstruction attacks, and external inference attacks, as well as internal attack techniques such as poisoning attacks, internal reconstruction attacks, and internal inference attacks. From the perspective of attack and defense correspondence, this paper summarizes data perturbation techniques such as central differential privacy, local differential privacy, and distributed differential privacy, as well as process encryption techniques such as homomorphic encryption, secret sharing, and trusted execution environment. Finally, the paper analyzes the difficulties of federated learning privacy protection technology and identifies the key directions for its improvement.

Key words: federated learning, privacy attack, differential privacy, homomorphic encryption, privacy protection

摘要： 联邦学习中多个模型在不共享原始数据的情况下通过参数协调进行训练.大量的参数交换使模型不仅容易受到外部使用者的威胁，还会遭到内部参与方的攻击，因此联邦学习中的隐私保护技术研究至关重要.介绍了联邦学习中的隐私保护研究现状；将联邦学习的安全威胁分为外部攻击和内部攻击，并以此分类为基础归纳总结了模型反演攻击、外部重建攻击、外部推断攻击等外部攻击技术和投毒攻击、内部重建攻击、内部推断攻击等内部攻击技术.从攻防对应的角度，归纳总结了中心化差分隐私、本地化差分隐私和分布式差分隐私等数据扰动技术和同态加密、秘密共享和可信执行环境等过程加密技术.最后，分析了联邦学习隐私保护技术的难点，指出了联邦学习隐私保护技术提升的关键方向.

关键词: 联邦学习, 隐私攻击, 差分隐私, 同态加密, 隐私保护

CLC Number:

TP309

刘晓迁, 许飞, 马卓, 袁明, 钱汉伟, . 联邦学习中的隐私保护技术研究[J]. 信息安全研究, 2024, 10(3): 194-.

References

［1］Li T, Sahu A K, Talwalkar A, et al. Federated learning: Challenges, methods, and future directions［J］. IEEE Signal Processing Magazine, 2020, 37(3): 5060［2］McMahan B, Moore E, Ramage D, et al. Communicationefficient learning of deep networks from decentralized data［C］ Artificial Intelligence and Statistics. New York: PMLR, 2017: 12731282［3］肖雄, 唐卓, 肖斌, 等. 联邦学习的隐私保护与安全防御研究综述［J］. 计算机学报, 2023, 46(5): 10191044［4］Dwork C. Differential privacy［C］ Proc of Int Colloquium on Automata, Languages, and Programming. Berlin: Springer, 2006: 112［5］Yao A C C. How to generate and exchange secrets［C］ Proc of the 27th Annual Symp on Foundations of Computer Science (SFCS 1986). Piscataway, NJ: IEEE, 1986: 162167［6］熊维, 王海洋, 唐祎飞, 等. 安全多方计算应用的隐私度量方法［J］. 信息安全研究, 2024, 10(1): 611［7］Liu B, Ding M, Shaham S, et al. When machine learning meets privacy: A survey and outlook［J］. ACM Computing Surveys, 2021, 54(2): 136［8］钱文君, 沈晴霓, 吴鹏飞, 等. 大数据计算环境下的隐私保护技术研究进展［J］. 计算机学报, 2022, 45(4): 669701［9］冯登国. 机密计算发展现状与趋势［J］. 信息安全研究, 2024, 10(1): 25［10］Mothukuri V, Parizi R M, Pouriyeh S, et al. A survey on security and privacy of federated learning［J］. Future Generation Computer Systems, 2021, 115: 619640［11］周俊, 方国英, 吴楠. 联邦学习安全与隐私保护研究综述［J］. 西华大学学报: 自然科学版, 2020, 39(4): 917［12］陈兵, 成翔, 张佳乐, 等. 联邦学习安全与隐私保护综述［J］. 南京航空航天大学学报, 2020, 52(5): 675684［13］顾育豪, 白跃彬. 联邦学习模型安全与隐私研究进展［J］. 软件学报, 2023, 34(6): 28332864［14］汤凌韬, 陈左宁, 张鲁飞, 等. 联邦学习中的隐私问题研究进展［J］. 软件学报, 2023, 34(1): 197229［15］Wang R, Lai J, Zhang Z, et al. Privacypreserving federated learning for Internet of medical things under edge computing［J］. IEEE Journal of Biomedical and Health Informatics, 2022, 27(2): 854865［16］Yang Q, Liu Y, Chen T, et al. Federated machine learning: Concept and applications［J］. ACM Trans on Intelligent Systems and Technology, 2019, 10(2): 119［17］刘艺璇, 陈红, 刘宇涵, 等. 联邦学习中的隐私保护技术［J］. 软件学报, 2022, 33(3): 10571092［18］Yang Z, Zhang J, Chang E C, et al. Neural network inversion in adversarial setting via background knowledge alignment［C］ Proc of the 2019 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2019: 225240［19］Fredrikson M, Jha S, Ristenpart T. Model inversion attacks that exploit confidence information and basic countermeasures［C］ Proc of the 22nd ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2015: 13221333［20］Fredrikson M, Lantz E, Jha S, et al. Privacy in pharmacogenetics: An endtoend case study of personalized warfarin dosing［C］ Proc of the 23rd USENIX Security Symp (USENIX Security 14). Berkeley, CA: USENIX Association, 2014: 1732［21］Shokri R, Stronati M, Song C, et al. Membership inference attacks against machine learning models［C］ Proc of 2017 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2017: 318［22］Yang M, Cheng H, Chen F, et al. Model poisoning attack in differential privacybased federated learning［J］. Information Sciences, 2023, 630: 158172［23］Biggio B, Nelson B, Laskov P. Poisoning attacks against support vector machines［J］. arXiv preprint, arXiv:1206.6389, 2012［24］Jiang W, Li H, Liu S, et al. A flexible poisoning attack against machine learning［C］ Proc of 2019 IEEE Int Conf on Communications (ICC 2019). Piscataway, NJ: IEEE, 2019: 16［25］Bagdasaryan E, Veit A, Hua Y, et al. How to backdoor federated learning［C］ Proc of Int Conf on Artificial Intelligence and Statistics. New York: PMLR, 2020: 29382948［26］Hitaj B, Ateniese G, PerezCruz F. Deep models under the GAN: Information leakage from collaborative deep learning［C］ Proc of the 2017 ACM SIGSAC Conf on Computer and Communications Security. Piscataway, NJ: IEEE, 2017: 603618［27］Wang Z, Song M, Zhang Z, et al. Beyond inferring class representatives: Userlevel privacy leakage from federated learning［C］ Proc of IEEE Conf on Computer Communications (IEEE INFOCOM 2019). Piscataway, NJ: IEEE, 2019: 25122520［28］Zhu L, Liu Z, Han S. Deep leakage from gradients［C］ Proc of Advances in Neural Information Processing Systems (NeurIPS 2019). Cambridge: MIT Press, 2019: 1477414784［29］Zhao B, Mopuri K R, Bilen H. iDLG: Improved deep leakage from gradients［J］. arXiv preprint, arXiv:2001.02610, 2020［30］Melis L, Song C, De Cristofaro E, et al. Exploiting unintended feature leakage in collaborative learning［C］ Proc of 2019 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2019: 691706［31］Zhang W R, Tople S, Ohrimenko O. Leakage of dataset properties in MultiParty machine learning［C］ Proc of the 30th USENIX Security Symp. Berkeley, CA: USENIX Association, 2021: 26872704［32］Nasr M, Shokri R, Houmansadr A. Comprehensive privacy analysis of deep learning: Passive and active whitebox inference attacks against centralized and federated learning［C］ Proc of 2019 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2019: 739753［33］Naseri M, Hayes J, De Cristofaro E. Local and central differential privacy for robustness and privacy in federated learning［J］. arXiv preprint, arXiv:2009.03561, 2020［34］叶青青, 孟小峰, 朱敏杰, 等. 本地化差分隐私研究综述［J］. 软件学报, 2018, 29(7): 19812005［35］Cormode G, Jha S, Kulkarni T, et al. Privacy at scale: Local differential privacy in practice［C］ Proc of the 2018 Int Conf on Management of Data. 2018: 16551658［36］王雷霞, 孟小峰. ESA: 一种新型的隐私保护框架［J］. 计算机研究与发展, 2022, 59(1): 144171［37］Truex S, Baracaldo N, Anwar A, et al. A hybrid approach to privacypreserving federated learning［C］ Proc of the 12th ACM Workshop on Artificial Intelligence and Security. New York: ACM, 2019: 111［38］余晟兴, 陈钟. 基于同态加密的高效安全联邦学习聚合框架［J］. 通信学报, 2023, 44(1): 1428［39］Shamir A. How to share a secret［J］. Communications of the ACM, 1979, 22(11): 612613［40］Carlini N, Liu C, Kos J, et al. The secret sharer: Measuring unintended neural network memorization & extracting secrets［J］. arXiv preprint, arXiv:1802.08232, 2018［41］Bonawitz K, Ivanov V, Kreuter B, et al. Practical secure aggregation for privacypreserving machine learning［C］ Proc of the 2017 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2017: 11751191［42］Subramanyan P, Sinha R, Lebedev I, et al. A formal foundation for secure remote execution of enclaves［C］ Proc of the 2017 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2017: 24352450［43］Zhang X, Kang Y, Chen K, et al. Trading off privacy, utility, and efficiency in federated learning［J］. ACM Trans on Intelligent Systems and Technology, 2023, 14(6): 132［44］Chen H, Zhu T, Zhang T, et al. Privacy and fairness in federated learning: On the perspective of tradeoff［J］. ACM Computing Surveys, 2023, 56(2): 137［45］WarnatHerresthal S, Schultze H, Shastry K L, et al. Swarm learning for decentralized and confidential clinical machine learning［J］. Nature, 2021, 594(7862): 265270

[1]	. Multi-party Shuffling Protocol Based on Elastic Secret Sharing [J]. Journal of Information Security Reserach, 2024, 10(4): 347-.
[2]	. Malicious Client Detection and Defense Method for Federated Learning [J]. Journal of Information Security Reserach, 2024, 10(2): 163-.
[3]	. Practical Dilemmas and Response Paths for Personal Information Protection Policy of APPs [J]. Journal of Information Security Reserach, 2024, 10(2): 177-.
[4]	. Security and Privacy Protection in 6G Network: A Survey [J]. Journal of Information Security Reserach, 2023, 9(9): 822-.
[5]	. Face Recognition Privacy Protection Method Based on Homomorphic Encryption#br# [J]. Journal of Information Security Reserach, 2023, 9(9): 843-.
[6]	. Research and Application of Blockchain Based Medical Data Security Sharing Model [J]. Journal of Information Security Reserach, 2023, 9(9): 884-.
[7]	. Key Technologies and Research Prospects of Privacy Computing [J]. Journal of Information Security Reserach, 2023, 9(8): 714-.
[8]	. Research on Malicious Location Attack Detection of VANET Based on Federated Learning [J]. Journal of Information Security Reserach, 2023, 9(8): 754-.
[9]	. Civil Aviation Passenger Privacy Data Protection Method Based on Multiparty Security Attack and Defense Game [J]. Journal of Information Security Reserach, 2023, 9(8): 799-.
[10]	. Research on the Integration of Full Lifecycle Data Security Management and Artificial Intelligence Technology#br# [J]. Journal of Information Security Reserach, 2023, 9(6): 543-.
[11]	. Towards a Privacy-preserving Research for AI and Blockchain Integration [J]. Journal of Information Security Reserach, 2023, 9(6): 557-.
[12]	. Research on Image Steganography and Extraction Scheme Based on Implicit Symmetric Generative Adversarial Network [J]. Journal of Information Security Reserach, 2023, 9(6): 566-.
[13]	. K-anonymity Mechanism Based on Iterative Binary Clustering [J]. Journal of Information Security Reserach, 2023, 9(5): 402-.
[14]	. Research on Security Risk Response for Internet of Body Applications [J]. Journal of Information Security Reserach, 2023, 9(5): 433-.
[15]	. A Novel Blockchain Privacy Preserving Scheme Based on Paillier and FO Commitment [J]. Journal of Information Security Reserach, 2023, 9(4): 306-.