[BA] Privacy-Preserving Federated Learning With Backdoor Resilience
- Meeting: Privacy-Preserving Federated Learning With Backdoor Resilience
- Venue: 252 / BBB
- Date: 2025-12-02
- Speaker: Y. Y.
- Time: 15:45
Federated learning (FL) trains a global model across many clients with diverse datasets while preserving the privacy of their data. However, FL is by design vulnerable to privacy inference attacks and poisoning attacks, which allow compromised participants to infer private information about clients or to negatively influence the global model, respectively. FLAME [26], a state-of-the-art framework, is designed to statistically remove the influence of poisoning attacks while remaining applicable to many attacker models and preserving the model's benign performance. To this end, the FLAME protocol introduces a defense framework that estimates the minimum sufficient amount of noise to inject into the global model after aggregation, so that backdoors are eliminated without degrading benign performance. To further reduce the amount of noise needed and strengthen these goals, FLAME combines the noising step with adaptive clustering and weight clipping.
However, FL systems that implement FLAME still face significant privacy risks from inference attacks, in which a malicious aggregator exploits its access to the model updates to extract sensitive information about client data. It is therefore imperative to also achieve malicious security. In this thesis, we propose an implementation of FLAME in combination with secure Multi-Party Computation (MPC), which provides the primitives to protect FL against inference attacks. We propose two implementations of this combination: private FLAME, a full-MPC implementation that runs the entire FLAME protocol in MPC; and leaky FLAME, which selectively reveals intermediate statistics to gain efficiency while still constraining the attack surface. The implementation takes advantage of FLAME's backdoor resilience and MPC's secret-shared processing, and also achieves malicious security. To realize this combination, we use MP-SPDZ [20], a framework with 30 variants of MPC protocols and a Python-based programming interface, which simplifies the comparison of different protocols and security models. Building on these designs, our evaluation quantifies the computational and communication overheads of both modes for varying client counts and model sizes. We find that the dominant cost arises from the pairwise cosine similarity in the clustering step, whereas clipping and noising are comparatively lightweight. Although leaky FLAME's savings are noticeable, and more so in the larger configurations, they are dwarfed by the cosine-similarity computation, so in our opinion they do not justify the security-efficiency trade-off. Despite this, our implementation achieves practical runtimes at moderate scales, while enforcing FLAME's defenses in a malicious-security setting. Taken together, our results demonstrate that integrating MPC with FLAME is feasible to an extent and effective for privacy-preserving, backdoor-resilient FL.
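The three FLAME aggregation steps named above (filtering on pairwise cosine similarity of the updates, clipping to the median norm, and noise scaled to the clipping bound), as an added clear-text Python example that is not the thesis's or FLAME's own code and omits the MPC layer entirely. The median-distance majority filter is a simplified stand-in for FLAME's density-based clustering (an assumption), and `outlier_factor`, `lam` and the five constructed client updates are illustrative values of my own.

```python
import math
import random
import statistics

def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))

def cosine_distance(a, b):
    """1 - cos(a, b); a zero vector is treated as maximally distant."""
    na, nb = l2_norm(a), l2_norm(b)
    if na == 0.0 or nb == 0.0:
        return 1.0
    return 1.0 - sum(x * y for x, y in zip(a, b)) / (na * nb)

def flame_aggregate(global_w, client_ws, lam=0.001, outlier_factor=2.0, seed=0):
    """Clear-text FLAME-style round. Returns (new weights, admitted ids, bound)."""
    n = len(client_ws)
    updates = [[c - g for c, g in zip(w, global_w)] for w in client_ws]
    # Step 1: filter on pairwise cosine distances of the updates. Stand-in
    # (assumption) for FLAME's density clustering: a client is dropped when its
    # median distance to the others exceeds outlier_factor x the typical value.
    dist = [[cosine_distance(u, v) for v in updates] for u in updates]
    med = [statistics.median([dist[i][j] for j in range(n) if j != i]) for i in range(n)]
    cutoff = outlier_factor * statistics.median(med)
    admitted = [i for i in range(n) if med[i] <= cutoff]
    # Step 2: adaptive clipping to the median L2 norm of the admitted updates,
    # so no single update can dominate the average.
    norms = {i: l2_norm(updates[i]) for i in admitted}
    bound = statistics.median(norms.values())
    clipped = [[x * min(1.0, bound / norms[i]) for x in updates[i]]
               for i in admitted if norms[i] > 0.0]
    if not clipped:
        return list(global_w), admitted, bound
    # Step 3: average the clipped updates and add Gaussian noise whose scale
    # is tied to the clipping bound (sigma = lam * bound), as FLAME does.
    rng = random.Random(seed)
    sigma = lam * bound
    new_w = [g + sum(c[d] for c in clipped) / len(clipped) + rng.gauss(0.0, sigma)
             for d, g in enumerate(global_w)]
    return new_w, admitted, bound

# Constructed sample round: four benign clients moving the model in roughly the
# same direction and one client (id 4) submitting a backdoor-like update.
GLOBAL_W = [0.0, 0.0, 0.0, 0.0]
CLIENT_WS = [[1.0, 0.1, 0.0, 0.0], [0.9, 0.2, 0.1, 0.0], [1.1, 0.0, 0.1, 0.1],
             [1.0, 0.1, 0.1, 0.0], [-2.0, 0.0, 5.0, 5.0]]

if __name__ == "__main__":
    w, admitted, bound = flame_aggregate(GLOBAL_W, CLIENT_WS)
    print("admitted:", admitted, "bound: %.3f" % bound, [round(x, 3) for x in w])
```

In the sample round the outlier client is excluded before clipping, so the large values it placed in the last two coordinates never reach the average; the pairwise distance matrix is the O(n^2) part that the thesis identifies as the dominant cost once it runs under MPC.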