FedDBG: Privacy-Preserving Dynamic Benchmark Gradient in Federated Learning Against Poisoning Attacks

Abstract

The federated learning's (FL) ability to protect local data privacy while cooperatively training powerful global models has received extensive attention. Although some researchers have carried out researches on gradient privacy disclosure under poisoning attacks, the existing works still ignore the unreliability of initial data, which makes it difficult to obtain the benign initial reference gradient, resulting in a significant decline in the accuracy of the final global model. To solve this problem, we propose a privacy-preserving gradient framework in FL based on homomorphic encryption. The framework can ensure that malicious initial users and subsequent users cannot interfere with the accuracy of the global model by uploading the poisoning gradients. In this process, key parameters such as gradients of local users won't be leaked. We then design a dynamic reference gradient aggregation algorithm to mitigate the poisoning attack in FL, dynamically dividing the sub-gradients of each round of local uploads by clustering the gradients of different local uploads. Furthermore, the malicious and benign gradients are further separated and the optimal global model is obtained by iterative updating. We proved the security of the scheme theoretically, and verified the effectiveness of the scheme through experiments. The accuracy of the proposed scheme is at least 80% higher than that of the scheme without anti-poisoning measures.