In this book, the authors highlight the latest research findings on the security and privacy of federated learning systems. The main attacks and counterattacks in this booming field are presented to readers in connection with inference, poisoning, generative adversarial networks, differential privacy, secure multi-party computation, homomorphic encryption, and shuffle, respectively. The book offers an essential overview for researchers who are new to the field, while also equipping them to explore this “uncharted territory.” For each topic, the authors first present the key concepts, followed by the most important issues and solutions, with appropriate references for further reading. The book is self-contained, and all chapters can be read independently. It offers a valuable resource for master’s students, upper undergraduates, Ph.D. students, and practicing engineers alike. Preface 6 Acknowledgments 8 Contents 9 1 Introduction to Federated Learning 13 1.1 Federated Learning Paradigm 13 1.1.1 Deep Learning 13 1.1.2 Federated Learning 16 1.1.3 Categories of Federated Learning 18 1.1.4 Challenges in Federated Learning 18 1.2 Security and Privacy in Federated Learning 19 1.2.1 Source of Vulnerabilities 19 1.2.2 Attacks in Federated Learning 20 1.2.3 Defense Techniques in Federated Learning 21 1.3 Structure of the Book 22 2 Inference Attacks and Counterattacks in Federated Learning 24 2.1 What Is Inference Attack? 24 2.2 Inference Attack Categories 26 2.3 Threat from Inference Attacks 28 2.4 Inference Attacks in Federated Learning 29 2.4.1 Model Inversion Attacks 29 2.4.2 Property Inference Attacks 36 2.4.3 Membership Inference Attacks 40 2.4.4 Model Inference Attacks 44 2.5 Counter-Inference Attacks 44 2.6 Summary of the Chapter 47 3 Poisoning Attacks and Counterattacks in Federated Learning 48 3.1 What Is Poisoning Attack? 48 3.2 Poisoning Attack Basics 49 3.3 Classification of Poisoning Attacks 51 3.3.1 Untargeted Poisoning Attacks 52 3.3.2 Targeted Poisoning Attacks 53 3.3.3 Backdoor Poisoning Attacks 53 3.4 Techniques for Poisoning Attacks 54 3.4.1 Label Manipulation 55 3.4.2 Data Manipulation 56 3.4.3 Other Technologies 58 3.5 Poisoning Attacks in Federated Learning 58 3.5.1 The Basics of Poisoning Attacks in Federated Learning 58 3.5.2 Efficiency and Stealth of Poisoning Attacks in Federated Learning 60 3.6 Counter Poisoning Attacks in Federated Learning 61 3.6.1 Counterattacks from Data Perspective 62 3.6.2 Counterattacks from Behavior Perspective 63 3.6.3 Other Countermeasures 64 3.7 Summary of the Chapter 64 4 GAN Attacks and Counterattacks in Federated Learning 66 4.1 What Are Generative Adversarial Networks (GANs) 66 4.2 The Original GAN 68 4.2.1 Architecture and Working Flow 68 4.2.2 Games and Objective Functions 69 4.3 Variants of GAN 69 4.3.1 Conditional GAN 70 4.3.2 InfoGAN 71 4.3.3 Deep Convolutional GAN 72 4.3.4 WGAN 73 4.4 GAN-Based Attacks in Federated Learning 74 4.4.1 GAN-Based Security Threats 74 4.4.2 GAN-Based Poisoning Attacks 75 4.4.2.1 GAN-Based Poisoning Attacks in Federated Learning 76 4.4.3 GAN-Based Privacy Threats 77 4.4.3.1 GAN-Based Inference Attacks 78 4.4.3.2 GAN-Based Inference Attacks in Federated Learning 78 4.4.4 GAN-Based Attacks from Insiders 81 4.4.5 GAN-Based Attacks from Clients 82 4.4.6 GAN-Based Attacks from Central Server 82 4.4.7 GAN-Based Attacks from Outsiders 83 4.5 Counter GAN-Based Attacks 83 4.5.1 Passive Defense Against GAN-Based Attacks 84 4.5.2 Active Defense Against GAN-Based Attacks 85 4.6 Summary of the Chapter 86 5 Differential Privacy in Federated Learning 87 5.1 What Is Differential Privacy? 87 5.2 Differential Privacy Definition and Terms 88 5.2.1 Mathematical Model of Differential Privacy 89 5.2.2 Differential Privacy Using Laplace Noise 90 5.2.3 Differential Privacy Using Gaussian Noise 91 5.3 Differential Privacy in Federated Learning 91 5.4 Main Differential Privacy Methods in Federated Learning 92 5.4.1 Centralized Differential Privacy 92 5.4.2 Local Differential Privacy 93 5.4.3 Distributed Differential Privacy 95 5.5 Application of Differential Privacy in Federated Learning 95 5.5.1 The Applications of Variant Differential Privacy 96 5.5.2 The Combination of Differential Privacy and Other Methods 96 5.6 Future Discussion 97 5.6.1 Reduce the Cost of Privacy Protection 97 5.6.2 Customized Privacy Restrictions 97 5.7 Summary of the Chapter 98 6 Secure Multi-party Computation in Federated Learning 99 6.1 What Is Secure Multi-party Computation 99 6.2 Building Blocks for Secure Multi-party Computing 101 6.2.1 Oblivious Transfer 101 6.2.2 Garbled Circuit 101 6.2.3 Secret Sharing 102 6.2.4 Homomorphic Encryption 104 6.2.5 Trusted Execution Environment 105 6.3 Secure Multi-party Computation in Federated Learning 105 6.3.1 Masking for Data Aggregation 105 6.3.2 Secret Sharing in Federated Learning 106 6.4 Summary of the Chapter 107 7 Secure Data Aggregation in Federated Learning 109 7.1 What Is Homomorphic Encryption 109 7.2 Popular Homomorphic Encryption Schemes in Federated Learning 111 7.2.1 The Paillier Scheme 111 7.2.2 The ElGamal Scheme 112 7.2.3 The Goldwasser–Micali Scheme 113 7.3 Homomorphic Encryption for Data Aggregation in Federated Learning 113 7.3.1 Multiple Server Data Aggregation 113 7.3.2 Zero Knowledge Proof of Data Aggregation 115 7.4 Verification of Data Aggregation 116 7.5 Summary of the Chapter 117 8 Anonymous Communication and Shuffle Model in Federated Learning 118 8.1 What Is Anonymous Communication? 118 8.2 Onion Routing and Tor 119 8.3 The Shuffle Model 120 8.4 Privacy Amplification in Federated Learning 122 8.5 Anonymous Communication and Shuffle Model in Federated Learning 123 8.6 Summary of the Chapter 123 9 The Future Work 124 9.1 The Related Landscape in the Near Future 124 9.2 The Challenges on Security in the Near Future 125 9.2.1 Existing Attacks 126 9.2.2 Digital Forensics 126 9.2.3 New Attacks 126 9.3 The Challenges on Privacy in the Near Future 127 9.3.1 Privacy Measurement 127 9.3.2 Big Data Modelling 128 9.3.3 Privacy Tools 129 9.3.4 Personalized Privacy 129 9.3.5 AI Ethics 130 9.4 Summary of the Chapter 130 References 132