1 of 96

Project ALVI: Privacy-Driven Defenses: Federated Learning Security & Authentication

R24-053


Team members

  • Peiris B.L.H.D
  • J.P.A.S. Pathmendre
  • Athauda A.M.I.R.B
  • A.R.W.M.V. Hasaranga

Supervisor: Mr. Kanishka Yapa

Co-supervisor: Mr. Samadhi Rathnayake

External supervisor: Dr. Kasun Karunarathne
  • Seasoned expert with 20+ years in Network, Security, and PMO
  • Specializes in Technology Strategy and Cybersecurity
  • PhD from the University of Colombo
  • MSc from the University of Moratuwa
  • ISO 27701:2019 PIMS Lead Implementer


01 Introduction


  • What is federated learning?
  • What security measures are implemented in federated learning?
  • Is security sufficient in federated learning?


02 Background


Our objectives

Main objective
  • Implementing detective and preventive security measures within a system that operates on federated learning

Sub objectives
  • CodeNexa: A Novel Security Framework for Federated Learning to Mitigate Man-in-the-Middle Attacks
  • HydraGuard: Backdoor immunity in FL environments
  • SECUNID: Enhancing security of the global model
  • S.H.I.E.L.D.: CoAE-SMC enhanced VFL security


System overview

01 CodeNexa: A Novel Security Framework for Federated Learning to Mitigate Man-in-the-Middle Attacks

02 HydraGuard: Backdoor immunity

03 SECUNID: Enhancing Global Model Security

04 S.H.I.E.L.D.: Security in VFL


System diagram


Component 1: CodeNexa: A Novel Security Framework for Federated Learning to Mitigate Man-in-the-Middle Attacks


Peiris B.L.H.D – IT21110184


Background

  1. What is federated learning and what are its security challenges?
  2. What are the existing techniques for those challenges?


Research problem

  • Dynamic Nature of Federated Learning (FL)

  • Continuous Model Integrity Verification

  • Protection Against MITM Attacks

  • Efficient Handling of Frequent Model Updates

  • Scalable and Lightweight Defense Mechanism


Objective

Developing a novel security framework for federated learning to mitigate man-in-the-middle attacks.


Sub-objectives

  1. Identify gaps in current security techniques for FL systems.
  2. Create a method to check and store key model metrics for validation.
  3. Improve protection against MITM attacks by verifying only valid model updates.


Component diagram

Project completion

Work done: model

The plots show the performance of the local models (0 to 8) in the federated learning setup.


Work done: model

The server compares the recomputed metrics against the stored metrics: if they match, the model update is accepted; if they do not, the update is rejected.
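The accept/reject step above, as an added example that is not CodeNexa's own code: a client evaluates its update on a validation set under several seeds (each seed draws a different subset, which is one reading of the deck's "multi-seed validation"), records the metrics, and authenticates the record with an HMAC, which stands in here for the deck's "encryption of metrics". The shared key, the toy linear classifier and the validation points are all constructed for the example. The server recomputes every declared metric from the weights it actually received and rejects the update when the tag fails or the metrics diverge, which is exactly what a man-in-the-middle who rewrites the weights in transit triggers.

```python
import hashlib
import hmac
import json
import random

# Constructed validation set: 2-D points labelled by the rule x1 + 0.5*x2 > 0.
def make_validation_set(n=200, seed=7):
    rng = random.Random(seed)
    points = []
    for _ in range(n):
        x = (rng.uniform(-1, 1), rng.uniform(-1, 1))
        points.append((x, 1 if x[0] + 0.5 * x[1] > 0 else 0))
    return points

VALIDATION = make_validation_set()
SEEDS = (11, 23, 37)                       # each seed selects a different half of VALIDATION
SHARED_KEY = b"constructed-shared-secret"  # provisioned out of band in a real deployment

def predict(weights, x):
    """Toy linear classifier: sign of the dot product."""
    return 1 if sum(w * xi for w, xi in zip(weights, x)) > 0 else 0

def metrics_for(weights, seed, frac=0.5):
    """Accuracy of `weights` on the subset of VALIDATION chosen by `seed`."""
    rng = random.Random(seed)
    subset = rng.sample(VALIDATION, int(len(VALIDATION) * frac))
    correct = sum(predict(weights, x) == y for x, y in subset)
    return {"seed": seed, "acc": round(correct / len(subset), 4)}

def canonical(body):
    """Deterministic serialisation so client and server MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_update(client_id, weights, key):
    """Client side: weights, their multi-seed metrics, and an HMAC over both."""
    weights = [round(w, 6) for w in weights]     # fix precision before measuring
    body = {
        "client": client_id,
        "weights": weights,
        "metrics": [metrics_for(weights, s) for s in SEEDS],
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def metrics_match(weights, declared_metrics):
    """Recompute every declared metric on `weights` and compare exactly."""
    return all(metrics_for(weights, m["seed"])["acc"] == m["acc"] for m in declared_metrics)

def validate_update(update, key):
    """Server side: verify the tag, then check the weights against the stored metrics."""
    body, tag = update["body"], update["tag"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "rejected: authentication tag does not match"
    if not metrics_match(body["weights"], body["metrics"]):
        return False, "rejected: recomputed metrics differ from the declared ones"
    return True, "accepted"

def mitm_rewrite_weights(update, new_weights):
    """Attacker in the middle: swap the weights, leave metrics and tag alone."""
    forged = json.loads(json.dumps(update))      # deep copy of the message
    forged["body"]["weights"] = new_weights
    return forged

def mitm_rewrite_weights_and_tag(update, new_weights, attacker_key):
    """Attacker who also re-signs with a guessed key: still fails the tag check."""
    forged = mitm_rewrite_weights(update, new_weights)
    forged["tag"] = hmac.new(attacker_key, canonical(forged["body"]), hashlib.sha256).hexdigest()
    return forged

if __name__ == "__main__":
    honest = build_update("client-0", [1.0, 0.5], SHARED_KEY)
    print(validate_update(honest, SHARED_KEY))
    print(validate_update(mitm_rewrite_weights(honest, [-1.0, -0.5]), SHARED_KEY))
    print(validate_update(mitm_rewrite_weights_and_tag(honest, [-1.0, -0.5], b"guess"), SHARED_KEY))
    # Metric check on its own, for the case where only the weights travel unauthenticated:
    print(metrics_match([1.0, 0.0], honest["body"]["metrics"]))
```

The metric comparison is a coarse integrity check: an attacker who can craft weights that reproduce the declared accuracy on every seeded subset passes it, so the number of seeds and metrics bounds how much tampering it catches. The HMAC is the hard stop, and it only holds if the key is never on the path the attacker controls.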


Frontend

Requirements

Functional requirements
  • Model integrity validation
  • Encryption of metrics
  • Multi-seed validation
  • Rejection of compromised models

Non-functional requirements
  • Scalability
  • Security
  • Performance
  • Usability


Research paper submission

ICAC Submission

SNAMS2024 Submission



THANK YOU!


Component 2: HydraGuard: Backdoor immunity in FL environments

J.P.A.S. Pathmendre – IT21085376

01 Background

  • What is the main attack that local models commonly face?
  • What are the main types of backdoor attacks on local models?
  • What are the main types of data poisoning attacks?


02 Research problem

  • Continuous attacks are more aggressive than single-shot attacks.
  • Detecting and rejecting malicious weights leads to data loss and data breaches and reduces model accuracy.
  • Existing defense mechanisms need large computational power and violate the essence of FL.
  • Unreliable predictions.

03 Research gap

Zhang, K., Tao, G., Xu, Q., Cheng, S., An, S., Liu, Y., Feng, S., Shen, G., Chen, P.Y., Ma, S. and Zhang, X., 2022. Flip: A provable defense framework for backdoor mitigation in federated learning. arXiv preprint arXiv:2210.12873.


04 Objectives

Developing a robust preventive and detective mechanism against backdoor attacks in FL systems without reducing accuracy or adding computational overhead.


Sub objectives

  • Reduce ASR and maintain ACC in FL local models against backdoor attacks without computational overhead.
  • Outperform SOTA defense mechanisms.
  • Trigger the attacks, measure the accuracy levels of the implementation and analyze them.

05 Novelty

Component diagram

Requirements


Component Diagram

06 Requirements

Functional
  • Trigger inversion
  • Reinitializing linear classifier
  • Measure class distance
  • Dataset: MNIST

Non-functional
  • Maintain ACC and reduce ASR
  • Reduce computational overhead
  • Maintain model accuracy

07 Project completion

90% complete


Resource collection
  • Connecting with senior researchers
  • Connecting with industry experts


Project completion: work done, final model
  • Model training phase
  • Getting results


Project completion: test results
  • Loss variation
  • Attack success rate
  • Model accuracy variation


Project completion: research findings

Zhang, K., Tao, G., Xu, Q., Cheng, S., An, S., Liu, Y., Feng, S., Shen, G., Chen, P.Y., Ma, S. and Zhang, X., 2022. FLIP: A provable defense framework for backdoor mitigation in federated learning. arXiv preprint arXiv:2210.12873.


Project completion: work done, frontend


Research paper: conference submissions

08 References

[1] K. Zhang, G. Tao, Q. Xu, S. Cheng, S. An, Y. Liu, S. Feng, G. Shen, P.-Y. Chen, S. Ma, and X. Zhang, "FLIP: A provable defense framework for backdoor mitigation in federated learning," arXiv preprint arXiv:2210.12873, 2022.

[2] Z. Qin et al., "Revisiting personalized federated learning: Robustness against backdoor attacks," arXiv preprint arXiv:2302.01677, 2023.

[3] T. Gu, K. Liu, B. Dolan-Gavitt, and S. Garg, "BadNets: Evaluating backdooring attacks on deep neural networks," IEEE Access, vol. 7, pp. 47230-47244, 2019, doi: 10.1109/ACCESS.2019.2909068.

[4] S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard, "Universal adversarial perturbations," in Proc. IEEE Conf. Computer Vision and Pattern Recognition (CVPR), Honolulu, HI, USA, 2017, pp. 86-94, doi: 10.1109/CVPR.2017.17.

[5] V. Mugunthan, A. Peraire-Bueno, and L. Kagal, "PrivacyFL: A simulator for privacy-preserving and secure federated learning," in Proc. 29th ACM Int. Conf. Information & Knowledge Management (CIKM), 2020.

[6] V. Shejwalkar, A. Houmansadr, P. Kairouz, and D. Ramage, "Back to the drawing board: A critical evaluation of poisoning attacks on production federated learning," in Proc. IEEE Symposium on Security and Privacy (SP), 2022, pp. 1354-1371.


Component 3: SECUNID: Enhancing Global Model Security

Athauda A.M.I.R.B – IT21049354, Cyber Security

01 Introduction

  • A global model is produced jointly by a central server and multiple clients. The clients keep their samples locally and share only their model with the server, which protects the privacy of the raw data. The central server aggregates all the client models into a global model, which is sent back to the clients to improve model performance.

  • Data poisoning and model poisoning are two significant threats to the global model.

02 Research problem

What are the limitations of traditional methods?

  • Existing defenses, such as distance-based aggregation rules (e.g., Krum, Trimmed Mean), struggle to detect sophisticated attacks in which malicious updates resemble legitimate ones.

  • Attackers alter their local model updates during training and send the manipulated updates to the central server, which degrades the global model's accuracy and reliability.

  • Current methods usually require some knowledge of the attack:
    1. the malicious participant ratio;
    2. examining local datasets (which compromises the privacy of participants);
    3. assuming IID data.
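To make the first limitation concrete, here is an added example (not SECUNID code) that implements the two aggregation rules named above, Krum and coordinate-wise trimmed mean, and feeds them a constructed round: eight benign updates spread symmetrically around a common centre, one crude outlier, and one stealthy poisoned update that sits inside the benign spread but is nudged along a single coordinate. Both rules reject the crude outlier; the stealthy update is the one Krum selects and it survives trimming, which is the gap the component targets. Every vector, the attacker's shift and the parameters f and k are constructed for illustration.

```python
def sq_dist(u, v):
    """Squared Euclidean distance between two update vectors."""
    return sum((a - b) ** 2 for a, b in zip(u, v))

def krum(updates, f):
    """Krum: select the update whose n-f-2 nearest neighbours are closest to it."""
    n = len(updates)
    m = n - f - 2
    if m < 1:
        raise ValueError("Krum needs n > f + 2")
    scores = []
    for i, u in enumerate(updates):
        nearest = sorted(sq_dist(u, v) for j, v in enumerate(updates) if j != i)
        scores.append(sum(nearest[:m]))
    return min(range(n), key=scores.__getitem__)

def trimmed_mean(updates, k):
    """Coordinate-wise trimmed mean: drop the k largest and k smallest values per coordinate."""
    if 2 * k >= len(updates):
        raise ValueError("k too large for the number of updates")
    dim = len(updates[0])
    aggregate = []
    for j in range(dim):
        column = sorted(u[j] for u in updates)
        kept = column[k:len(column) - k]
        aggregate.append(sum(kept) / len(kept))
    return aggregate

# Constructed round: benign updates sit at CENTRE +/- 0.1 along each axis.
CENTRE = [0.5, 0.5, 0.5, 0.5]

def benign_updates():
    ups = []
    for axis in range(len(CENTRE)):
        for sign in (+1, -1):
            u = list(CENTRE)
            u[axis] += sign * 0.1
            ups.append(u)
    return ups

BENIGN = benign_updates()
CRUDE_OUTLIER = [5.0] * 4             # far from everything: caught by both rules
STEALTHY = [0.55, 0.5, 0.5, 0.5]      # inside the benign spread, nudged on axis 0
UPDATES = BENIGN + [STEALTHY, CRUDE_OUTLIER]
STEALTHY_INDEX = len(BENIGN)          # 8
OUTLIER_INDEX = len(BENIGN) + 1       # 9

def krum_choice():
    """Index Krum selects for this round, tolerating f=1 Byzantine client."""
    return krum(UPDATES, f=1)

def trimmed_aggregate():
    """Coordinate-wise trimmed mean of this round with k=2."""
    return trimmed_mean(UPDATES, k=2)

if __name__ == "__main__":
    chosen = krum_choice()
    print("Krum selects index", chosen, "->", UPDATES[chosen])
    print("Trimmed mean (k=2):", trimmed_aggregate())
    print("Mean of the benign updates only:", trimmed_mean(BENIGN, 0))
```

Krum scores each update by its distance to its closest neighbours, so an attacker who places its vector near the centre of the benign cloud scores better than any genuine client and becomes the aggregate outright; trimming per coordinate drops the crude outlier but keeps any value that lies within the benign range, so the nudge on axis 0 still moves the result away from the honest mean of 0.5.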

03 Research gap

Comparison of Research A, Research B, Research C and the proposed solution against the following criteria:

  • Robust outlier detection for security
  • Efficient handling of non-IID data
  • Integrated approach for FL security and non-IID data
  • Scalability to large FL networks
  • Real-world applicability across diverse domains
  • Adherence to data privacy regulations
  • User-friendly system deployment
  • No special infrastructure requirements

04 Objectives

Main objective

  • Design a framework to protect the global model in federated learning against data and model poisoning attacks.

Sub objectives

  • The parameters submitted by the participants are examined in each iteration using LayerCAM augmented with an autoencoder.

  • Evaluate the performance of the model against poisoning attacks on different datasets.

05 Methodology

SECUNID

06 Project completion

Training for 50 epochs

Heatmap without malicious participants

Heatmap with malicious participants

07 Research paper

ICAC Submission

SNAMS2024 Submission


Thanks!

Component 4: S.H.I.E.L.D.: Securing Vertical Federated Learning Against Label Inference Attacks Using Confusional Autoencoders, Noise Addition, and Simplified Secure Multi-Party Computation

A.R.W.M.V. Hasaranga – IT21051548

Table of contents

  • Introduction & Background
  • Research Problems & Research Gap
  • Objectives
  • System Design
  • Novelty of the Approach
  • Research Progress
  • Research Completion


Background

Definition of VFL:

  • Vertical Federated Learning (VFL) involves multiple parties collaboratively learning a predictive model while keeping their training data local; it applies when the datasets are split vertically, by feature, among different entities.

Importance of security in VFL:

  • Security is paramount because VFL handles sensitive data across various domains, which makes it a target for data breaches, eavesdropping, and inference attacks.

Security challenges:

  • Despite advances, VFL systems remain vulnerable to sophisticated threats, particularly label inference attacks, in which a party infers the sensitive labels held by another party from the model outputs and gradients exchanged during training.
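An added illustration of the label inference threat named in the last bullet, written here and not the component's implementation: in split or vertical training the party holding the labels computes the loss and returns to the feature party the gradient of the loss with respect to that party's logits. For softmax cross-entropy that gradient is softmax(z) minus the one-hot label, so its only negative coordinate is the true class, and the feature party can read every label off the backward pass; this is the direct label inference attack described by Fu et al. The block also applies the deck's noise-addition idea to the returned gradient with Gaussian noise (the noise scale, the random logits and the ten-class setting are assumptions) and measures how often the attack still succeeds.

```python
import math
import random

def softmax(logits):
    """Numerically stable softmax over a list of logits."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def logit_gradient(logits, label):
    """d(cross-entropy)/d(logits) = softmax(logits) - onehot(label).
    In VFL this is the vector the label holder sends back to the feature party."""
    probs = softmax(logits)
    return [p - (1.0 if i == label else 0.0) for i, p in enumerate(probs)]

def infer_label(grad):
    """Direct label inference: the true class is the only negative coordinate,
    so the most negative entry is the adversary's guess."""
    return min(range(len(grad)), key=grad.__getitem__)

def add_gaussian_noise(grad, sigma, rng):
    """Noise addition on the returned gradient (assumed defence setting)."""
    return [g + rng.gauss(0.0, sigma) for g in grad]

def attack_success_rate(samples, classes, sigma, seed=0):
    """Fraction of labels the feature party recovers from (noisy) gradients,
    over constructed random logits and labels."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        label = rng.randrange(classes)
        logits = [rng.gauss(0.0, 1.0) for _ in range(classes)]
        grad = logit_gradient(logits, label)
        if sigma > 0:
            grad = add_gaussian_noise(grad, sigma, rng)
        hits += int(infer_label(grad) == label)
    return hits / samples

if __name__ == "__main__":
    for sigma in (0.0, 0.05, 1.0):
        rate = attack_success_rate(1000, 10, sigma)
        print(f"noise sigma={sigma:<5} attack success rate={rate:.2f}")
```

Without noise the attack is exact: every label is recovered. Noise at a small fraction of the gradient's own magnitude changes nothing, because the gap between the negative coordinate and the others is close to one; only noise on the order of the gradient itself pushes the attacker toward guessing, and at that level the same noise is being fed into the feature party's weight updates, which is the accuracy cost the component's objectives try to minimise.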


Research problem

Limited defense mechanisms:

  • Current VFL security protocols are not robust enough to fully prevent label inference attacks, leading to potential data breaches, and there is a lack of scalable solutions that balance privacy and performance.

Insufficient mitigation strategies:

  • Existing solutions may not effectively address all types of label inference attacks, especially the sophisticated passive and active forms.

  • Existing methods for defending against label inference attacks in VFL are computationally expensive (e.g., secure multi-party computation).

  • Insufficient focus on lightweight mechanisms for privacy preservation in collaborative learning environments.


Objectives and sub objectives

Main objective: Develop and integrate advanced defense mechanisms to secure vertical federated learning systems against attacks.

Sub objectives:
  • Develop a defense mechanism to secure VFL against label inference attacks.
  • Combine confusional autoencoders, noise addition, and simplified SMC.
  • Ensure minimal impact on model accuracy while enhancing privacy.


Component diagram


Novelty of the approach

Innovative integration: Introduction of confusional autoencoders for privacy in VFL; noise addition to further obscure sensitive data; a simplified SMC framework for a lightweight and scalable solution.

Targeting all attack forms: The integration is designed to mitigate direct, passive, and active label inference attacks, a combination not previously implemented.

Enhanced data protection: Aims to significantly enhance data protection by keeping sensitive information encrypted and secure during all phases of computation.

Pioneering security solutions: This combination has not been previously attempted, offering potentially groundbreaking improvements in federated learning security.


Research progress

  • Tested on the MNIST dataset with the confusional autoencoder and noise addition.
  • Integrated a 5-fold method as a simplified version of SMPC.
  • Minimal impact on model accuracy while strengthening the defense.


Research completion

  • Trained autoencoder
  • Auto-encoder dataset
  • Trained 5 folds
  • Results: five-fold results and combined confusion matrices


Front end

Research paper: conference submission



Thank You


Commercialization

  • Project ALVI is a set of four separate solutions for securing the federated learning ecosystem:
    • CodeNexa
    • HydraGuard
    • SECUNID
    • S.H.I.E.L.D.
  • Target users: privacy-preserving organizations (banks, hospitals)
  • Marketing approach: business conferences and awareness sessions

Technologies

  • Python
  • Docker
  • ML
  • PyTorch
  • GitHub
  • TensorFlow
  • Jupyter Notebook

Work breakdown structure


Gantt chart

Thank you