Federated Learning Attacks Revisited: A Critical Discussion of Gaps, Assumptions, and Evaluation Setups.

Autor: Wainakh A; Telecooperation Lab, Technical University of Darmstadt, 64289 Darmstadt, Germany., Zimmer E; Telecooperation Lab, Technical University of Darmstadt, 64289 Darmstadt, Germany., Subedi S; Telecooperation Lab, Technical University of Darmstadt, 64289 Darmstadt, Germany., Keim J; Telecooperation Lab, Technical University of Darmstadt, 64289 Darmstadt, Germany., Grube T; Telecooperation Lab, Technical University of Darmstadt, 64289 Darmstadt, Germany., Karuppayah S; National Advanced IPv6 Centre (NAv6), University of Science Malaysia, Penang 11800, Malaysia., Sanchez Guinea A; Telecooperation Lab, Technical University of Darmstadt, 64289 Darmstadt, Germany., Mühlhäuser M; Telecooperation Lab, Technical University of Darmstadt, 64289 Darmstadt, Germany.
Jazyk: angličtina
Zdroj: Sensors (Basel, Switzerland) [Sensors (Basel)] 2022 Dec 20; Vol. 23 (1). Date of Electronic Publication: 2022 Dec 20.
DOI: 10.3390/s23010031
Abstrakt: Deep learning pervades heavy data-driven disciplines in research and development. The Internet of Things and sensor systems, which enable smart environments and services, are settings where deep learning can provide invaluable utility. However, the data in these systems are very often directly or indirectly related to people, which raises privacy concerns. Federated learning (FL) mitigates some of these concerns and empowers deep learning in sensor-driven environments by enabling multiple entities to collaboratively train a machine learning model without sharing their data. Nevertheless, a number of works in the literature propose attacks that can manipulate the model and disclose information about the training data in FL. As a result, there has been a growing belief that FL is highly vulnerable to severe attacks. Although these attacks do indeed highlight security and privacy risks in FL, some of them may not be as effective in production deployment because they are feasible only given special-sometimes impractical-assumptions. In this paper, we investigate this issue by conducting a quantitative analysis of the attacks against FL and their evaluation settings in 48 papers. This analysis is the first of its kind to reveal several research gaps with regard to the types and architectures of target models. Additionally, the quantitative analysis allows us to highlight unrealistic assumptions in some attacks related to the hyper-parameters of the model and data distribution. Furthermore, we identify fallacies in the evaluation of attacks which raise questions about the generalizability of the conclusions. As a remedy, we propose a set of recommendations to promote adequate evaluations.
Databáze: MEDLINE
Nepřihlášeným uživatelům se plný text nezobrazuje