Distributed machine learning has spawned a lot of useful applications, such as on-device learning and edge computing [ref-4]. However, due to communication delays and network bandwidth limitations in fourth-generation (4G) networks, mobile users holding smart devices with limited computing power cannot fully participate in distributed machine learning tasks. Fortunately, in the fifth-generation (5G) networks, bottlenecks attributed to communication latency and network bandwidth will be overcome [ref-3]. Therefore, attention can be focused on addressing the performance and efficiency issues of distributed machine learning can be addressed. Consequently, mobile devices will be able to participate in distributed machine learning. However, traditional distributed machine learning techniques require a certain amount of private data to be aggregated and analyzed at central servers during the model training phase [ref-7]. Such a training process would lead to potential privacy leakage for users in 5G networks [ref-1, ref-6].
To address such privacy challenges, McMahan et al. [ref-11] proposed a collaboratively distributed machine learning paradigm for mobile devices called Federated Learning (FL). FL involves the training machine learning models over devices 111We use the term ‘device’ throughout this article to describe entities in 5G networks, such as edge nodes, clients, smartphones, etc. or siloed data centers while maintaining the training datasets locally without sharing raw training data [ref-12]. The procedure of FL execution is divided into three phases: initialization, aggregation, and update phases. In the initialization phase, the central aggregator presents a pre-trained global model on a public dataset (e.g., MNIST222http://yann.lecun.com/exdb/mnist/, CIFAR-10333http://www.cs.toronto.edu/ kriz/cifar.html), to each device. Following that, each device uses 5G networks to train and improve the current global model on the local dataset in each iteration. In the aggregation phase, the central aggregator aggregates local model updates (i.e., gradient information) from the devices. In the update phase, the central aggregator aggregates all local model updates to generate a new global model for the next iteration. Both the devices and the central aggregator repeats the above process until the global model reaches a certain accuracy or optimal convergence. This paradigm significantly reduces the risks of privacy leakage by decoupling the model training from direct access to the raw training data [ref-12].
Although FL brings new application scenarios (e.g., edge computing and on-device learning) to devices in 5G networks, it still suffers from two critical threats: poisoning and membership inference attacks [ref-1-1]. Firstly, if the poisoning attack occurs, an unreliable device submits an “error update”, FL model would be “poisoned.” [ref-10] A vicious attack will cause a failure in FL global model update. Secondly, in the case of the membership inference attack, since the intermediate gradients in training models always contain rich semantic information (e.g., model parameters), adversaries could exploit reverse engineering techniques to access some sensitive information (e.g., raw distribution of training data) [ref-13-13]. Therefore, these vulnerabilities compel the need to develop a secure and privacy-preserving framework for FL, where the global model updates can be aggregated more securely.
In this study, we propose a secure FL framework that exploits the capabilities of smart contracts in blockchain to defend against poisoning attacks and also introduce local differential privacy techniques to mitigate inference attacks. Specifically, smart contracts allow a task publisher to reward participants who can provide well-trained local models for a specific FL task [ref-14]. The proposed framework establishes a marketplace to train FL models in an automated and anonymous manner for each participant (i.e., mobile device) through 5G networks. The local differential privacy technique provides robust defensive measures against membership inference attacks by adding well-designed noises to the model updates during the model training phase [ref-13-13]. Based on the proposed framework, a central aggregator can create a decentralized and trustless marketplace to eliminate the impact of overreliance on participants in FL.
In 5G communication systems, task publishers can be typically deployed on edge nodes with sufficient storage and data processing capabilities, and mobile devices can easily access edge nodes to train local models. The proposed framework creates a marketplace where participants that are skilled in solving FL problems can profit directly from smart contracts [ref-14]. The main contributions of this study are summarized as follows:
We design a blockchain-based federated learning framework to achieve secure and reliable federated learning as well as all-round defense against poisoning attacks.
We introduce the local differential privacy technology as a firewall against membership inference attacks on federated learning models.
We create a marketplace where participants endowed in solving federated learning problems can benefit directly from their skills. This will provide a trustworthy platform to motivate participants to create better federated learning models.
Ii Federated Learning and Its Threats
Ii-a Federated Learning and Its Application Scenarios in 5G Networks
Federated Learning [ref-11, ref-15] is a collaborative machine learning framework that required no centralized training data. In FL, the local devices download the global model through 5G networks from the central aggregator, and then these devices train and improve the current global model by using their local raw data [ref-11]
. Typically, each device trains its local model using Distributed Stochastic Gradient Descent (D-SGD) algorithm[ref-17] and uploads the model updates (i.e., gradient information) to a central aggregator [ref-12]. The aggregator updates a new global model by collecting all local updates and calculating the mean value of these local model updates. Federated learning aims to build machine learning models based on datasets stored locally in distributed devices without compromising privacy.
Some typical FL application scenarios in 5G networks are listed as follows.
Internet of Things (IoT): ByteLAKE and Lenovo present a technique called Federated Intelligence IoT444https://becominghuman.ai/theres-a-better-way-of-doing-ai-in-the-iot-era-feabbbc1b589 that not only enables IoT devices in 5G networks to learn from each other but also makes it possible to leverage local machine learning models on IoT devices. In such scenarios, FL could be applied to build a personalized voice assistant without compromising personal privacy.
Internet of Vehicles (IoV): The Shenzhen Municipal Government in China cooperates with commercial organizations such as DiDi Chuxing and HelloBike companies to conduct the real-time traffic flow forecasting [ref-4] based on IoV in 5G networks. Meanwhile, General Data Protection Regulation (GDPR)555https://eugdpr.org/ prohibits any organization from directly trading personal data due to concerns about privacy leakage. Therefore, FL can be applied to build a traffic flow prediction model that not only improves the prediction accuracy but also protects personal privacy.
Ii-B Threats and Countermeasures
Although FL has many promising applications in scenarios related to 5G networks, two threats have been identified as obstacles to its full-scale deployment. Noting that it is assumed that the central aggregator is not compromised or malicious, we enunciate the two threats as follows:
Threat 1: Participants with malicious behaviors. Participants may have intentional or unintentional malicious behaviors during FL training phase [ref-12]. Intentional malicious participants can submit wrong model updates, failing the update of the FL model. Unintentional malicious participants may upload model updates that have a negative effect on global model updates as they utilize low-quality training data. When the central aggregator aggregates these local model updates to update the global model, it eventually makes a poor accuracy or even useless global model. All of these intentional or unintentional malicious behaviors may “poison” the FL model. In a word, the current FL models rely on a trust mechanism, which makes it vulnerable to suffer from poisoning attacks [ref-16].
Threat 2: Disclosure of sensitive information. In FL, each participant uploads the updated parameters of the own local training model to the central aggregator. However, existing studies show that adversaries can still initiate a membership inference attack to obtain sensitive information from the updated parameters associated with the local data. Specially, adversaries can utilize the sensitive information disclosed by network snooping attacks in 5G networks to threaten the privacy of FL model.
To address the poisoning attack, in [ref-12], Kang et al. explored using blockchains to build a decentralized market using identity and reputation systems to deter poisoning attacks. However, such a method favours the gradient direction for updates uploaded from participants with high reputation value, which leads to the poor generalization ability of FL. Moreover, for local sensitive information leakage problems, existing studies show that the differential privacy technique is one of the best solutions [ref-13-13]. Therefore, we introduce a local differential privacy technique to address the poisoning attack issues. Guided by the above considerations, we outline the main objectives in the proposed FL framework.
Establishing fairness trading market for participants in blockchain-based FL framework. Based on Ethereum, the proposed framework can create a market for collaborative training of FL models anonymously. Note that the proposed framework can be also applied to other blockchain platforms. In this marketplace, honest participants can make profits by submitting correct solutions to FL problems. To ensure the security of framework, the central aggregator verifies the updates of local models based on smart contracts. The need for mutual trust between participants in this framework is eliminated because the protocol uses cryptographic authentication to secure all transactions.
Protecting sensitive information in federated learning. In the proposed framework, participants add well-designed noises to their model updates by applying the local differential privacy technique. It utilizes some noise-adding mechanisms (e.g., Gaussian Noise Mechanism or Laplace Noise Mechanism) to secure model parameters. Therefore, even if adversaries gain access to the noise-adding gradient information, they cannot recover the original model parameters and local data.
Iii Secure Federated Learning Framework
We first describe the related concepts and terms used in the proposed Secure Federated Learning (SFL) framework.
Smart contracts: Blockchain-based Ethereum implementation of a smart contract.
Wallet address: an escrow account of Ethereum that stores the rewards.
Task publisher: anyone who can publish FL tasks and interacts with the central aggregator.
Central aggregator: an entity responsible for aggregating model updates uploaded by devices and interacts with the task publishers.
Device: a physical entity in 5G networks involving in FL.
Local model: the model that a device trains with its local data.
Global model: an initial global model that is issued by the task publisher for the devices, and global models are updated by the central aggregators during model iterations.
Model update: the gradient information generated by local model training.
Data points: points made up of inputs and outputs.
Data group: a matrix made up of data points.
Fig. 1 further illustrates the pipeline of the proposed SFL framework. In this framework, we introduce the smart contract technique to deter the poisoning attacks (see Fig. 2), and the local differential privacy technique is applied to curtail the inference attacks (see Fig. 3).
Phrase 1, Initialization. A task publisher named Bob creates a smart contract including a testing dataset, an initial global model, evaluation criteria, and a reward amount. The accuracy performance is used as the evaluation criterion to evaluate the training quality of FL model. The reward is a monetary reward, such as “ETH” tokens. The above smart contract is published to the Ethereum blockchain. The central aggregator sends the initial global model to participants in Ethereum.
Phrase 2, Aggregation. Each participant downloads the initial global model to train the local model using its local dataset. When a device succeeds in training a local model, it submits its local model updates to the Ethereum blockchain. All the Ethereum blockchain miners use the evaluation function in the smart contracts to evaluate all uploaded model updates and generate an average value of model quality for each uploaded model. We note that, similar to reference [ref-11], a federated averaging algorithm (i.e., average aggregation) is used in the proposed framework. Participants use a differential privacy technique to add well-designed noise to the uploaded model updates. The high-quality (i.e., high accuracy) model updates with larger values (e.g., if it is larger than a given threshold determined by task publishers) will be sent to the central aggregator.
Phrase 3, Update. The task publisher gets the current global model from the central aggregator, and then prepares for the next round of iterative training.
The proposed SFL framework allows participants in the blockchain to implement local model training for rewards in a trustless manner. Moreover, the participants will be rewarded by the efforts of their high accuracy model updates for FL tasks. As presented in Fig. 2, the detailed steps of the phases mentioned above are described as follows.
Iii-a Initialization Phase
Step 1: The task publisher creates a smart contract with the following operations.
The initialization function init() is called to initialize SFL framwork.
The number of iterations is based on the size of the blocks.
The task publisher hashes the testing dataset into the hashed data groups using a certain hash function.
Step 2: The task publisher hashes the indices of the data groups and sends this hashed result as the seed of random numbers to the central aggregator. The task publisher stores the reward in an encrypted address. Next, the central aggregator calls the init() function to initialize SFL framework.
Step 3: The central aggregator verifies the testing data with the hash value previously provided for the data groups and writes the testing data groups and the random numbers into the smart contracts. The devices in 5G networks call the get_global_model() and get_FL_task() functions to receive the global model and FL task sent by the central aggregator, respectively.
At this point, the smart contracts initialization in SFL framework has been completed. Devices can begin to train their local models for a particular FL task.
Iii-B Aggregation Phase
Step 1: Local model training. In this step, each device calls the local_model_training() function to use its local data to train the local model. Without loss of generality, it is assumed that D-SGD algorithm [ref-17] is used to update the local model updates.
Step 2: Noise Addition. As shown in Fig. 3, each device uses Gaussian Noise Mechanism (GNM) to add noise on the local model updates prior to submission to the central aggregator. To defend against membership inference attacks, each device first perturbs its model updates using a randomized perturbation function based on GNM. Next, sends the perturbed model updates to the aggregator instead of its original model updates . To achieve this goal, we require that the function satisfies the requirement of -local differential privacy (-LDP) [ref-13-13], where is a privacy parameter to make a tradeoff between the security and the availability, and
is defined as the probability that plain-LDP is broken. is denoted as a fixed-scale Gaussian noise added to , and the sensitivity is defined as the maximum absolute distance between and . A device calls the add_noise() function which combines the above -LDP method and D-SGD algorithm to improve the privacy of FL. Meanwhile, the add_noise() function contains two main operations:
Local Update. Let be the total number of devices participate in FL. In each iteration, each device calls the local_model_training() function to compute its local model update. After executing of this function, a device obtains its local models .
GNM Implementation. Each device can enforce a certain sensitivity by using scaled versions instead of the true updates, where , . Dividing the GNM’s output by yields an approximation to the real average of all device updates, while preventing the leakage of crucial information about an individual, as shown in Fig. 3.
Each device executes the submit_model_update() function to submit its model update with both the noise-adding gradient information and the payee address for the task publisher.
Step 3: Evaluation. The central aggregator can evaluate a single local model by the following operations.
The central aggregator calls the disclosure_test_data() function that applies the testing dataset for local model evaluation. If the central aggregator fails to calls the disclosure_test_data() function, the central aggregator uses its training dataset to evaluate the local model.
At this point, we note that once the evaluation begins to perform in the central aggregator, it no longer accepts model updates from devices. The central aggregator calls the evaluate_local_model() function to select the qualified devices whose model updates meet the evaluation criteria. It supports the central aggregator to observe the model aggregation results of each round before deciding whether to stop training, thereby reducing the consumption of computing resources and gas. Next, the central aggregator calls the aggregate_model_update() function to aggregate all local model parameters in the qualified devices to update the current global model. A new global model is allocated by adding this approximation to the current glocal model (see Fig. 2). Finally, the central aggregator calls the evaluate_model() function to evaluate the updated global model and send the results to the task publisher to complete the current iteration.
Iii-C Update Phase
After the convergence of the global model update or the number of iterations reaches the upper limit, the qualified device calls the finalize_contract() function to obtain a reward from the Ethereum blockchain. The central aggregator calls the post_evaluation() function post the results of this FL task. Finally, the task publisher obtains a new better global model.
Iv Solutions to potential issues
Trust and fairness are critical to any marketplaces, which make it paramount to design a FL framework where no user can cheat or gain an advantage over other users. Therefore, we further present the following solutions to potential issues related to the proposed framework.
Iv-a Overfitting Problems
Overfitting is one of the most common problems in machine learning. It reduces the generalization ability of machine learning models. Our proposed framework is not immune since overfitting problems could occur when (i) the local training data contains additional noises; (ii) the local training data is insufficient; (iii) the local model is over-trained; (iv) the task publisher releases the testing dataset in advance.
For problems (i), (ii), (iii), the central aggregator can call the evaluate_local_model() function based on the testing dataset to solve. For problem (iv), the task publisher and the central aggregator should keep the testing dataset unreleased during the model update phase.
Iv-B Gas Costs Problems
Participants are compensated for the costs of executing transactions in the blockchain. These costs are called “gas” [ref-14] in the Ethereum blockchain. To avoid missing the mining block tasks, participants set the limit of gas themselves. Therefore, the upper limit of the gas in SFL framework will result in many devices missing the evaluation of the central aggregator. It means that the smart contracts would never be finalized [ref-5].
To solve this problem, we perform the following two steps: (i) We allow participants to call evaluation functions locally for evaluating their models. This approach reduces the computation required to evaluate the model, thus avoiding the problem of insufficient gas costs. (ii) The accuracy of the model needed for the device to receive rewards is announced in real-time. Therefore, the device can decide whether to submit a model update based on its local model evaluation result.
V Performance Evaluation and Analysis
V-a Experiment Setting
To evaluate the performance of the proposed SFL framework, we use Google Tensorflow for the simulation experiments on MNIST dataset and CIFAR-10 dataset, respectively. Without loss of generality, we assume that the task publisher releases the classification tasks on MNIST and CIFAR-10, respectively. For the two tasks, the participants work together to train the FL model, i.e., AlexNet.666http://papers.nips.cc/paper/4824-imagenet-classification-with-deep-convolutional-neural-networks
The size of participant set . It is assumed that
contains 20% malicious participants that launched a poisoning attack, 20% unreliable participants with low-quality data, and 60% well-behaved participants. The training set of well-behaved participants are randomly selected by a uniform distribution of 10 categories. It is assumed that malicious participants mislead the training model by modifying the labels of the training samples to carry out a poisoning attack. We useas the percentage of the modified labels that indicate the strength of poisoning attack, where in the experiments is set as , respectively. The Earth Mover’s Distance (EMD) represents the probability distance between a participant’s data distribution and the actual distribution for the whole population, which is used as a metric to measure training data quality of the unreliable participants [ref-12].
We deploy the proposed SFL framework on the Ethereum blockchain. Further, each participant applies D-SGD algorithm to update model parameters iteratively. In the experiments, mini-batch size , learning rate , and dropout rate . Like in [ref-13-13], we adopt a privacy budget of , to apply the -LDP method, where is the acceptable probability when the differential privacy is unbroken [ref-17].
V-B Performance Analysis
Fig. 4 illustrates the accuracy performances of AlexNet model with different and EMDs on MNIST dataset and CIFAR-10 dataset, respectively, when . It means that the three factors , EMD, and the number of attackers influence the accuracy performances. The increase in the accuracy of the model is accompanied by a decrease in any one of the above factors. The results show that the proposed framework can deter poisoning attacks. Specifically, as the attack intensity increases, the accuracy of the proposed framework remains unchanged. As shown in Fig. 4, for example, the learning accuracy is 65.2% for CIFAR-10 classification task with 20% malicious participants exhibiting the strongest poisoning attack on the AlexNet model (i.e., , EMD ). The central aggregator without defensive measures aggregates a large number of low-quality model updates as the attack intensity increases, thereby reducing the accuracy of the model. It implies that AlexNet model in FL fails to perform image classification tasks under the poisoning attacks.
Meanwhile, the well-behaved participants call the add_noise() function to add noises to the gradient information, resulting in the loss of the model accuracy. So, these well-behaved participants may be misidentified as malicious participants because they degrade the accuracy performance of the model. To avoid the confusion of these well-behaved participants, there is a need to distinguish them from malicious participants in the proposed SFL framework. Fig. 5 presents the highest accuracy (HA), minimum accuracy (MA), and average accuracy (AA) by 10 simulations on MNIST dataset and CIFAR-10 dataset, respectively. We adopt AA as the evaluation criteria to determine malicious participants in a FL task. For example, as presented in Fig. 5, when , the lowest is obtained as 90.32% that is the same as the accuracy of model in Fig. 4 with and EMD . Here, (i.e., , EMD ) can be used as the threshold to determine malicious participants. The central aggregator calls the evaluate_local_model() function on the testing dataset to evaluate the local model uploaded by the participants. If the result of the above function is lower than , a reward will not be paid to the participant who may be a malicious participant. If not, the participant calls the finalize_contract() function to get a reward.
For Fig. 5, we compare the accuracy of the proposed framework with that of a typical FL framework (i.e., non-differentially private (Non-DP) model) at different defense strengths of inference attacks. Numerical results show a trade-off between the protection from inference attacks and the accuracy of the model. Specifically, the accuracies of Non-DP model are 99.21% and 93.72% on MNIST and CIFAR-10 datasets, respectively. When , , Fig. 5 illustrates that the accuracy of the proposed framework is close to that of the scheme without defensive measures, which indicates that the local differential privacy mechanism prevents inference attacks while sacrificing some accuracy. Besides, the central aggregator uses a batch average aggregation mechanism (see Fig. 2) to mitigate the influence of noises on the accuracy of the model. Therefore, within a threshold of a certain number of participants (i.e., in this study, the threshold is set as 300), the more participants involved in the FL, the better performance achieved.
Vi Conclusions and Future Directions
In this article, we addressed data privacy leakage issues related to ensuring secure FL in 5G networks. We proposed a blockchain-based framework to defend against poisoning attacks. In the proposed framework, a market is created to trade model updates based on smart contracts in blockchain to validate the model updates against poisoning attacks automatically. Additionally, we introduce the local differential privacy technique in smart contracts to prevent the membership inference attacks. Specifically, we add well-designed Gaussian noises to the model updates uploaded by the participants to defend against membership inference attacks. We validate our proposed security framework on two datasets, which yielded secure FL to 5G networks. The study has several open questions that need to be further investigated. First, because the federated averaging algorithm is used to aggregate the model updates, we encounter unfair usage to certain devices. Second, efficiency issues arise since the use of deep learning algorithms increases the computational demands of the proposed system. Third, the more participants in the proposed framework, the greater the communication overhead, which in turn reduces the accuracy of FL. These are among the many issues that need to be addressed in the road to fair and efficient blockchain-based FL frameworks of the future.
This work is supported in part by the Science and Technology Project of State Grid Corporation of China (Grant No. SGHL0000DKJS1900883), in part by AMI acknowledges funding from the Prince Sattam Bin Abdulaziz University, Saudi Arabia via the Deanship for Scientific Research funding for the Advanced Computational Intelligence & Intelligent Systems Engineering (ACIISE) Research Group Project Number 2019/01/9862, in part by the National Research Foundation (NRF), Singapore, Singapore Energy Market Authority (EMA), Energy Resilience, NRF2017EWT-EP003-041, Singapore NRF2015-NRF-ISF001-2277, Singapore NRF National Satellite of Excellence, Design Science and Technology for Secure Critical Infrastructure NSoE DeST-SCI2019-0007, A*STAR-NTU-SUTD Joint Research Grant on Artificial Intelligence for the Future of Manufacturing RGANS1906, WASP/NTU M4082187 (4080), Singapore MOE Tier 2 MOE2014-T2-2-015 ARC4/15, and MOE Tier 1 2017-T1-002-007 RG122/17.