# Security in NVIDIA FLARE Federated Computing Systems 


### Critical Security Concerns in Federated Learning Systems

#### Data Privacy
* Model inversion attacks (reconstructing training data from model parameters)
* Membership inference attacks (determining if specific data was used in training)
* Property inference attacks (learning properties about training data)
* Gradient leakage during parameter sharing

#### System Security
* Authentication of participants
* Man-in-the-middle attacks
* Sybil attacks (malicious entities creating multiple fake identities)
* Denial of Service (DoS) attacks
* Network security during model/gradient transmission

#### Model Security
* Model poisoning attacks
* Backdoor attacks
* Model stealing/extraction
* Adversarial attacks on the trained model

#### Participant Privacy
* Protection of participant identities
* Confidentiality of participation in the FL system
* Protection of organizational intellectual property

#### Computation Integrity
* Verification of correct computation by participants
* Detection of malicious or faulty updates
* Ensuring honest execution of the FL protocol

#### Access Control
* Role-based access control
* Resource usage control
* Model access permissions
* Data access restrictions

#### Regulatory Compliance
* Adherence to data protection regulations (GDPR, HIPAA, etc.)
* Cross-border data governance
* Audit trails and accountability

#### Infrastructure Security
* Edge device security
* Server security
* Communication channel security
* Storage security for model checkpoints

#### Trust Management
* Reputation systems for participants
* Trust establishment between parties
* Verification of participant legitimacy

#### Aggregation Security
* Secure aggregation protocols
* Protection against colluding participants
* Byzantine-robust aggregation

----------

### Security Mechanisms in Federated Learning Systems

A Federated Computing System requires robust security mechanisms to ensure that only legitimate and trusted participants can contribute, while also protecting communication channels and enforcing authorization policies. Below are the critical security components of a Federated Learning system:


* **Authentication**: ensures that communicating parties have sufficient confidence in each other's identities, i.e. everyone is who they claim to be.

* **Authorization**: ensures that users can only perform the actions they are permitted to perform.

  Because a federated computing system is distributed across organizations, each participating organization needs its own additional authentication and authorization. You can learn how NVIDIA FLARE implements these through event-based Federated Authentication and Authorization.

* **Privacy Protection**: techniques and mechanisms that keep sensitive user data private while enabling collaborative model training across decentralized devices or servers. Since FL trains models without sharing raw data, privacy protection is crucial to prevent information leakage from model updates.

  We introduced different privacy-enhancing technologies (PETs) in [Chapter 5](../../chapter-5_Privacy_In_Federated_Learning/05.0_introduction/introduction.ipynb). Here, we explore privacy protection mechanisms at the organization level.

* **Trust-based Security**: trust-based mechanisms add another layer of protection by leveraging the VM-based trusted execution environment (TEE) of confidential computing. NVIDIA FLARE will enable end-to-end confidential federated AI. We briefly touch on this topic in this chapter, with more details to be added in the future.

* **Communication Security**: uses a secure transport protocol, TLS, for transmission. FLARE supports both mutual TLS (mTLS) and standard (server-authenticated) TLS combined with signed messages.
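The Authentication and Authorization items above describe authorization decisions being made per organization rather than centrally. The following added example (not NVIDIA FLARE's own authorization API; the class and function names, the command names and the two sites are hypothetical and constructed for illustration) shows what "federated authorization" means in practice: the server forwards a user's command, but each site evaluates it against its own locally defined rules, so the same user can be allowed on one site and denied on another, and every denial leaves an audit line.

```python
"""Site-local authorization in a federated computing system.

Added illustrative example; this is NOT the NVIDIA FLARE authorization API
(the class and function names here are hypothetical). Each site keeps its
own policy: which roles may run which commands, and which roles from other
organizations may act on this site at all.
"""
from dataclasses import dataclass, field

# Roles named on this page; the command names below are constructed for the example.
ROLES = frozenset({"project_admin", "org_admin", "lead_researcher", "member_researcher"})


@dataclass(frozen=True)
class User:
    name: str
    org: str
    role: str


@dataclass
class SitePolicy:
    """Authorization rules owned and enforced by one site, not by the FL server."""
    site_org: str
    # command -> roles allowed when the user belongs to this site's own org
    own_org_rules: dict
    # command -> roles allowed for users from any other org (default: nothing)
    other_org_rules: dict = field(default_factory=dict)

    def authorize(self, user: User, command: str) -> tuple:
        """Return (allowed, reason). Unknown roles and unlisted commands are denied."""
        if user.role not in ROLES:
            return False, f"unknown role {user.role!r}"
        same_org = user.org == self.site_org
        rules = self.own_org_rules if same_org else self.other_org_rules
        if user.role in rules.get(command, frozenset()):
            return True, "allowed by site policy"
        scope = "own-org" if same_org else "other-org"
        return False, f"{scope} rule for {command!r} does not include role {user.role!r}"


def federated_authorize(user: User, command: str, sites: dict) -> dict:
    """Evaluate one command against every target site's own policy.

    The server does not decide on behalf of the sites: each site answers for
    itself. Denials are emitted as audit lines (printed here; a real system
    would persist them for accountability).
    """
    decisions = {}
    for site_name, policy in sites.items():
        allowed, reason = policy.authorize(user, command)
        decisions[site_name] = allowed
        if not allowed:
            print(f"AUDIT deny site={site_name} user={user.name} org={user.org} "
                  f"role={user.role} cmd={command} reason={reason}")
    return decisions


def build_demo_sites() -> dict:
    """Two constructed sites with deliberately different local policies."""
    common_own = {
        "submit_job": {"project_admin", "org_admin", "lead_researcher"},
        "list_jobs": {"project_admin", "org_admin", "lead_researcher", "member_researcher"},
        "shutdown": {"org_admin"},
    }
    return {
        # site-a lets a lead researcher from another org submit jobs
        "site-a": SitePolicy("hospital-a", dict(common_own),
                             {"submit_job": {"project_admin", "lead_researcher"},
                              "list_jobs": {"project_admin"}}),
        # site-b only accepts outside jobs from the project admin
        "site-b": SitePolicy("hospital-b", dict(common_own),
                             {"submit_job": {"project_admin"}}),
    }


if __name__ == "__main__":
    sites = build_demo_sites()
    alice = User("alice", "hospital-a", "lead_researcher")
    print(federated_authorize(alice, "submit_job", sites))  # {'site-a': True, 'site-b': False}
```

The design point is that the default is deny: a command with no rule, or a role the site does not recognize, is refused without the server needing to know anything about the site's policy, and the site's organization can tighten or loosen its rules without touching any other participant.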


# NVIDIA FLARE Security Architecture

NVFLARE is an application that runs in the IT environment of each participating site. The overall security of this application is a combination of security measures implemented within the application and those provided by the site's IT infrastructure.


NVFLARE implements security measures in the following areas:

* **Identity Security**: the authentication and authorization of communicating parties

* **Site Policy Management**: the policies for resource management, authorization, and privacy protection defined by each site

* **Communication Security**: the confidentiality of data communication messages

* **Message Serialization**: techniques for ensuring a safe serialization/deserialization process between communicating parties

* **Data Privacy Protection**: techniques for preventing local data from being leaked and/or reverse-engineered


All other security concerns must be handled by the site's IT security infrastructure. The security framework does not operate in a vacuum; we assume that physical security is already in place for all participating server and client machines. TLS provides the authentication mechanism within the trusted environments.


--- 

## Terminologies and Roles

### Terminologies

NVIDIA FLARE uses the following terminology:

* Project: A federated learning study with identified participants
* Org: An organization that participates in the study
* Site: The computing system that runs the NVIDIA FLARE application as part of the study. There are two kinds of sites: Server and Clients. Each site belongs to an organization.
* FL Server: An application running on a Server site, responsible for client coordination based on federation workflows
* FL Client: An application running on a Client site that responds to the Server's task assignments and performs learning actions based on its local data
* User: A human who participates in the FL project
* FLARE Console: A console application running on a user's machine that lets the user perform NVFLARE system operations through a command line interface

### Roles

A role defines a type of user with certain privileges for system operations. Each user is assigned a role in the project. There are four defined roles: Project Admin, Org Admin, Lead Researcher, and Member Researcher.

* Project Admin Role: The Project Admin is responsible for provisioning the participants and coordinating personnel from all sites for the project. There is only one Project Admin per project.

* Org Admin Role: Responsible for the management of the sites of his/her organization.

* Lead Researcher Role: Can be configured with a higher level of privileges, for a scientist within an organization who collaborates with other researchers to ensure the project's success.

* Member Researcher Role: Can be configured with a lower level of privileges, for a scientist who works with the Lead Researcher to ensure their site is properly prepared for the project.


## Security Architecture

NVIDIA FLARE uses PKI for identity authentication and TLS for data transmission, in addition to the following security mechanisms:

* Filter mechanism and local organization privacy policy
* Federated Authorization - allows local control of authorization rules
* Site-specific authentication - each site can have custom local authenticators
* Privacy Algorithms:
    * Differential privacy
    * Homomorphic Encryption
    * Multi-party computation (e.g., Private Set Intersection)
* Confidential Computing
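The first list item above, the filter mechanism combined with a local organization privacy policy, is what lets a site enforce its own privacy rules before anything leaves its boundary. The following added example (not NVIDIA FLARE's own Filter API; the names, the policy fields and the sample update are hypothetical and constructed for illustration) shows a minimal outbound filter chain driven by a site-defined policy: tensors the organization never shares are dropped, the rest are clipped to a bounded L2 norm, and Gaussian noise (the differential-privacy mechanism listed above) is optionally added. Clipping alone already limits how much any single site can move the aggregate; the noise is what makes the release differentially private.

```python
"""Organization-level outbound privacy filter for model updates.

Added illustrative example, not NVIDIA FLARE's own Filter API (the names here
are hypothetical). A site applies its own policy to every update before it
leaves the site: drop tensors the organization never shares, clip the L2 norm
of the rest, and optionally add Gaussian noise. The server never sees the raw
update.
"""
import math
import random
from dataclasses import dataclass


def l2_norm(vec):
    return math.sqrt(sum(x * x for x in vec))


def clip_to_norm(vec, max_norm):
    """Scale the vector down so its L2 norm is at most max_norm (no-op if already within)."""
    norm = l2_norm(vec)
    if norm <= max_norm:
        return list(vec)
    scale = max_norm / norm
    return [x * scale for x in vec]


def add_gaussian_noise(vec, sigma, rng):
    """Add independent N(0, sigma^2) noise to every coordinate."""
    return [x + rng.gauss(0.0, sigma) for x in vec]


def make_rng(seed):
    """Seeded generator so the example is reproducible."""
    return random.Random(seed)


@dataclass(frozen=True)
class SitePrivacyPolicy:
    """Policy defined by the site's organization and enforced locally."""
    clip_norm: float          # per-tensor L2 bound; limits each participant's influence
    noise_sigma: float        # 0.0 means clipping only, no noise
    blocked_keys: frozenset   # tensor names that must never leave the site


def apply_outbound_filters(update, policy, rng):
    """Run the site's filter chain over a {tensor_name: list_of_floats} update."""
    filtered = {}
    for key, vec in update.items():
        if key in policy.blocked_keys:
            continue                                   # dropped, never transmitted
        vec = clip_to_norm(vec, policy.clip_norm)
        if policy.noise_sigma > 0.0:
            vec = add_gaussian_noise(vec, policy.noise_sigma, rng)
        filtered[key] = vec
    return filtered


# Constructed sample update: one weight diff plus local batch-norm statistics,
# which this organization treats as data-derived and refuses to share.
SAMPLE_UPDATE = {"conv1.weight": [3.0, 4.0], "bn1.running_mean": [0.25, -0.5]}

CLIP_ONLY = SitePrivacyPolicy(clip_norm=1.0, noise_sigma=0.0,
                              blocked_keys=frozenset({"bn1.running_mean"}))
CLIP_AND_NOISE = SitePrivacyPolicy(clip_norm=1.0, noise_sigma=0.1,
                                   blocked_keys=frozenset({"bn1.running_mean"}))


if __name__ == "__main__":
    print(apply_outbound_filters(SAMPLE_UPDATE, CLIP_ONLY, make_rng(0)))
    print(apply_outbound_filters(SAMPLE_UPDATE, CLIP_AND_NOISE, make_rng(0)))
```

Because the policy object belongs to the site, the organization can change what is blocked, how tightly updates are clipped, or how much noise is added without the server or any other participant being involved; the server only ever receives the filtered result.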

<img src="./federated_policy.png" alt="Federated Policy" width="60%"/>

<img src="./filters_and_privacy_policy.png" alt="Filters and Privacy Policy" width="60%"/>



In this chapter, we will cover all of these security mechanisms:

[6.1 Identity Security](../06.1_identity_security/identity_security.ipynb)

[6.2 Site Security and Privacy Policy](../06.2_site_security_privacy_policy/site_policy.ipynb)

[6.3 Customized Site Security](../06.3_customized_site_security/customized_site_security.ipynb)

[6.4 Communication Security](../06.4_communication_security/communication_security.ipynb)

[6.5 Message Serialization](../06.5_message_serialization/message_serialization.ipynb)

[6.6 Trust-based Security](../06.6_trust_based_security/trust_based_security.ipynb)
