# Attacks on Federated Learning Models
Summarised from “Federated Learning Attacks and Defenses: A Survey”, Chen et al., 2022

## Poisoning Attacks

### Data Poisoning
 - The attacker tampers with or adds data to the training set maliciously, which eventually degrades or hijacks the model.
 - Carried out by a participant that owns private training data (in FL only the data owner ever touches the raw data).

### Model Poisoning
 - The attacker changes the parameters of the target model directly (i.e. the local model or update it uploads), causing errors in the global model or leaving a backdoor.
 - More efficient than data poisoning, because the attacker controls the uploaded model directly rather than only influencing it through training data.
 - Perturbing the weights of convolutional neural networks in a targeted manner can be used to insert backdoors.
 - Using available bit-flipping techniques, the target model can be converted into a Trojaned model.

## Inference Attacks
 - Although the data transmitted from the client to the server is not the original data, there is still a risk of leakage.
 - Inference attacks show that attackers can use the eavesdropped information (updates, gradients, outputs) to infer useful information to a certain extent, which destroys the confidentiality of the model.
 - How to (membership inference): train a shadow model with similar functionality on a specified sample, then judge from the target model's behaviour whether the sample was used in its training.
 - Studies have shown that, in FL for speech recognition, this attack can infer accent information about the training set.
 

## Reconstruction Attacks
 - Unlike inference attacks that cannot reveal raw data, reconstruction attacks can obtain the original information of the training dataset by collecting some information such as predicted confidence values, model parameters, and gradients.
 - Confidentiality attack
 - First approach: showed that when the adversary has white-box access, it can fit a linear model to estimate attribute information of the original data.
 - **Generative Adversarial Networks (GAN)**: points out that attackers can obtain samples of other participants, and this process only requires black-box access.
 - **Deep Leakage from Gradients (DLG)**: shows that the attacker can recover the original data by analyzing the gradient information.
 - **Improved Deep Leakage from Gradients (iDLG)**: improves the accuracy of data recovery.
 - **Inverting gradients**, built on DLG, broadened the attack scenario to realistic industrial settings rather than being limited to the strong assumptions of low-resolution recovery and a shallow network.
 - **Generative Regression Neural Network (GRNN)**, based on GAN, was proposed to restore the original training data without the need for additional information. It indicated that GRNN has stronger robustness and higher accuracy than previous methods.
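Added illustration of why a shared gradient leaks the input (not code from the survey, and not the DLG optimisation itself): for a single linear layer with a bias, the gradient of the loss is `(p - y) * x` for the weights and `(p - y)` for the bias, so dividing one by the other returns the raw input with no search at all. The global model weights and the two "private" feature vectors are constructed; the batch case shows why DLG and its successors have to optimise a dummy input instead of dividing.

```python
"""Gradient leakage from a logistic-regression layer: exact recovery for a
batch of one, a mixture of inputs for larger batches.  W, B and the feature
vectors are constructed for this example."""
import math
from typing import List, Sequence, Tuple

# Constructed global model the server distributes in this round.
W = [0.3, -0.7, 0.2]
B = 0.05

X_PRIVATE = [0.9, 0.1, 0.4]   # constructed private feature vector, label 1
X_OTHER = [0.2, 0.8, 0.6]     # second constructed sample, label 1


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def sample_gradient(w: Sequence[float], b: float, x: Sequence[float], y: float) -> Tuple[List[float], float]:
    """Gradient of binary cross-entropy for one sample (x, y):
       dL/dw = (p - y) * x,   dL/db = (p - y)
    This is exactly what an honest client uploads for a batch of one."""
    p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
    err = p - y
    return [err * xi for xi in x], err


def batch_gradient(w: Sequence[float], b: float, batch) -> Tuple[List[float], float]:
    """Mean gradient over a batch of (x, y) pairs, as uploaded for larger batches."""
    grads = [sample_gradient(w, b, x, y) for x, y in batch]
    n = len(grads)
    gw = [sum(g[0][i] for g in grads) / n for i in range(len(w))]
    gb = sum(g[1] for g in grads) / n
    return gw, gb


def recover_input(grad_w: Sequence[float], grad_b: float) -> List[float]:
    """Attacker side.  For a batch of one, dL/dw divided by dL/db is the raw
    input x.  For a batch the same division only yields a convex mixture of
    the batch's inputs (weights err_i / sum(err_j)), which is why DLG falls
    back to optimising a dummy input until its gradient matches the observed one."""
    if abs(grad_b) < 1e-12:
        raise ValueError("residual is zero; this gradient carries no input information")
    return [g / grad_b for g in grad_w]


def max_abs_diff(a: Sequence[float], b: Sequence[float]) -> float:
    return max(abs(x - y) for x, y in zip(a, b))


def single_sample_leak() -> List[float]:
    """What the server recovers from a batch-of-one gradient: X_PRIVATE itself."""
    gw, gb = sample_gradient(W, B, X_PRIVATE, 1.0)
    return recover_input(gw, gb)


def batch_leak() -> List[float]:
    """What the same division yields for a batch of two: neither input."""
    gw, gb = batch_gradient(W, B, [(X_PRIVATE, 1.0), (X_OTHER, 1.0)])
    return recover_input(gw, gb)
```

The bias gradient is the convenience here; without a bias the attacker still gets the direction of `x` from `dL/dw`, which is often enough for images or one-hot features.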

## Model Extraction Attack
 - Once FL has finished training, the global model serves outsiders in the form of an API. A user can then repeatedly query the API for information about the target model and finally extract a functional copy of it.
 - Tramèr et al. first demonstrated that this attack is effective when the attacker has data from the same distribution as the model's training data together with model-related information.
 - Another attack can recover hyperparameters located at the bottom layer of the model.
 - Orekondy et al. proposed Knockoff Nets, through which attackers steal the model based on the confidence values output by the API; the stealing effect is positively correlated with the complexity of the target model.

## Evasion Attacks (seem interesting)

 - Evasion attack: the attacker deceives the target machine learning system by constructing specific input samples, without changing the target system itself.
 - Usually occurs during the prediction phase, after the model has finished training.
 - The effect can be summarized as the model extrapolating the correct answer “A” to the wrong answer “B”.
 - Evasion attack is an integrity attack, since it spoofs the model.
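Added example of the evasion idea on a linear classifier (not code from the survey): the deployed model is untouched, only the input is crafted. The weights, bias and input are constructed; the perturbation rule is the single-step sign-of-gradient (FGSM-style) attack, which for a linear model is the strongest perturbation under an L-infinity budget, so the budget needed to flip a prediction can be computed in closed form.

```python
"""Evasion against a linear classifier with an L-infinity budget eps.
W, B and X are constructed; features are assumed to live in [0, 1]."""
from typing import List, Sequence

W = [2.0, -1.0, 0.5, 3.0]   # constructed deployed model (the attacker cannot change it)
B = -0.5
X = [0.6, 0.2, 0.9, 0.3]    # constructed benign input, classified as 1


def score(w: Sequence[float], b: float, x: Sequence[float]) -> float:
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def predict(w: Sequence[float], b: float, x: Sequence[float]) -> int:
    return 1 if score(w, b, x) > 0 else 0


def sign(v: float) -> int:
    return (v > 0) - (v < 0)


def evade(w: Sequence[float], b: float, x: Sequence[float], eps: float) -> List[float]:
    """Move every feature by eps against the sign of its weight, pushing the
    score toward the decision boundary.  Before clipping to [0, 1] the score
    moves by exactly eps * ||w||_1, the most any L-inf perturbation of size
    eps can achieve for a linear model."""
    direction = sign(score(w, b, x))
    return [min(1.0, max(0.0, xi - eps * direction * sign(wi))) for xi, wi in zip(x, w)]


def min_flip_eps(w: Sequence[float], b: float, x: Sequence[float]) -> float:
    """Smallest budget that flips the prediction (ignoring range clipping):
    |score| / ||w||_1."""
    return abs(score(w, b, x)) / sum(abs(wi) for wi in w)


def linf_distance(a: Sequence[float], b: Sequence[float]) -> float:
    return max(abs(x - y) for x, y in zip(a, b))
```

For this input the score is 1.85 and the L1 norm of the weights is 6.5, so any budget above about 0.285 flips the class; 0.25 leaves the prediction unchanged, 0.3 flips it while every feature stays in range. Non-linear models lose the closed form but the same sign-of-gradient step is the usual starting point.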
  

## Byzantine Attacks
 - Byzantine attack: an attacker hides among the participants of FL and arbitrarily uploads malicious updates, aiming to destroy the global model.
 - To deal with this attack, it is common to combine stochastic gradient descent (SGD) with different robust aggregation rules.
 - In the same vein, it has been shown that poisoning the local model can leave the global model with a large test error rate.
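Added illustration covering both the model-poisoning bullets above and this Byzantine section (not code from the survey): one malicious client replaces the FedAvg result with weights of its choosing by scaling its update, and a robust aggregation rule, the coordinate-wise median, blunts the same update. Models are plain lists of floats; the global model, the honest clients' local models and the attacker's target weights are all constructed.

```python
"""Model replacement against plain FedAvg versus coordinate-wise median.
GLOBAL, HONEST_LOCALS and TARGET are constructed for this example."""
from statistics import median
from typing import Callable, List

Vector = List[float]

GLOBAL = [0.5, -0.2, 0.1]
HONEST_LOCALS = [  # honest clients after local training stay close to GLOBAL
    [0.52, -0.21, 0.12],
    [0.49, -0.19, 0.09],
    [0.51, -0.20, 0.10],
    [0.50, -0.22, 0.11],
]
TARGET = [3.0, 3.0, -3.0]  # weights the attacker wants the global model to adopt


def fedavg(updates: List[Vector]) -> Vector:
    """Plain FedAvg with equal client weights: coordinate-wise mean."""
    n = len(updates)
    return [sum(u[i] for u in updates) / n for i in range(len(updates[0]))]


def coordinate_median(updates: List[Vector]) -> Vector:
    """Byzantine-robust rule: coordinate-wise median.  One extreme value per
    coordinate cannot move the median far while honest clients are the majority."""
    return [median(u[i] for u in updates) for i in range(len(updates[0]))]


def model_replacement(global_model: Vector, target: Vector, n_clients: int) -> Vector:
    """Malicious update.  FedAvg computes (boosted + sum(honest)) / n and the
    honest updates stay near global_model, so sending
        boosted = n * target - (n - 1) * global_model
    makes the aggregate land almost exactly on target."""
    return [n_clients * t - (n_clients - 1) * g for t, g in zip(target, global_model)]


def run_round(aggregate: Callable[[List[Vector]], Vector]) -> Vector:
    """One FL round with the honest clients plus a single attacker."""
    n = len(HONEST_LOCALS) + 1
    updates = [list(m) for m in HONEST_LOCALS]
    updates.append(model_replacement(GLOBAL, TARGET, n))
    return aggregate(updates)


def linf_distance(a: Vector, b: Vector) -> float:
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    print("FedAvg aggregate :", run_round(fedavg))
    print("median aggregate :", run_round(coordinate_median))
```

With FedAvg the aggregate ends within 0.005 of the attacker's target after a single round; with the median it stays within 0.01 of the previous global model. The median only holds while honest clients are a majority per coordinate, and an attacker that keeps its update within the honest spread (a stealthier poisoning) survives it, which is why the survey pairs robust rules with client screening.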

# Defences
 - Defences are considered at two levels: the privacy level and the security level.
 - Privacy refers to private information that a person does not want others to know or intrude on, focusing on sensitive personal information. An attack on FL is considered at the privacy level when the attacker tries to infer private information about a participant. Privacy protection methods defend against privacy attacks and ensure that sensitive data is not leaked to others.
 - Security focuses on confidential data and information assets, not just personal information.
 - A security attack is a malicious action performed by attackers with specialized knowledge to compromise the confidentiality, integrity, or availability of data and models.

## Privacy Level


### Data anonymization
 - We can use anonymization techniques to hide or remove sensitive personal attributes, such as personally identifiable information (PII).
 - K-anonymity, L-diversity, and T-closeness are three common anonymization techniques.
 - This type of approach improves privacy by hiding or removing sensitive information, but may reduce the usability of the dataset. In addition, much anonymized data can easily be “de-anonymized” by linking it with auxiliary data.
 - Data anonymization is therefore often used in conjunction with other privacy-protection methods.
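Added example (not code from the survey) of what k-anonymity and l-diversity actually measure, run over a small constructed patient table: the raw table makes every person unique on age and zip, generalising those quasi-identifiers gives k=3, and l-diversity then checks that no equivalence class is homogeneous in the sensitive column, the gap that k-anonymity alone leaves open. Column names and values are made up.

```python
"""k-anonymity and l-diversity checks plus the generalisation step that
achieves them.  RAW, QUASI_IDS and SENSITIVE are constructed."""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed raw table: age and zip are quasi-identifiers, diagnosis is sensitive.
RAW: List[Record] = [
    {"age": "23", "zip": "10001", "diagnosis": "flu"},
    {"age": "27", "zip": "10002", "diagnosis": "cancer"},
    {"age": "29", "zip": "10007", "diagnosis": "flu"},
    {"age": "41", "zip": "20110", "diagnosis": "cancer"},
    {"age": "45", "zip": "20115", "diagnosis": "hiv"},
    {"age": "48", "zip": "20119", "diagnosis": "flu"},
]
QUASI_IDS = ("age", "zip")
SENSITIVE = "diagnosis"


def equivalence_classes(records: Sequence[Record], quasi_ids: Sequence[str]) -> Dict[Tuple[str, ...], List[Record]]:
    """Group records that are indistinguishable on the quasi-identifiers."""
    groups: Dict[Tuple[str, ...], List[Record]] = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in quasi_ids)].append(r)
    return groups


def k_anonymity(records: Sequence[Record], quasi_ids: Sequence[str]) -> int:
    """k = size of the smallest equivalence class; k=1 means someone is unique
    and can be re-identified by linking on the quasi-identifiers."""
    return min(len(g) for g in equivalence_classes(records, quasi_ids).values())


def l_diversity(records: Sequence[Record], quasi_ids: Sequence[str], sensitive: str) -> int:
    """l = fewest distinct sensitive values in any class.  l=1 means a class is
    homogeneous: knowing someone is in it reveals their diagnosis even though
    the table is k-anonymous (homogeneity attack)."""
    return min(len({r[sensitive] for r in g})
               for g in equivalence_classes(records, quasi_ids).values())


def generalize(records: Sequence[Record], zip_prefix: int = 3) -> List[Record]:
    """Coarsen quasi-identifiers: age to a decade band, zip to a prefix."""
    out = []
    for r in records:
        decade = int(r["age"]) // 10 * 10
        g = dict(r)
        g["age"] = f"{decade}-{decade + 9}"
        g["zip"] = r["zip"][:zip_prefix] + "*" * (len(r["zip"]) - zip_prefix)
        out.append(g)
    return out


def satisfies(records: Sequence[Record], quasi_ids: Sequence[str], sensitive: str, k: int, l: int) -> bool:
    """Release gate: both thresholds must hold."""
    return k_anonymity(records, quasi_ids) >= k and l_diversity(records, quasi_ids, sensitive) >= l
```

The generalised table is 3-anonymous but only 2-diverse, because the 20-29 class contains just two diagnoses; whether that is acceptable depends on how much an attacker already knows, which is what t-closeness tries to bound further.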

### Differential Privacy (DP)
 - already known :)
 - DP defends against attacks during both the training phase and the prediction phase of FL.
 - The attacks DP defends against are poisoning attacks, inference attacks, evasion attacks, reconstruction attacks, and model inversion.
 - The utility of the model can be seriously affected if too much noise is added.
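Added example (not code from the survey) of the clip-and-noise step that makes a client's update differentially private before it reaches the aggregator, and of the utility cost the last bullet refers to: each update is clipped to a fixed L2 norm so that no single client has unbounded influence, then Gaussian noise calibrated to that bound is added. Client updates, clipping bound and noise multipliers are constructed; converting the noise multiplier into an epsilon (privacy accounting) is out of scope here.

```python
"""Gaussian mechanism on client updates: clip to norm c, add N(0, (sigma*c)^2)
per coordinate, average on the server.  UPDATES and CLIP_NORM are constructed."""
import math
import random
from typing import List

Vector = List[float]

UPDATES: List[Vector] = [  # constructed client updates, one unusually large
    [0.4, -0.2, 0.1],
    [0.3, -0.1, 0.2],
    [5.0, 4.0, -6.0],   # outlier: without clipping this client dominates the mean
    [0.5, -0.3, 0.0],
]
CLIP_NORM = 1.0


def l2_norm(v: Vector) -> float:
    return math.sqrt(sum(x * x for x in v))


def clip(v: Vector, c: float) -> Vector:
    """Scale v down so its L2 norm is at most c.  This bounds each client's
    sensitivity, which the noise scale below is calibrated against."""
    n = l2_norm(v)
    return [x * min(1.0, c / n) for x in v] if n > 0 else list(v)


def privatize(v: Vector, c: float, sigma: float, rng: random.Random) -> Vector:
    """Gaussian mechanism: clip, then add N(0, (sigma*c)^2) to every coordinate."""
    return [x + rng.gauss(0.0, sigma * c) for x in clip(v, c)]


def mean(vs: List[Vector]) -> Vector:
    return [sum(v[i] for v in vs) / len(vs) for i in range(len(vs[0]))]


def dp_aggregate(updates: List[Vector], c: float, sigma: float, seed: int = 0) -> Vector:
    """Server-side average of privatised updates (seed fixed for reproducibility)."""
    rng = random.Random(seed)
    return mean([privatize(u, c, sigma, rng) for u in updates])


def utility_loss(updates: List[Vector], c: float, sigma: float, seed: int = 0) -> float:
    """L2 distance between the private aggregate and the clipped, noise-free mean:
    the price paid for a given noise multiplier."""
    clean = mean([clip(u, c) for u in updates])
    noisy = dp_aggregate(updates, c, sigma, seed)
    return l2_norm([a - b for a, b in zip(noisy, clean)])
```

Because the same seed is reused, the noise vector is identical across calls and the utility loss scales linearly with `sigma`; the noise on the averaged model also shrinks by the square root of the number of clients, which is why DP is far cheaper in utility for large populations than for a handful of participants.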

### Secure multi-party computation (SMC)
 - Generic cryptographic primitive for privacy-preserving collaborative computation between a set of mutually distrusting participants.
 - Does not leak a participant's input or output to the other members taking part in the computation.
 - Able to defend against inference attacks, reconstruction attacks, model inversion, and leaks from a malicious central server.
 - Large computational overhead and high performance loss.
 - This may reduce the participants' interest in cooperating, so SMC is not suitable for large-scale FL scenarios.

### Homomorphic encryption (HE)
 - Computation is carried out on ciphertexts, so the original data is never exposed: HE first encrypts the data, processes it in encrypted form, and finally decrypts the result.
 - Defends against attacks during the training phase and the prediction phase of FL.
 - HE incurs a large computational overhead, so this approach is not suitable for FL scenarios with numerous participants or devices with limited computational resources.

### Trusted execution environment (TEE)
 - Tamper-proof and trusted environment for executing authenticated and verified code.
 - TEE establishes digital trust by protecting the devices in FL, which effectively prevents attackers from reaching private information.
 - Can defend against membership inference attacks (MIA), property inference attacks (PIA), model inversion, and a malicious server.
 - TEE has limited execution space, which prevents complex logic from being executed inside it.

### Blockchain
 - A distributed ledger technology that uses a chain of blocks to verify and store data, generates and updates data through a consensus mechanism, and involves smart contracts and an incentive mechanism.
 - Blockchain technology is decentralized, tamper-proof, unforgeable, auditable, and accountable.
 - A preferred solution to the problem of implementing data security and data validation in a decentralized FL scenario.
 - Drawback: it can't be used in FL settings with many participants or with devices that have limited computing power.

## Security Level
 - To ensure the security of the FL framework, we want to find as many vulnerabilities as possible.

Three main sources of vulnerabilities: 
 - insecure communication channels
 - malicious clients
 - central parameter servers that are not robust or secure enough.

Defences:
 - **Active**: Detect and mitigate the risk to the FL framework in advance, before it has an impact on the framework.
 - **Passive**: Remediate and mitigate the impact when an attack has already occurred.

The security defense approach is closely related to the CIA triad (confidentiality, integrity, availability).

### Confidentiality
 - Attacks on confidentiality: inference attack, reconstruction attack, and model extraction attack.
 - Many defensive approaches have been proposed to ensure the confidentiality of data.
 - Ex: VerifyNet, a verifiable FL framework, guarantees the confidentiality of the gradients uploaded by participants using its proposed double-masking protocol.
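Added example (not code from the survey or from VerifyNet) of the masking idea behind secure aggregation, which is what both the SMC section above and the VerifyNet bullet rely on: every client adds pairwise masks to its update so the server sees only random-looking vectors, yet the masks cancel in the sum, so the server learns the aggregate and nothing else. The pairwise seeds here are derived from a constructed shared string; in a real protocol they come from a key agreement between each pair of clients, and VerifyNet's double masking adds a second, secret-shared mask so that clients dropping out mid-round do not break the cancellation. Updates are constructed.

```python
"""Pairwise-mask secure aggregation over a prime field with fixed-point
encoding.  pairwise_seed is a constructed stand-in for key agreement and
the hash-based PRG is for illustration; UPDATES are constructed."""
import hashlib
from typing import List

MOD = (1 << 61) - 1   # prime modulus so masked values are uniform field elements
SCALE = 1000          # fixed-point encoding of floats as integers


def encode(v: List[float]) -> List[int]:
    return [int(round(x * SCALE)) % MOD for x in v]


def decode(v: List[int]) -> List[float]:
    return [(c - MOD if c > MOD // 2 else c) / SCALE for c in v]


def pairwise_seed(i: int, j: int) -> bytes:
    """Symmetric seed shared by clients i and j.  Constructed stand-in for a
    Diffie-Hellman style agreement; the server must never learn it."""
    a, b = sorted((i, j))
    return hashlib.sha256(f"constructed-shared-secret-{a}-{b}".encode()).digest()


def prg(seed: bytes, dim: int) -> List[int]:
    """Expand a seed into dim field elements (hash-based PRG for illustration)."""
    return [int.from_bytes(hashlib.sha256(seed + k.to_bytes(4, "big")).digest(), "big") % MOD
            for k in range(dim)]


def mask_update(i: int, update: List[float], n_clients: int) -> List[int]:
    """Client i adds +PRG(s_ij) for every j > i and -PRG(s_ij) for every j < i,
    so across all clients each pairwise mask appears exactly once with each sign."""
    y = encode(update)
    for j in range(n_clients):
        if j == i:
            continue
        sign = 1 if i < j else -1
        for k, m in enumerate(prg(pairwise_seed(i, j), len(y))):
            y[k] = (y[k] + sign * m) % MOD
    return y


def server_aggregate(masked: List[List[int]]) -> List[float]:
    """The server only ever sees masked vectors; their sum is the true sum."""
    dim = len(masked[0])
    total = [sum(m[k] for m in masked) % MOD for k in range(dim)]
    return decode(total)


UPDATES = [[0.5, -1.25, 2.0], [0.25, 0.75, -0.5], [-1.0, 0.5, 0.125]]


def demo():
    """Run one aggregation round; returns the server's view and the recovered sum."""
    n = len(UPDATES)
    masked = [mask_update(i, u, n) for i, u in enumerate(UPDATES)]
    return masked, server_aggregate(masked)
```

Two limits worth keeping in mind when reading the survey's cost remarks: if any client drops out its masks never cancel, which is exactly the case the second mask in double-masking protocols repairs at the price of secret-sharing rounds, and a server colluding with all but one client can strip that one client's masks, so the guarantee is only as strong as the honest fraction.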

### Integrity
 - Poisoning attacks and evasion attacks are the attacks that compromise integrity.
 - Purpose: ensure that once data is collected, it cannot be tampered with.
 - Methods to ensure data integrity: TEE and blockchain.
 - Several methods ensure integrity by screening out malicious clients.

### Availability
 - Attacks on availability in the FL framework are related to Byzantine attacks.
 - Aggregation rules with resilience properties can be used to defend against Byzantine attacks.
 - Incentives in the FL framework are a good way to improve data availability by rewarding or penalizing participants based on the value of their contributions. (interesting)
 - This reduces the possibility of participants sending useless or harmful data, and also improves the usability of the trained model.