A survey on privacy-preserving federated learning against poisoning attacks

Federated learning (FL) is designed to protect privacy of participants by not allowing direct access to the participants’ local datasets and training processes. This limitation hinders the server’s ability to verify the authenticity of the model updates sent by participants, making FL vulnerable to poisoning attacks. In addition, gradients in FL process can reveal private information about the local dataset of the participants. However, there is a contradiction between improving robustness against poisoning attacks and preserving privacy of participants. Privacy-preserving techniques aim to make their data indistinguishable from each other, which hinders the detection of abnormal data based on similarity. It is challenging to enhance both aspects simultaneously. The growing concern for data security and privacy protection has inspired us to undertake this research and compile this survey. In this survey, we investigate existing privacy-preserving defense strategies against poisoning attacks in FL. First, we introduce two important classifications of poisoning attacks: data poisoning attack and model poisoning attack. Second, we study plaintext-based defense strategies and classify them into two categories: poisoning tolerance and poisoning detection. Third, we investigate how the combination of privacy techniques and traditional detection strategies can be achieved to defend against poisoning attacks while protecting the privacy of the participants. Finally, we also discuss the challenges faced in the area of security and privacy.