DBFL: Dynamic Byzantine-Robust Privacy Preserving Federated Learning in Heterogeneous Data Scenario

Privacy Preserving Federated Learning (PPFL) protects the clients' local data privacy by uploading encrypted gradients to the server. However, in real-world scenarios, the heterogeneous distribution of client data makes it challenging to identify poisoning gradients. During local iterations, the models continuously move in different directions, which causes the boundary between benign and malicious gradients to persistently shift. To address these challenges, we design a Dynamic Byzantine-robust Federated Learning (DBFL) defense strategy based on Two-trapdoor Homomorphic Encryption (THE), which enables the detection of encrypted poisoning attacks in heterogeneous data scenarios. Specifically, we introduce a secure Manhattan distance method that accurately measures the differences between elements in two encrypted gradients, allowing for precise detection of poisoning attacks in heterogeneous data scenarios while maintaining privacy. Furthermore, we design a Byzantine-tolerant aggregation mechanism based on dynamic threshold, where the threshold is capable of adapting to the continuously changing boundary between poisoning gradients and benign gradients in heterogeneous data scenarios. This ensures DBFL to effectively exclude poisoning gradients even when 70% of the clients are malicious and controlled by Byzantine attackers. Security analysis demonstrates that DBFL achieves IND-CPA security. Extensive evaluations on two benchmark datasets (i.e., MNIST and CIFAR-10) show that DBFL outperforms existing defense strategies. In particular, DBFL achieves a 7%-40% accuracy improvement in the non-IID setting compared to existing solutions for defending against untargeted and targeted attacks.