Byzantine-robust Federated Learning (FL) aims to counter malicious clients and train an accurate global model while keeping the attack success rate extremely low. Most existing systems, however, are only robust when the majority of clients are honest. FLTrust (NDSS '21) and Zeno++ (ICML '20) do not make such an honest-majority assumption, but they apply only to settings where the server holds an auxiliary dataset used to filter malicious updates. FLAME (USENIX '22) and EIFFeL (CCS '22) retain the semi-honest-majority assumption to guarantee both robustness and the confidentiality of updates. It is therefore currently impossible to ensure Byzantine robustness and update confidentiality without assuming a semi-honest majority. To tackle this problem, we propose a novel Byzantine-robust and privacy-preserving FL system, called MUDGUARD, that can operate under a malicious minority or majority on both the server and client sides. Based on DBSCAN, we design a new method for extracting features from model updates via pairwise adjusted cosine similarity, which boosts the accuracy of the resulting clustering. To thwart attacks from a malicious majority, we develop a method called Model Segmentation, which aggregates only the updates from within a cluster and sends the resulting model only to the clients of that cluster. The fundamental idea is that even if malicious clients are in the majority, their poisoned updates cannot harm benign clients when they are confined to the malicious cluster. We also leverage multiple cryptographic tools to perform the clustering without sacrificing training correctness or update confidentiality. We present a detailed security proof and empirical evaluation, along with a convergence analysis, for MUDGUARD.
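As an added illustration (not code from the MUDGUARD paper or its authors), the clustering-plus-segmentation idea described above in pure Python: pairwise adjusted cosine similarity between client updates (assumed here to mean cosine similarity after subtracting the coordinate-wise mean over all clients), a minimal DBSCAN over the distance 1 - similarity, and per-cluster aggregation so that each client only receives its own cluster's model even when the malicious cluster is the majority. The client updates are constructed sample values; the cryptographic protection of updates is outside this snippet.

```python
import math

# Constructed sample: two benign clients (positive updates) and a malicious majority of three.
SAMPLE_UPDATES = [
    [1.0, 1.0, 1.0, 1.0], [1.0, 0.9, 1.1, 1.0],                                    # benign
    [-1.0, -1.0, -1.0, -1.0], [-1.0, -1.1, -0.9, -1.0], [-0.9, -1.0, -1.0, -1.1],  # malicious
]
def adjusted_cosine_matrix(updates):
    # Assumed reading of "adjusted": subtract the coordinate-wise mean over all
    # clients before taking pairwise cosine similarity (not the paper's exact form).
    n, d = len(updates), len(updates[0])
    mean = [sum(u[j] for u in updates) / n for j in range(d)]
    centered = [[u[j] - mean[j] for j in range(d)] for u in updates]
    def cos(a, b):
        na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
        return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0
    return [[cos(centered[i], centered[k]) for k in range(n)] for i in range(n)]
def dbscan(sim, eps, min_pts):
    # Minimal DBSCAN over distance 1 - similarity; label -1 marks noise points.
    n, labels, cluster = len(sim), [None] * len(sim), 0
    neighbors = lambda i: [k for k in range(n) if 1.0 - sim[i][k] <= eps]
    for i in range(n):
        if labels[i] is not None:
            continue
        nb = neighbors(i)
        if len(nb) < min_pts:          # not a core point: provisionally noise
            labels[i] = -1
            continue
        labels[i], queue = cluster, [k for k in nb if k != i]
        while queue:                   # grow the cluster from every core point found
            k = queue.pop()
            if labels[k] == -1:        # border point: joins the cluster, is not expanded
                labels[k] = cluster
            if labels[k] is not None:
                continue
            labels[k], nb_k = cluster, neighbors(k)
            if len(nb_k) >= min_pts:
                queue.extend(nb_k)
        cluster += 1
    return labels
def model_segmentation(updates, eps=0.5, min_pts=2):
    # Aggregate only within a cluster and hand each client its own cluster's model, so a
    # malicious-majority cluster never reaches benign clients; noise clients keep their own update.
    labels = dbscan(adjusted_cosine_matrix(updates), eps, min_pts)
    d, per_client = len(updates[0]), []
    for i, lab in enumerate(labels):
        members = [i] if lab == -1 else [k for k, l in enumerate(labels) if l == lab]
        per_client.append([sum(updates[m][j] for m in members) / len(members) for j in range(d)])
    return labels, per_client
```

Calling `model_segmentation(SAMPLE_UPDATES)` separates the two benign clients from the three sign-flipping clients and returns a positive model for the former and a negative one for the latter, so the malicious majority only poisons itself.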