Federated Learning (FL) allows multiple participating clients to train machine learning models collaboratively by keeping their datasets local and exchanging only gradient or model updates with a coordinating server. Existing FL protocols have been shown to be vulnerable to attacks that aim to compromise data privacy and/or model robustness. Recently proposed defenses focus on ensuring either privacy or robustness, but not both. In this paper, we focus on simultaneously achieving differential privacy (DP) and Byzantine robustness for cross-silo FL, based on the idea of learning from history. Robustness is achieved via client momentum, which averages the updates of each client over time, thus reducing the variance of the honest clients and exposing the small malicious perturbations of Byzantine clients that are undetectable in a single round but accumulate over time. In our initial solution, DP-BREM, the DP property is achieved by adding noise to the aggregated momentum, and we account for the privacy cost from the momentum, which differs from conventional DP-SGD, which accounts for the privacy cost from the gradient. Since DP-BREM assumes a trusted server (which can obtain clients' local models or updates), we further develop the final solution, called DP-BREM+, which achieves the same DP and robustness properties as DP-BREM without a trusted server by utilizing secure aggregation techniques, where the DP noise is securely and jointly generated by the clients. Our theoretical analysis of the convergence rate and experimental results under different DP guarantees and attack settings demonstrate that our proposed protocols achieve a better privacy-utility tradeoff and stronger Byzantine robustness than several baseline methods.
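As an added illustration (not code from the paper; the running-mean form of momentum, scalar updates, the clipping bound and all sample values are assumptions), this Python simulation shows how per-client momentum exposes a small but consistent Byzantine bias that stays hidden inside honest noise in any single round, and how Gaussian noise is then added to the aggregated momentum rather than to raw gradients.

```python
import random
import statistics


def momentum_history(updates):
    """Client momentum as the running mean of one client's update history.
    Assumed form: the abstract only says momentum 'averages the updates over time'."""
    return statistics.fmean(updates)


def z_score(value, honest_values):
    """Distance of `value` from the honest mean, in honest standard deviations."""
    mean = statistics.fmean(honest_values)
    std = statistics.stdev(honest_values)
    return abs(value - mean) / std


def simulate(n_honest=30, n_rounds=200, sigma=1.0, bias=0.5, seed=7):
    """Constructed scenario: honest clients report g = 1 + N(0, sigma) each round;
    one Byzantine client reports the same plus a small constant bias.
    Returns (median single-round z-score, z-score after momentum)."""
    rng = random.Random(seed)
    honest = [[1.0 + rng.gauss(0, sigma) for _ in range(n_rounds)] for _ in range(n_honest)]
    byz = [1.0 + rng.gauss(0, sigma) + bias for _ in range(n_rounds)]
    # Single-round view: the bias is a fraction of the honest spread, so it blends in
    per_round = [z_score(byz[t], [h[t] for h in honest]) for t in range(n_rounds)]
    # Momentum view: honest variance shrinks with the history length, the bias does not
    z_momentum = z_score(momentum_history(byz), [momentum_history(h) for h in honest])
    return statistics.median(per_round), z_momentum


def dp_aggregate(momenta, clip, noise_multiplier, seed=0):
    """Clip each client momentum to [-clip, clip], average, and add Gaussian noise
    scaled to one clipped client's share of the average. Clipping as the sensitivity
    bound is an assumption; the abstract only states that noise is added to the
    aggregated momentum and that privacy cost is accounted on the momentum."""
    rng = random.Random(seed)
    clipped = [max(-clip, min(clip, m)) for m in momenta]
    return statistics.fmean(clipped) + rng.gauss(0, noise_multiplier * clip / len(clipped))


if __name__ == "__main__":
    z_round, z_mom = simulate()
    print(f"median single-round z: {z_round:.2f}, momentum z: {z_mom:.2f}")
```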