Federated Learning (FL) allows multiple participating clients to train machine learning models collaboratively while keeping their datasets local and only exchanging the gradient or model updates with a coordinating server. Existing FL protocols are vulnerable to attacks that aim to compromise data privacy and/or model robustness. Recently proposed defenses focused on ensuring either privacy or robustness, but not both. In this paper, we focus on simultaneously achieving differential privacy (DP) and Byzantine robustness for cross-silo FL, based on the idea of learning from history. The robustness is achieved via client momentum, which averages the updates of each client over time, thus reducing the variance of the honest clients and exposing the small malicious perturbations of Byzantine clients that are undetectable in a single round but accumulate over time. In our initial solution DP-BREM, DP is achieved by adding noise to the aggregated momentum, and we account for the privacy cost from the momentum, which is different from the conventional DP-SGD that accounts for the privacy cost from the gradient. Since DP-BREM assumes a trusted server (who can obtain clients' local models or updates), we further develop the final solution called DP-BREM+, which achieves the same DP and robustness properties as DP-BREM without a trusted server by utilizing secure aggregation techniques, where DP noise is securely and jointly generated by the clients. Both theoretical analysis and experimental results demonstrate that our proposed protocols achieve better privacy-utility tradeoff and stronger Byzantine robustness than several baseline methods, under different DP budgets and attack settings.

翻译：联邦学习（FL）允许多个参与客户端协作训练机器学习模型，同时保持其数据集本地化，仅与协调服务器交换梯度或模型更新。现有FL协议易受旨在破坏数据隐私和/或模型鲁棒性的攻击。最近提出的防御措施侧重于确保隐私或鲁棒性，但未能同时实现两者。本文基于从历史中学习的思想，专注于在跨孤岛FL中同时实现差分隐私（DP）和拜占庭鲁棒性。鲁棒性通过客户端动量实现，该动量对每个客户端随时间变化的更新进行平均，从而降低诚实客户端的方差，并暴露拜占庭客户端在单轮中不可检测但随时间累积的小恶意扰动。在我们的初始解决方案DP-BREM中，DP通过向聚合动量添加噪声实现，我们考虑了来自动量的隐私成本，这与考虑来自梯度的隐私成本的传统DP-SGD不同。由于DP-BREM假设存在可信服务器（该服务器可获取客户端的本地模型或更新），我们进一步开发了最终解决方案DP-BREM+，该方案利用安全聚合技术，在无可信服务器情况下实现与DP-BREM相同的DP和鲁棒性属性，其中DP噪声由客户端安全联合生成。理论分析和实验结果均表明，在不同DP预算和攻击设置下，我们提出的协议相比几种基线方法，实现了更优的隐私-效用权衡和更强的拜占庭鲁棒性。