联邦学习攻击与防御综述

doi:10.11959/j.issn.2096-0271.2022038

摘要/Abstract

摘要：

随着机器学习技术的广泛应用，数据安全问题时有发生，人们对数据隐私保护的需求日渐显现，这无疑降低了不同实体间共享数据的可能性，导致数据难以共享，形成“数据孤岛”。联邦学习可以有效解决“数据孤岛”问题。联邦学习本质上是一种分布式的机器学习，其最大的特点是将用户数据保存在用户本地，模型联合训练过程中不会泄露各参与方的原始数据。尽管如此，联邦学习在实际应用中仍然存在许多安全隐患，需要深入研究。对联邦学习可能受到的攻击及相应的防御措施进行系统性的梳理。首先根据联邦学习的训练环节对其可能受到的攻击和威胁进行分类，列举各个类别的攻击方法，并介绍相应攻击的攻击原理；然后针对这些攻击和威胁总结具体的防御措施，并进行原理分析，以期为初次接触这一领域的研究人员提供详实的参考；最后对该研究领域的未来工作进行展望，指出几个需要重点关注的方向，帮助提高联邦学习的安全性。

关键词: 联邦学习, 攻击, 防御, 隐私保护, 机器学习

Abstract:

With the comprehensive application of machine learning technology, data security problems occur from time to time, and people’s demand for privacy protection is emerging, which undoubtedly reduces the possibility of data sharing between different entities, making it difficult to make full use of data and giving rise to data islands.Federated learning (FL), as an effective method to solve the problem of data islands, is essentially distributed machine learning.Its biggest characteristic is to save user data locally so that the models’ joint training process won’t leak sensitive data of partners.Nevertheless, there are still many security risks in federated learning in reality, which need to be further studied.The possible attack means and corresponding defense measures were investigated in federal learning comprehensively and systematically.Firstly, the possible attacks and threats were classified according to the training stages of federal learning, common attack methods of each category were enumerated, and the attack principle of corresponding attacks was introduced.Then the specific defense measures against these attacks and threats were summarized along with the principle analysis, to provide a detailed reference for the researchers who first contact this field.Finally, the future work in this research area was highlighted, and several areas that need to be focused on were pointed out to help improve the security of federal learning.

Key words: federated learning, attack, defense, privacy protection, machine learning

中图分类号:

TP181

吴建汉, 司世景, 王健宗, 肖京. 联邦学习攻击与防御综述[J]. 大数据, 2022, 8(5): 12-32.

Jianhan WU, Shijing SI, Jianzong WANG, Jing XIAO. Threats and defenses of federated learning: a survey[J]. Big Data Research, 2022, 8(5): 12-32.

图/表 8

图1

图2

表1

图3

图4

表2

表3

表4

参考文献 91

[12]	LIU Y , KANG Y , XING C P ,et al. A secure federated transfer learning framework[J]. IEEE Intelligent Systems, 2020,35(4): 70-82.
[13]	KAIROUZ P , MCMAHAN H B , AVENT B ,et al. Advances and open problems in federated learning[J]. arXiv preprint,2019,arXiv:1912.04977.
[14]	ZHAO S H , MA X J , ZHENG X ,et al. Clean-label backdoor attacks on video recognition models[C]// Proceedings of 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2020: 14431-14440.
[15]	BHAGOJI A N , CHAKRABORTY S , MITTAL P ,et al. Analyzing federated learning through an adversarial lens[C]// Proceedings of the 36th International Conference On Machine Learning.[S.l.:s.n.], 2019: 634-643.
[16]	SHAFAHI A , HUANG W R , NAJIBI M ,et al. Poison frogs! targeted clean-label poisoning attacks on neural networks[C]// Proceedings of the 32nd International Conference on Neural Information Processing Systems.Red Hook:Curran Associates Inc. , 2018: 6106-6116.
[17]	BIGGIO B , NELSON B , LASKOV P . Poisoning attacks against support vector machines[J]. arXiv preprint,2012,arXiv:1206.6389.
[18]	CHEN X Y , LIU C , LI B ,et al. Targeted backdoor attacks on deep learning systems using data poisoning[J]. arXiv preprint,2017,arXiv:1712.05526.
[19]	TOLPEGIN V , TRUEX S , GURSOY M E ,et al. Data poisoning attacks against federated learning systems[C]// Proceedings of 2020 European Symposium on Research in Computer Security. Cham:Springer, 2020: 480-501.
[20]	BAGDASARYAN E , VEIT A , HUA Y Q ,et al. How to backdoor federated learning[J]. arXiv preprint,2018,arXiv:1807.00459.
[21]	JERE M S , FARNAN T , KOUSHANFAR F . A taxonomy of attacks on federated learning[J]. IEEE Security ＆ Privacy, 2021,19(2): 20-28.
[22]	ZHOU X C , XU M , WU Y M ,et al. Deep model poisoning attack on federated learning[J]. Future Internet, 2021,13(3): 73.
[23]	FANG M H , CAO X Y , JIA J Y ,et al. Local model poisoning attacks to byzantinerobust federated learning[C]// Proceedings of the 29th USENIX Conference on Security Symposium. Berkeley:USENIX Association, 2020: 1623-1640.
[24]	BERNSTEIN J , ZHAO J W , AZIZZADENESHELI K ,et al. signSGD with majority vote is communication efficient and fault tolerant[J]. arXiv preprint,2018,arXiv:1810.05291.
[25]	XIE C , KOYEJO S , GUPTA I . Fall of empires:breaking Byzantine-tolerant SGD by inner product manipulation[J]. arXiv preprint,2019,arXiv:1903.03936.
[26]	SHEJWALKAR V , HOUMANSADR A . Manipulating the Byzantine:optimizing model poisoning attacks and defenses for federated learning[C]// Proceedings of 2021 Network and Distributed System Security Symposium. Reston:Internet Society, 2021:18.
[27]	LIU Y F , MA X J , BAILEY J ,et al. Reflection backdoor:a natural backdoor attack on deep neural networks[C]// Proceedings of 2020 European Conference on Computer Vision. Cham:Springer, 2020: 182-199.
[28]	COSTA G , PINELLI F , SODERI S ,et al. Covert channel attack to federated learning systems[J]. arXiv preprint,2021,arXiv:2104.10561.
[29]	LEE H , KIM J , HUSSAIN R ,et al. On defensive neural networks against inference attack in federated learning[C]// Proceedings of 2021 IEEE International Conference on Communications. Piscataway:IEEE Press, 2021: 1-6.
[30]	AONO Y , HAYASHI T , PHONG L T ,et al. Scalable and secure logistic regression via homomorphic encryption[C]// Proceedings of the 6th ACM Conference on Data and Application Security and Privacy. New York:ACM Press, 2016: 142-144.
[31]	LUO X J , WU Y C , XIAO X K ,et al. Feature inference attack on model predictions in vertical federated learning[C]// Proceedings of 2021 IEEE 37th International Conference on Data Engineering. Piscataway:IEEE Press, 2021: 181-192.
[32]	WAINAKH A , VENTOLA F , Mü?IG T , ,et al. User label leakage from gradients in federated learning[J]. arXiv preprint,2021,arXiv:2105.09369.
[33]	NASR M , SHOKRI R , HOUMANSADR A . Comprehensive privacy analysis of deep learning:passive and active white-box inference attacks against centralized and federated learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 739-753.
[34]	DONG Y P , SU H , WU B Y ,et al. Efficient decision-based black-box adversarial attacks on face recognition[C]// Proceedings of 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2019: 7706-7714.
[35]	YIN Z Y , YUAN Y , GUO P F ,et al. Backdoor attacks on federated learning with lottery ticket hypothesis[J]. arXiv preprint,2021,arXiv:2109.10512.
[1]	ZHANG C , XIE Y , BAI H ,et al. A survey on federated learning[J]. KnowledgeBased Systems, 2021,216: 106775.
[2]	ALEDHARI M , RAZZAK R , PARIZI R M ,et al. Federated learning:a survey on enabling technologies,protocols,and applications[J]. IEEE Access:Practical Innovations,Open Solutions, 2020,8: 140699-140725.
[36]	CHENG M H , LE T , CHEN P Y ,et al. Query-efficient hard-label black-box attack:an optimization-based approach[J]. arXiv preprint,2018,arXiv:1807.04457.
[37]	LI Y D , LI L J , WANG L Q ,et al. NATTACK:learning the distributions of adversarial examples for an improved black-box attack on deep neural networks[C]// Proceedings of the 36th International Conference on Machine Learning.[S.l.:s.n.], 2019: 3866-3876.
[3]	BLANCO-JUSTICIA A , DOMINGOFERRER J , MARTíNEZ S , ,et al. Achieving security and privacy in federated learning systems:survey,research challenges and future directions[J]. Engineering Applications of Artificial Intelligence, 2021,106: 104468.
[4]	YANG Q , LIU Y , CHENG Y ,et al. Federated learning[J]. Synthesis Lectures on Artificial Intelligence and Machine Learning, 2019,13(3): 1-207.
[38]	BAI Y , CHEN D G , CHEN T ,et al. GANMIA:GAN-based black-box membership inference attack[C]// Proceedings of 2021 IEEE International Conference on Communications. Piscataway:IEEE Press, 2021: 1-6.
[39]	ZHANG Y H , JIA R X , PEI H Z ,et al. The secret revealer:generative modelinversion attacks against deep neural networks[C]// Proceedings of 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2020: 250-258.
[5]	LI T , SAHU A K , TALWALKAR A ,et al. Federated learning:challenges,methods,and future directions[J]. IEEE Signal Processing Magazine, 2020,37(3): 50-60.
[6]	TRUONG N , SUN K , WANG S Y ,et al. Privacy preservation in federated learning:an insightful survey from the GDPR perspective[J]. Computers ＆Security, 2021,110: 102402.
[40]	REN H C , DENG J J , XIE X H . GRNN:generative regression neural network—a data leakage attack for federated learning[J]. ACM Transactions on Intelligent Systems and Technology, 2022,13(4): 1-24.
[41]	HITAJ B , ATENIESE G , PEREZCRUZ F . Deep models under the GAN:information leakage from collaborative deep learning[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 603-618.
[7]	KONE?NY J , MCMAHAN H B , YU F X ,et al. Federated learning:strategies for improving communication efficiency[J]. arXiv preprint,2016,arXiv:1610.05492.
[8]	马嘉华, 孙兴华, 夏文超 ,等. 基于标签量信息的联邦学习节点选择算法[J]. 物联网学报, 2021,5(4): 46-53.
[42]	LYU L J , YU H , YANG Q . Threats to federated learning:a survey[J]. arXiv preprint,2020,arXiv:2003.02133.
[43]	SONG M K , WANG Z B , ZHANG Z F ,et al. Analyzing user-level privacy attack against federated learning[J]. IEEE Journal on Selected Areas in Communications, 2020,38(10): 2430-2444.
[8]	MA J H , SUN X H , XIA W C ,et al. Node selection based on label quantity information in federated learning[J]. Chinese Journal on Internet of Things, 2021,5(4): 46-53.
[9]	ABDULRAHMAN S , TOUT H , OULDSLIMANE H ,et al. A survey on federated learning:the journey from centralized to distributed on-site learning and beyond[J]. IEEE Internet of Things Journal, 2021,8(7): 5476-5497.
[44]	BOUACIDA N , MOHAPATRA P . Vulnerabilities in federated learning[J]. IEEE Access, 2021,9: 63229-63249.
[45]	WANG Z B , SONG M K , ZHANG Z F ,et al. Beyond inferring class representatives:user-level privacy leakage from federated learning[C]// Proceedings of 2019 IEEE Conference on Computer Communications. Piscataway:IEEE Press, 2019: 2512-2520.
[10]	王健宗, 孔令炜, 黄章成 ,等. 联邦学习算法综述[J]. 大数据, 2020,6(6): 64-82.
	WANG J Z , KONG L W , HUANG Z C ,et al. Research review of federated learning algorithms[J]. Big Data Research, 2020,6(6): 64-82.
[46]	MOTHUKURI V , PARIZI R M , POURIYEH S ,et al. A survey on security and privacy of federated learning[J]. Future Generation Computer Systems, 2021,115: 619-640.
[47]	LYU L J , YU H , MA X J ,et al. Privacy and robustness in federated learning:attacks and defenses[J]. arXiv preprint,2020,arXiv:2012. 06337.
[48]	WEI K , LI J , DING M ,et al. Federated learning with differential privacy:algorithms and performance analysis[J]. IEEE Transactions on Information Forensics and Security, 2020,15: 3454-3469.
[49]	GIRGIS A M , DATA D , DIGGAVI S ,et al. Shuffled model of differential privacy in federated learning[C]// Proceedings of 2021 International Conference on Artificial Intelligence and Statistics.[S.l.:s.n.], 2021: 2521-2529.
[50]	HU R , GUO Y X , LI H N ,et al. Personalized federated learning with differential privacy[J]. IEEE Internet of Things Journal, 2020,7(10): 9530-9539.
[51]	MCMAHAN H B , RAMAGE D , TALWAR K ,et al. Learning differentially private recurrent language models[J]. arXiv preprint,2017,arXiv:1710.06963.
[52]	GEYER R C , KLEIN T , NABI M . Differentially private federated learning:a client level perspective[J]. arXiv preprint,2017,arXiv:1712.07557.
[53]	SUN L C , QIAN J W , CHEN X . LDPFL:practical private aggregation in federated learning with local differential privacy[C]// Proceedings of the 30th International Joint Conference on Artificial Intelligence. California:International Joint Conferences on Artificial Intelligence Organization, 2021: 1571-1578.
[54]	DUCHI J C , JORDAN M I , WAINWRIGHT M J . Local privacy and statistical minimax rates[C]// Proceedings of 2013 IEEE 54th Annual Symposium on Foundations of Computer Science. Piscataway:IEEE Press, 2013: 429-438.
[55]	ERLINGSSON ú , PIHUR V , KOROLOVA A . RAPPOR:randomized aggregatable privacy-preserving ordinal response[C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2014: 1054-1067.
[56]	RASTOGI V , NATH S . Differentially private aggregation of distributed time-series with transformation and encryption[C]// Proceedings of the 2010 ACM SIGMOD International Conference on Management of Data. New York:ACM Press, 2010: 735-746.
[57]	AGARWAL N , SURESH A T , YU F ,et al. cpSGD:communication-efficient and differentially-private distributed SGD[C]// Proceedings of the 32nd International Conference on Neural Information Processing Systems.Red Hook:Curran Associates Inc. , 2018: 7575-7586.
[58]	ZHANG C L , LI S Y , XIA J Z ,et al. BatchCrypt:efficient homomorphic encryption for cross-silo federated learning[C]// Proceedings of the 2020 USENIX Annual Technical Conference. Berkeley:USENIX Association, 2020: 493-506.
[59]	FANG H K , QIAN Q . Privacy preserving machine learning with homomorphic encryption and federated learning[J]. Future Internet, 2021,13(4): 94.
[60]	GENTRY C , . Fully homomorphic encryption using ideal lattices[C]// Proceedings of the 41st Annual ACM Symposium on Theory of Computing. New York:ACM Press, 2009: 169-178.
[61]	PHONG L T , AONO Y , HAYASHI T ,et al. Privacy-preserving deep learning via additively homomorphic encryption[J]. IEEE Transactions on Information Forensics and Security, 2018,13(5): 1333-1345.
[62]	YANG T , ANDREW G , EICHNER H ,et al. Applied federated learning:improving google keyboard query suggestions[J]. arXiv preprint,2018,arXiv:1812.02903.
[63]	MADI A , STAN O , MAYOUE A ,et al. A secure federated learning framework using homomorphic encryption and verifiable computing[C]// Proceedings of 2021 Reconciling Data Analytics,Automation,Privacy,and Security:A Big Data Challenge. Piscataway:IEEE Press, 2020: 1-8.
[64]	ZHU H F , MONG GOH R S , NG W K . Privacy-preserving weighted federated learning within the secret sharing framework[J]. IEEE Access, 2020,8: 198275-198284.
[65]	CHA J , SINGH S K , KIM T W ,et al. Blockchain-empowered cloud architecture based on secret sharing for smart city[J]. Journal of Information Security and Applications, 2021,57: 102686.
[66]	BONAWITZ K , IVANOV V , KREUTER B ,et al. Practical secure aggregation for privacy-preserving machine learning[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 1175-1191.
[67]	HAN G , ZHANG T T , ZHANG Y H ,et al. Verifiable and privacy preserving federated learning without fully trusted centers[J]. Journal of Ambient Intelligence and Humanized Computing, 2022,13(3): 1431-1441.
[68]	CHANDRAMOULI A , CHOUDHURY A , PATRA A . A survey on perfectlysecure verifiable secret-sharing[J]. ACM Computing Surveys, 2022.
[69]	FEREIDOONI H , MARCHAL S , MIETTINEN M ,et al. SAFELearn:secure aggregation for private FEderated learning[C]// Proceedings of 2021 IEEE Security and Privacy Workshops. Piscataway:IEEE Press, 2021: 56-62.
[70]	周俊, 方国英, 吴楠 . 联邦学习安全与隐私保护研究综述[J]. 西华大学学报(自然科学版), 2020,39(4): 9-17.
	ZHOU J , FANG G Y , WU N . Survey on security and privacy-preserving in federated learning[J]. Journal of Xihua University (Natural Science Edition), 2020,39(4): 9-17.
[71]	BARACALDO N , CHEN B , LUDWIG H ,et al. Mitigating poisoning attacks on machine learning models:a data provenance based approach[C]// Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. New York:ACM Press, 2017: 103-110.
[72]	SATTLER F , WIEDEMANN S , MüLLER K-R ,et al. Robust and communication-efficient federated learning from non-i.i.d.data[J]. IEEE Transactions on Neural Networks and Learning Systems, 2020,31(9): 3400-3413.
[73]	LIAO F Z , LIANG M , DONG Y P ,et al. Defense against adversarial attacks using high-level representation guided denoiser[C]// Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2018: 1778-1787.
[74]	XU W L , EVANS D , QI Y J . Feature squeezing:detecting adversarial examples in deep neural networks[J]. arXiv preprint,2017,arXiv:1704.01155.
[75]	ZHU C , CHENG Y , GAN Z ,et al. FreeLB:enhanced adversarial training for language understanding[J]. arXiv preprint,2019,arXiv:1909.11764.
[76]	SHAH D , DUBE P , CHAKRABORTY S ,et al. Adversarial training in communication constrained federated learning[J]. arXiv preprint,2021,arXiv:2103.01319.
[77]	FUNG C , YOON C J M , BESCHASTNIKH I . Mitigating sybils in federated learning poisoning[J]. arXiv preprint,2018,arXiv:1808.04866.
[78]	王健宗, 孔令炜, 黄章成 ,等. 联邦学习隐私保护研究进展[J]. 大数据, 2021,7(3): 130-149.
	WANG J Z , KONG L W , HUANG Z C ,et al. Research advances on privacy protection of federated learning[J]. Big Data Research, 2021,7(3): 130-149.
[79]	ANDREINA S , MARSON G A , M?LLERING H ,et al. BaFFLe:backdoor detection via feedback-based federated learning[C]// Proceedings of 2021 IEEE 41st International Conference on Distributed Computing Systems. Piscataway:IEEE Press, 2021: 852-863.
[80]	MCMAHAN H B , MOORE E , RAMAGE D ,et al. Communication-efficient learning of deep networks from decentralized data[J]. arXiv preprint,2016,arXiv:1602.05629.
[81]	YIN D , CHEN Y D , RAMCHANDRAN K ,et al. Byzantine-robust distributed learning:towards optimal statistical rates[J]. arXiv preprint,2018,arXiv:1803.01498.
[82]	BLANCHARD P , MHAMDI E M E , GUERRAOUI R ,et al. Machine learning with adversaries:Byzantine tolerant gradient descent[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems.Red Hook:Curran Associates Inc. , 2017: 118-128.
[83]	MHAMDI E M E , GUERRAOUI R , ROUAULT S . The hidden vulnerability of distributed learning in Byzantium[J]. arXiv preprint,2018,arXiv:1802.07927.
[84]	SO J , GüLER B , AVESTIMEHR A S . Turbo-aggregate:breaking the quadratic aggregation barrier in secure federated learning[J]. IEEE Journal on Selected Areas in Information Theory, 2021,2(1): 479-489.
[85]	LEE H , KIM J , AHN S ,et al. Digestive neural networks:a novel defense strategy against inference attacks in federated learning[J]. Computers ＆ Security, 2021,109: 102378.
[86]	周传鑫, 孙奕, 汪德刚 ,等. 联邦学习研究综述[J]. 网络与信息安全学报, 2021,7(5): 77-92.
	ZHOU C X , SUN Y , WANG D G ,et al. Survey of federated learning research[J]. Chinese Journal of Network and Information Security, 2021,7(5): 77-92.
[87]	QUOC D L , FETZER C . SecFL:confidential federated learning using TEEs[J]. arXiv preprint,2021,arXiv:2110.00981.
[88]	LI W H , XIA Y B , LU L ,et al. TEEv:virtualizing trusted execution environments on mobile platforms[C]// Proceedings of the 15th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments. New York:ACM Press, 2019: 2-16.
[89]	CHEN Y , LUO F , LI T ,et al. A trainingintegrity privacy-preserving federated learning scheme with trusted execution environment[J]. Information Sciences, 2020,522: 69-79.
[90]	ZHAO Y , ZHAO J , JIANG L S ,et al. Mobile edge computing,blockchain and reputation-based crowdsourcing IoT federated learning:a secure,decentralized and privacy-preserving system[J]. arXiv preprint,2019,arXiv:1906.10893.
[11]	LI L , FAN Y X , TSE M ,et al. A review of applications in federated learning[J]. Computers ＆ Industrial Engineering, 2020,149: 106854.
[91]	DOSHI-VELEZ F , KIM B . Towards a rigorous science of interpretable machine learning[J]. arXiv preprint,2017,arXiv:1702.08608.

攻击类型	描述	攻击效果
干净标签中毒攻击	将恶意数据添加到训练数据集中	伪造高质量数据难度较高，但效果好
脏标签中毒攻击	将干净训练样本的标签翻转为另一类，数据的特征保持不变	典型且实用，不具有针对性
	将干净样本的标签翻转为指定类别	针对性强，效果明显
数据后门中毒攻击	修改原始训练数据集的单个特征或小区域，将其作为后门并嵌入模型	后门嵌入，攻击成功率较高

攻击类型	攻击原理	攻击方法
数据中毒	攻击者向训练数据集中添加恶意数据或篡改数据集中的某些数据，以达到攻击目的	干净标签中毒攻击^[14]、脏标签中毒攻击^[15-17]
模型攻击	通过更改被攻击客户端本地模型的更新来更改全局模型更新	拜占庭攻击^[24-25]、后门攻击^[27-28]
推理攻击	通过攻击手段（如窃听、监视等）获取某些信息，然后利用这些信息推理获得目标信息	成员、特征、标签推理攻击^[30-32]，黑/白盒攻击^[33-35]，生成对抗网络^[39-40]
服务器漏洞	服务器所处环境缺少安全防御措施，导致易受到攻击，或存在恶意服务器	脆弱、恶意服务器攻击^[42-45]

技术结合	参考文献	特性
中心化差分隐私	[51-52]	聚合和更新分别通过添加与删除噪声来达到保护隐私的目的，但需要一个可信的数据收集库
本地化差分隐私	[53-55]	将数据的隐私化处理过程转移至每个用户的设备上，使得用户能够单独地处理和保护个人数据，但这会影响模型的精度
分布式差分隐私	[56-57]	结合密码学技术来改进本地差分隐私和中心差分隐私
全同态加密	[60]	对隐私有绝对的保护，但计算复杂度非常高
部分同态加密	[60-63]	只对梯度进行加密处理，可以在很大程度上降低通信成本，实用性强
秘密共享	[65]	属于典型的密钥分发机制，在联邦学习中应用成熟
可验证性秘密共享	[67-69]	通过引入可验证机制，进一步提高秘密共享的安全性，且能与其他技术结合使用

防御类型	参考文献	防御措施	特点
防御数据中毒	[71]	检测上下文信息	通过与之前的数据进行对比来检测数据点
	[72-73]	最小化图像总方差，HGD	使用压缩、降噪和减少全局方差等方法来处理数据，进而达到保护数据的目的
	[75-77]	对抗训练	将真实样本和对抗样本放在一起作为训练集进行训练
防御模型攻击	[78]	检测错误的模型更新	直接或间接使用模型参数之间的数值差异来检测异常模型
	[80-83]	安全聚合	使用不同的聚合算法来保护模型参数
防御推理攻击	[84-85]	模型堆叠，DNN	将多种模型进行集成或者组合，以提高模型的复杂度
防御服务器漏洞	[87-[89]	TEE	通过硬件隔离的技术来保护隐私
	[90]	安全多方计算	安全联合多个参与方完成某种协同计算