ML Security PapersA Secure and Private Distributed Bayesian Federated Learning Design
Nuocheng Yang 1, Sihua Wang 1, Zhaohui Yang 2, Mingzhe Chen 3, Changchuan Yin 1, Kaibin Huang 4
Published on arXiv
2602.20003
Data Poisoning Attack
OWASP ML Top 10 — ML02
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
The proposed GNN-RL-based framework achieves superior Byzantine robustness and privacy preservation with significantly lower communication and computation overhead compared to traditional centralized security and privacy schemes in DFL settings.
Secure Private Distributed Bayesian Federated Learning (GNN-RL neighbor selection)
Novel technique introduced
Distributed Federated Learning (DFL) enables decentralized model training across large-scale systems without a central parameter server. However, DFL faces three critical challenges: privacy leakage from honest-but-curious neighbors, slow convergence due to the lack of central coordination, and vulnerability to Byzantine adversaries aiming to degrade model accuracy. To address these issues, we propose a novel DFL framework that integrates Byzantine robustness, privacy preservation, and convergence acceleration. Within this framework, each device trains a local model using a Bayesian approach and independently selects an optimal subset of neighbors for posterior exchange. We formulate this neighbor selection as an optimization problem to minimize the global loss function under security and privacy constraints. Solving this problem is challenging because devices only possess partial network information, and the complex coupling between topology, security, and convergence remains unclear. To bridge this gap, we first analytically characterize the trade-offs between dynamic connectivity, Byzantine detection, privacy levels, and convergence speed. Leveraging these insights, we develop a fully distributed Graph Neural Network (GNN)-based Reinforcement Learning (RL) algorithm. This approach enables devices to make autonomous connection decisions based on local observations. Simulation results demonstrate that our method achieves superior robustness and efficiency with significantly lower overhead compared to traditional security and privacy schemes.
Key Contributions
- Novel DFL framework jointly addressing Byzantine robustness, privacy preservation against honest-but-curious neighbors, and convergence acceleration through Bayesian local training and optimal neighbor selection
- Analytical characterization of trade-offs between dynamic network connectivity, Byzantine detection, differential privacy levels, and convergence speed
- Fully distributed GNN-based RL algorithm enabling devices to autonomously select neighbors based on local observations under security and privacy constraints
🛡️ Threat Analysis
Paper explicitly defends against Byzantine adversaries in DFL who send poisoned model updates to degrade global model accuracy — a core Byzantine FL poisoning threat. The framework detects and excludes malicious participants during training.
Paper addresses 'private data reconstruction' by honest-but-curious neighbors who observe exchanged model posteriors/updates (citing DLG, BatchDLG, AIJack as the threat). The Bayesian framework and privacy constraints are designed to prevent neighbors from inverting model updates to recover local training data.