BlockFLA: Accountable Federated Learning via Hybrid Blockchain Architecture
Conference’17, July 2017, Washington, DC, USA
desired performance metric (e.g., accuracy) on a validation dataset
maintained by the server.
2.2 Backdoor Attacks and Model Poisoning
Training time attacks against machine learning models can roughly be classified into two categories: targeted [3, 5, 9, 19] and untargeted attacks [4, 6]. In untargeted attacks, the adversarial task is to make the model converge to a sub-optimal minimum, or to make the model diverge completely. Such attacks have also been referred to as convergence attacks, and to some extent, they are easily detectable by observing the model’s accuracy on validation data.
On the other hand, in targeted attacks, the adversary wants the model to misclassify only a set of chosen samples while minimally affecting its performance on the main task. Such targeted attacks are also known as backdoor attacks. A prominent way of carrying out backdoor attacks is through trojans [9, 19]. A trojan is a carefully crafted pattern that is leveraged to cause the desired misclassification. For example, consider a classification task over cars and planes, and let the adversarial task be making the model classify blue cars as planes. The adversary could craft a brand logo, put it on some of the blue car samples in the training dataset, and mislabel only those as planes. The model would then potentially learn to classify blue cars with the brand logo as planes. At inference time, the adversary can present a blue car sample with the logo to the model to activate the backdoor. Ideally, since the model would behave correctly on blue cars that do not have the trojan, the backdoor would not be easy to detect on a clean validation dataset.
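The trojan insertion described above can be sketched as a small data-poisoning routine. This is an illustrative helper, not code from the paper; the function name, trigger shape (a bright square standing in for the "brand logo"), and poisoning fraction are all assumptions.

```python
import numpy as np

def poison_dataset(images, labels, target_label, trigger_value=1.0,
                   patch_size=3, fraction=0.05, seed=0):
    """Stamp a trigger patch onto a fraction of samples and relabel
    them as the target class (hypothetical helper, for illustration)."""
    rng = np.random.default_rng(seed)
    images, labels = images.copy(), labels.copy()
    n_poison = max(1, int(fraction * len(images)))
    idx = rng.choice(len(images), size=n_poison, replace=False)
    # The "brand logo": a bright square in the bottom-right corner.
    images[idx, -patch_size:, -patch_size:] = trigger_value
    # Mislabel only the trojaned samples, e.g. blue car -> plane.
    labels[idx] = target_label
    return images, labels, idx
```

Because the remaining clean samples keep their correct labels, a model trained on this data can still perform well on a clean validation set while misclassifying any input that carries the trigger.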
In FL, the training data is decentralized and the aggregation server is only exposed to model updates. Consequently, backdoor attacks are typically carried out by constructing malicious updates. That is, the adversary tries to create an update that encodes the backdoor in such a way that, when it is aggregated with other updates, the aggregated model exhibits the backdoor. This has been referred to as a model poisoning attack [3, 5, 32]. For example, an adversary could control some of the participating agents in an FL instance and train their local models on trojaned datasets to construct malicious updates.
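As a rough sketch of why a single malicious update can dominate averaging-based aggregation, consider the model-replacement trick of scaling a backdoored model so that, after federated averaging with benign updates, the aggregate lands on the backdoored model. The function names and the assumption that benign agents submit the unchanged global model are illustrative simplifications, not the paper's threat model.

```python
import numpy as np

def fedavg(updates):
    """Plain federated averaging over a list of equal-shape parameter vectors."""
    return np.mean(updates, axis=0)

def malicious_update(backdoored_model, global_model, n_agents):
    """Model-replacement sketch: scale the backdoored direction so that
    averaging with (n_agents - 1) updates equal to the global model
    yields exactly the backdoored model. Illustrative, not definitive."""
    return n_agents * (backdoored_model - global_model) + global_model
```

Under these simplifying assumptions the attack is exact: averaging the scaled update with the benign ones reproduces the backdoored model, which is why robust aggregation and accountability mechanisms (as in BlockFLA) are needed.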
2.3 Blockchain
Blockchain was first introduced by Nakamoto as the underlying ledger of the now famous Bitcoin cryptocurrency [25]. Briefly, a blockchain is an append-only, distributed and replicated database. It allows the participants of a network to collectively maintain a sequence of data in a tamper-resilient way. More importantly, it does so without requiring a trusted third party, by invoking a consensus mechanism.
Informally, a blockchain network operates as follows: participants broadcast their data, and certain nodes called miners (or validators) gather and store the data they receive in wrapper structures called blocks. Through a consensus mechanism, the network elects a leader miner in a decentralized fashion for a sequence of epochs. The epoch leader broadcasts its block to the network and, having received the leader’s block, other nodes store it in their local memory, where each block maintains a hash-link to the previous block.
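The hash-link structure above can be sketched minimally: each block stores the hash of its predecessor, so altering any block invalidates every hash-link after it. The dictionary layout and function names below are illustrative, not a real blockchain implementation.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # placeholder predecessor for the first block

def block_hash(block):
    """Hash of a block's payload and its link to the previous block."""
    payload = {"data": block["data"], "prev_hash": block["prev_hash"]}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def append_block(chain, data):
    """Append a new block that hash-links to the current chain tip."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    block = {"data": data, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    chain.append(block)
    return chain

def verify_chain(chain):
    """Tamper check: recompute every hash and every hash-link."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS_HASH
        if block["prev_hash"] != expected_prev:
            return False
    return True
```

Tampering with any stored block changes its hash, breaking the link held by its successor; this is what makes the ledger tamper-resilient rather than tamper-proof.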
The consensus algorithm that the blockchain network deploys may depend on whether or not the network is public. For example, Bitcoin operates on a public network, where anyone is free to join and there is no uniform view of the network across participants. It utilizes a cryptographic puzzle called Proof-of-Work [15] to achieve consensus. This makes tampering with the order of blocks computationally infeasible when the majority of the network participants follow the protocol honestly. In private networks, however, participants can employ more efficient consensus algorithms, such as PBFT [8]. This is because the identity and number of participants are known to every party, as access to such networks can be arbitrarily restricted.
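A toy version of the Proof-of-Work puzzle is a brute-force search for a nonce whose hash meets a difficulty target. The leading-zero-hex-digit target below is a common simplification of Bitcoin's actual difficulty encoding, used here purely for illustration.

```python
import hashlib

def proof_of_work(block_bytes, difficulty=2):
    """Search for a nonce such that sha256(block || nonce) starts with
    `difficulty` zero hex digits (simplified difficulty target)."""
    target = "0" * difficulty
    nonce = 0
    while True:
        digest = hashlib.sha256(block_bytes + str(nonce).encode()).hexdigest()
        if digest.startswith(target):
            return nonce, digest
        nonce += 1
```

Finding a valid nonce requires many hash evaluations on average, while verifying one takes a single hash; rewriting an earlier block would require redoing this work for it and every subsequent block, which is why tampering is computationally infeasible against an honest majority.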
We provide examples of a private and a public blockchain below, and note that there also exist hybrid architectures (as in this work) that combine both public and private blockchains.
2.3.1 Private Blockchain: Hyperledger Fabric. Hyperledger [2] is the umbrella project for many open source blockchains. Hyperledger Fabric, a permissioned blockchain, is one among them; it offers identifiable participants, high transaction throughput [14], and low transaction-confirmation latency [28], alongside privacy and confidentiality of transactions. Hyperledger promotes the usage of smart contracts called chaincode and pluggable consensus models for the confirmation of the underlying transactions committed on the ledger. The transaction order is maintained and visible to all peers participating on the network.
2.3.2 Public Blockchain: Ethereum. Ethereum [33] also possesses the capability to host smart contracts. However, the published smart contracts are public due to the permissionless nature of the blockchain, making every transaction transparent. Each Ethereum smart contract and participant has an account of its own. Ether, the cryptocurrency hosted on the Ethereum chain, is required to publish contracts, call functions and send transactions over the chain. This currency is stored in a wallet possessed by every participant on the blockchain and is spent in the form of Gas to make smart contract calls. Ethereum, however, offers low transaction throughput and high latency on transaction confirmation.
3 SYSTEM ARCHITECTURE
In this paper, we propose a practical system architecture that allows any Federated Learning algorithm to run efficiently and securely while enabling auditability. Our solution maintains a multi-factor approach to securely detect potential trojans introduced into the model over time and penalize the offending parties. The system has many components, each playing a critical role in accomplishing the overall goal.
3.1 Framework Setup
The overall BlockFLA framework assumes each participant trains the model on their local machine or on a separate virtual machine in the cloud. This assumption eliminates the expense of training the model on the chain and enhances data privacy. Alongside training the model locally, we consider the network to be an established TCP connection between the participants and the aggregation server, thus eliminating the overhead of establishing a connection every