Towards Private and Secure Federated Learning: Exploring the Interplay of Differential Privacy and Byzantine Robustness

Date of Award


Document Type


Degree Name

Master of Science in Machine Learning


Machine Learning

First Advisor

Dr. Samuel Horvath

Second Advisor

Dr. Karthik Nandakumar


"Federated Learning is a part of Machine Learning where the learning process occurs on edge devices instead of a centralized approach. With this shift towards decentralized data collection, the risk of privacy leaks and malicious attacks from participants has become prevalent and requires attention. While Federated Learning alone has shown the potential to address privacy issues, it remains an insufficient method to rely solely on for explicit security guarantees. Federated Learning has been proven to leak information about participating clients through their updates. In addition, because data is decentralized, there is little control over what each participant sends, creating a vulnerability attackers could exploit to send corrupted updates and prevent learning. To address these limitations, researchers have adopted standard methods such as Differential Privacy and Byzantine robustness. Differential Privacy has gained popularity as a procedure to ensure the privacy of Machine Learning, specifically Federated Learning, models. Participants inject noise into their data and then send it to the server. These clients could exhibit Byzantine behavior and act maliciously to disrupt the final model; therefore, Byzantine robustness has been used to mitigate their influence. These notions of Differential Privacy and Byzantine robustness have been used to enforce privacy and security assurances. Both objectives need to be met to ensure that Federated Learning is both practical and deployable in the real world. The main aim of this thesis is to study the combination of Differential Privacy and Byzantine robustness goals in a Federated Learning setting, to understand the interplay of these objectives, and to determine whether they are indeed incompatible.
In our work, we apply the classical FedAvg algorithm on three datasets and study the impact of the DP-SGD algorithm, the Krum aggregation method with different attacks (Sign-Flip and A Little is Enough), and their integration on the performance of the models. To conduct the experiments, we use the Flower federated framework. Our main results suggest that maintaining a high-performing model when faced with both objectives is challenging. When evaluating Differential Privacy and Byzantine robustness separately, all models achieve high accuracy; however, they show a decline in the presence of both. The analysis attributes this opposing dynamic to the Differential Privacy noise that could grant Byzantine participants an opening to conceal their harmful behavior."
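The concealment effect the abstract reports, as an added example that is not part of the thesis or of the Flower framework: a pure-Python Krum aggregator (the rule of Blanchard et al.) evaluated on constructed client updates in which one client sends a Sign-Flip update, first under small and then under large DP-style Gaussian noise. The client count, dimension, noise levels and the assumption that the Byzantine client adds no noise to its own update are constructed choices made to make the effect visible.

```python
import random


def sq_dist(u, v):
    """Squared Euclidean distance between two update vectors."""
    return sum((a - b) ** 2 for a, b in zip(u, v))


def krum_select(updates, f):
    """Krum: return (index, scores). Each update is scored by the sum of squared
    distances to its n - f - 2 nearest neighbours; the lowest score is selected."""
    n = len(updates)
    k = n - f - 2
    assert k >= 1, "Krum needs n > f + 2"
    scores = []
    for i, u in enumerate(updates):
        dists = sorted(sq_dist(u, v) for j, v in enumerate(updates) if j != i)
        scores.append(sum(dists[:k]))
    return min(range(n), key=scores.__getitem__), scores


def simulate_round(dp_sigma, n_clients=6, n_byzantine=1, dim=100, seed=0):
    """One constructed FL round: honest clients send the true gradient plus
    DP-style Gaussian noise of std dp_sigma; each Byzantine client sends the
    sign-flipped gradient without noise. Returns True if Krum picked a
    Byzantine update, i.e. the aggregator was fooled."""
    rng = random.Random(seed)
    true_grad = [1.0] * dim  # constructed honest direction (assumption)
    updates = []
    for _ in range(n_clients - n_byzantine):
        updates.append([g + rng.gauss(0.0, dp_sigma) for g in true_grad])
    for _ in range(n_byzantine):
        updates.append([-g for g in true_grad])  # Sign-Flip update
    byzantine_idx = set(range(n_clients - n_byzantine, n_clients))
    chosen, _ = krum_select(updates, n_byzantine)
    return chosen in byzantine_idx


if __name__ == "__main__":
    # Low noise: honest updates cluster tightly, the flipped one is far away and
    # is rejected. High noise: honest pairs are ~2*sigma^2*dim apart while the
    # noiseless flipped update is only ~4|g|^2 + sigma^2*dim from each of them,
    # so it gets the best Krum score and is selected.
    for sigma in (0.1, 10.0):
        print(f"dp_sigma={sigma:>5}: Krum picked Byzantine -> {simulate_round(sigma)}")
```

The same harness can be pointed at a different aggregation rule or a different attack by swapping `krum_select` or the Byzantine update, which is how the two regimes the thesis contrasts can be reproduced offline before running them under Flower.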


Thesis submitted to the Deanship of Graduate and Postdoctoral Studies

In partial fulfilment of the requirements for the M.Sc. degree in Machine Learning

Advisors: Samuel Horvath, Karthik Nandakumar

Online access available for MBZUAI patrons