[Paper Reading] A review of applications in federated learning

Original paper link
I have recently been writing a paper on applications of federated learning, so I read this article and took some brief notes.
🙋‍♂️ Student Zhang zhangruiyuan@zju.edu.cn (contact me if you have questions)

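I. Overview of federated learning

The paper first gives an overview of federated learning (FL) from three angles: its characteristics, existing open-source frameworks, and its categorization.

Characteristics of federated learning

  1. Cross-organization FL scenarios are universal

  2. Large amounts of non-IID (not independent and identically distributed) data

  3. A decentralized technology

    Quoting the paper to explain why the authors regard FL as a decentralized technology: For cases in FL, each client is completely autonomous, data is not allocated by center and the training process is not governed by server. Therefore, FL is an integrated technology to combine machine learning models and data fusion through decentralized collaboration.

  4. Every node has equal status

    This means that in FL a user who holds only a small dataset has the same standing as the other users.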

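Existing open-source frameworks

The authors introduce two FL frameworks in this paper, TFF and FATE.

  1. TFF

    The first open-source, self-contained, production-level FL framework for mobile devices. It has been applied successfully to next word prediction, emoji prediction and similar tasks, and has reached 10 million devices on its way to 1 billion.

  2. FATE

    The first open-source industrial-grade framework, mainly for cross-organization FL architectures. It has been applied to risk control, object detection and anti-money laundering.

Categorization of federated learning

The categorization presented in this paper mainly follows Qiang Yang's Federated machine learning: concept and applications. Personally, though, emmm, I prefer to categorize FL as cross-organization versus cross-device.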

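II. Evolution of federated learning

The authors present the evolution of FL from two angles: algorithm optimization and security.

2.1 Algorithm optimization

Methods for reducing communication cost: reducing the number of communication rounds, reducing model update time

Methods for addressing statistical heterogeneity: focusing on the global model, adding extra data preprocessing procedures, modifying the local training mode

Structural heterogeneity (differences among training devices): fault tolerance, resource allocation
This part is not my focus; anyone interested can read the original paper.

2.2 Security

Privacy risks currently present in FL: data poisoning attacks, model poisoning, inference attacks

Privacy-preserving techniques in FL: client-side privacy protection, secure aggregation methods, protection methods for the FL framework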

Privacy risks

Nevertheless, the system is not sufficiently secure because the transmission of gradients and partial parameters may lead to indirect privacy leakage (Bos, Lauter, & Naehrig, 2014).

  1. Data poisoning attacks

There are two main types of ‘data poisoning’ attack modes including model skew and feedback weaponization.

First, one paper states that because FL does not directly obtain the raw data, it is not harmed by data poisoning the way traditional learning is.

Nevertheless, these traditional data poisonings methods are less effective or may need many malicious participants when it comes to FL since malicious attackers have no direct access to raw data (Bagdasaryan, Veit, Hua, Estrin, & Shmatikov, 2018).

But next, another paper showed that this view, namely that FL can avoid data poisoning, is wrong.

On the basis research of Bagdasaryan et al., (2018), Yang et al. (2019) studied a novel and effective distributed backdoor attack. They divided an attack trigger into many slices and embedded each slice into different attackers instead of embedding a complete trigger into only one attacker. This new-fashioned mode throws a wrench in the old argument that FL is possible to avoid data poisoning. It also gives a new evaluation form for security analysis in FL.

  2. Model poisoning (also called adversarial attack)

Model poisoning means crafting a specific input so that the machine learning model produces a wrong result. In the paper's words: Model poisoning refer to make machine learning model to generate a wrong result by designing a specific input.

Model poisoning is divided into non-targeted adversarial attacks and targeted adversarial attacks. The difference is as follows:

The former one is a common type which lead to an incorrect consequence, and the other one is relatively difficult that aiming at injecting a specific type for input.

On the other hand, because FL implements secure aggregation, it becomes harder for the aggregator to check for model anomalies and incorrect local updates (it cannot see the models that the clients upload).

Attack examples:

  • According to this drawback, the backdoor can be inserted into federated environment by malicious participant through model-replacement methodology thus misunderstand the joint model. This novel attack method can be successfully employed in federated training tasks including image classification and word prediction (Bagdasaryan et al., 2018).

  • Bhagoji, Chakraborty, Mittal, and Calo (2019) attacked global model through few malicious adversaries to wrongly classified targeted model.

The attack above is a targeted attack; this class of attack ensures that most recognition results remain correct.

Byzantine-resilient defenses were also shown to break down, emmm:

  • In addition, the results show Byzantine-resilient aggregation technology is weak to offense this type of attack in the federated setting. Then Zhang, Chen, Wu, Chen, and Yu (2019) give first attempt to generate model poisoning attack based on Generative Adversarial Nets (GAN). In this work, malicious participant pretended to be a benign agent. Then they assign a GAN architecture to generate training data as well as distributed a wrong label to induce benign client to be damaged. The existing methodologies aiming at defending poisoning attack are quite invalid in federated settings. In

The authors hope that server-side anomaly detection and hiding classification results may be a direction for development. Emmm, I think this still needs careful thought; the problem is unlikely to be solved that easily.

  3. Inference attacks (inferring attack)

The value of this type of attack mainly used to detect privacy records or restore training data through a white box or a black box.

Inferring attacks can be divided into tracing attacks (membership inference attacks) and reconstruction attacks. The difference is as follows:

The first mentioned of two indicates to infer whether a client is contained in the data set. The latter advocates recover some features about an individual participant.

Attack examples:

  • Membership inference attack: With utilization of vulnerability of SGD, Nasr, Shokri, and Houmansadr (2019) designed a white-box membership inference attack method direct at neural network. Then it was successfully applied to federated setting to infer information via a curious server or any of a participant.
  • Reconstruction attack: In cases of this kind, Wang, Z. et al. (2019) built a general attack frame called mGAN-AI which could reconstruct private information for target client.

To address the problems above, the authors argue that more prediction algorithms should be explored and that data should be encrypted before it is uploaded.

Security: privacy-preserving techniques in federated learning
  1. Client-side privacy protection

Use of differential privacy:

  • For instance, since FedAvg is prone to be violated by differential attack, Geyer, Klein, and Nabi (2018) leveraged differential privacy on FL to conceal whether a client participant in the training process.
  • Likewise, to improve FedAvg, McMahan, Zhang, Ramage, and Talwar (2018) also applied DP to this process by adding Gaussian noise to the global model.

Optimized use of differential privacy:

  • In federated online training for ranker using feedback from users, Kharitonov (2019) introduced ε-local differential privacy. Opposite to common algorithms, it is stricter since they protect user-level privacy instead of imposing privacy-preserving technology after data aggregation.
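The mechanism behind the differential-privacy items above, as an added example that is not code from the paper or from any FL framework: each client update is clipped to a fixed L2 norm, the clipped updates are averaged, and Gaussian noise scaled to one client's maximum influence is added. It is a simplified sketch; the function names, the parameters `clip_norm` and `noise_multiplier`, and the sample updates are assumptions made for illustration.

```python
import math
import random


def l2_norm(vec):
    return math.sqrt(sum(x * x for x in vec))


def clip(update, clip_norm):
    """Scale a client update down so that its L2 norm is at most clip_norm."""
    norm = l2_norm(update)
    factor = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [x * factor for x in update]


def clipped_mean(updates, clip_norm):
    """Average of the clipped client updates (fixed denominator n)."""
    n = len(updates)
    return [sum(col) / n for col in zip(*(clip(u, clip_norm) for u in updates))]


def dp_fedavg_round(global_model, updates, clip_norm, noise_multiplier, rng):
    """One round: clip each update, average, add Gaussian noise, apply to the model."""
    mean = clipped_mean(updates, clip_norm)
    # One client can move the clipped mean by at most clip_norm / n, so the
    # noise standard deviation is calibrated to that sensitivity.
    sigma = noise_multiplier * clip_norm / len(updates)
    return [w + m + rng.gauss(0.0, sigma) for w, m in zip(global_model, mean)]


def client_influence(updates, idx, clip_norm):
    """L2 distance between the clipped mean with client idx and with its update zeroed."""
    without = [u if k != idx else [0.0] * len(u) for k, u in enumerate(updates)]
    diff = [a - b for a, b in zip(clipped_mean(updates, clip_norm),
                                  clipped_mean(without, clip_norm))]
    return l2_norm(diff)


# Constructed sample: the third client sends a heavily scaled update.
UPDATES = [[3.0, 4.0], [0.3, 0.4], [1000.0, 0.0]]

if __name__ == "__main__":
    rng = random.Random(7)
    print("clipped mean      :", clipped_mean(UPDATES, 1.0))
    print("influence of #2   :", client_influence(UPDATES, 2, 1.0))
    print("noisy global model:", dp_fedavg_round([0.0, 0.0], UPDATES, 1.0, 1.1, rng))
```

Clipping is what makes the noise meaningful: without it, the constructed third update would dominate the average and no finite noise level could hide that client's participation.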

Use of homomorphic encryption:

Homomorphic encryption refers to an encryption mechanism that parameters are encoded before adding or multiplying operation and performs equivalent result compare to uncode function

  • Liu et al. (2018) employed additively homomorphic encryption to modify neural network model and minimize the impact on training accuracy.
  • Ilias and Georgios (2019) also added homomorphic encryption to a more robust FL framework, which make it possible to compute aggregation on encrypted client.

However, using homomorphic encryption often requires transmitting more parameter information.

Use of locality-sensitive hashing (LSH) (Gionis, Indyk, & Motwani, 1999):

What do the authors see as the advantage of LSH over differential privacy and homomorphic encryption?

Besides, LSH would not cause overmuch communication overhead like homomorphic encryption and reduce accuracy like differential privacy.

  • Lee et al. (2018) make use of LSH to detect similar patients in federated settings.
  • Recently, Li et al. (2020) build a practical gradient boosting decision trees rely on LSH. In the pre-processing stage, LSH would help find similar samples dispersed in different clients, and they will use the sum gradients of similar instances instead of only use the gradient of one instance when processing gradient updating.
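How LSH lets clients find similar records without exchanging the records themselves, as an added example (not code from Lee et al. or Li et al.): every client hashes its feature vectors with the same random hyperplanes and only the bit signatures are compared. The sign-random-projection scheme, the function names, the shared seed and the sample vectors are assumptions chosen for illustration.

```python
import random


def shared_hyperplanes(dim, n_bits, seed):
    """Random hyperplanes that every client derives from the same agreed seed."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]


def signature(vec, planes):
    """Sign-random-projection LSH: one bit per hyperplane (which side vec falls on)."""
    bits = 0
    for plane in planes:
        side = sum(p * x for p, x in zip(plane, vec)) >= 0
        bits = (bits << 1) | int(side)
    return bits


def hamming(a, b):
    """Number of differing bits; small distance means a small angle between vectors."""
    return bin(a ^ b).count("1")


def similar_pairs(sigs_a, sigs_b, max_dist):
    """Pairs (id_a, id_b, distance) whose signatures differ in at most max_dist bits."""
    pairs = []
    for id_a, sa in sigs_a.items():
        for id_b, sb in sigs_b.items():
            d = hamming(sa, sb)
            if d <= max_dist:
                pairs.append((id_a, id_b, d))
    return sorted(pairs, key=lambda t: t[2])


# Constructed sample records (feature vectors) held by two different clients.
CLIENT_A = {"a1": [1.0, 0.9, 0.1, 0.0], "a2": [-0.5, 0.1, 1.0, 0.7]}
CLIENT_B = {"b1": [0.95, 1.0, 0.12, 0.02], "b2": [-1.0, 0.2, 0.9, -0.5]}

PLANES = shared_hyperplanes(dim=4, n_bits=256, seed=2020)
# Each client hashes locally; only the signatures leave the client.
SIGS_A = {k: signature(v, PLANES) for k, v in CLIENT_A.items()}
SIGS_B = {k: signature(v, PLANES) for k, v in CLIENT_B.items()}

if __name__ == "__main__":
    for id_a, id_b, dist in similar_pairs(SIGS_A, SIGS_B, max_dist=32):
        print(id_a, "matches", id_b, "at Hamming distance", dist)
```

The signatures still reveal approximate angles between records, so the signature length and the matching threshold are part of the privacy budget, not only the accuracy budget.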
  2. Secure aggregation

Secure multi-party computation (SMC) is employed, which mainly concentrate on how to safely calculate a function for various client without a reliable third party.

  • The first secure aggregation paper

    Bonawitz et al. (2017) proposed the first secure aggregation protocol with utilization of secure multiparty computation. In this agreement, model update information of each device is unrevealed to central server. Only after enough devices update their model, can server receive the aggregated model. Owing to the quadratic communication cost, the above-mentioned protocol is not applicable for larger scale situations.

  • Making secure aggregation more applicable in practice

    By this way, Hao, Li, Luo et al. (2019) envisioned a more efficient privacy-preserving scheme for FL, which integrate differential privacy and lightweight homomorphic encryption technology. This protocol, mainly for stochastic gradient descent approach, is robust to curious-but-honest server and collusion between the cloud and server.

  • Verifying the correctness of the model returned by the cloud server, and using secret sharing to keep gradient information from leaking to the cloud server

    Occasionally, global model returned by clouds may not reliable or complete. Because unreliable cloud server may be malicious to return a totally wronged model or may be lazy to convey a compressed but inaccurate model due to computational pressure. Thereafter Xu, Li, Liu, Yang, and Lin (2020) devised VerifyNet, the first protocol that can verify correctness of returned model from cloud. For privacy guarantee, they implemented variation of secret sharing combined with key agreement protocol to enhance confidentiality of gradients.

  • Determining whether a client's model is malicious

    The up-to-date approach proposed by Chen et al. (2020) also concentrated on secure aggregation scheme. They add an extra public parameter dispatch to each client to force them training in a same way, thus detect malicious client easily when making an aggregation stage.

Honestly, I was rather confused after reading this section. What exactly is secure aggregation in FL?

  • Preventing the server from learning a client's model
  • Preventing illegitimate aggregation by the server
  • Preventing illegitimate gradients from clients
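The first of these three meanings, pairwise masking in the style of the Bonawitz et al. protocol described above, as an added example that is not the protocol's reference code. The pre-shared per-pair seeds stand in for the key agreement step, SHA-256 in counter mode stands in for the PRG, and dropout recovery is left out; all names and the sample updates are assumptions.

```python
import hashlib
import secrets

MOD = 2 ** 32      # masks and updates live in the ring of integers mod 2^32
SCALE = 10 ** 4    # fixed-point scale for encoding float model updates


def prg(seed, length):
    """Expand a pairwise seed into `length` mask values (SHA-256 in counter mode)."""
    return [int.from_bytes(hashlib.sha256(seed + k.to_bytes(4, "big")).digest()[:4], "big")
            for k in range(length)]


def pairwise_seeds(n):
    """Stand-in for key agreement: one shared secret per pair of clients."""
    return {(i, j): secrets.token_bytes(16) for i in range(n) for j in range(i + 1, n)}


def mask_update(i, update, n, seeds):
    """What client i sends: its fixed-point update plus or minus every pairwise mask."""
    masked = [round(x * SCALE) % MOD for x in update]
    for j in range(n):
        if j == i:
            continue
        mask = prg(seeds[(min(i, j), max(i, j))], len(update))
        sign = 1 if i < j else -1          # the two ends of a pair use opposite signs
        masked = [(m + sign * r) % MOD for m, r in zip(masked, mask)]
    return masked


def aggregate(masked_updates):
    """Server side: sum the masked vectors; the pairwise masks cancel in the sum."""
    total = [sum(col) % MOD for col in zip(*masked_updates)]
    signed = [t - MOD if t >= MOD // 2 else t for t in total]
    return [s / SCALE for s in signed]


# Constructed sample: three clients, each with a two-parameter model update.
UPDATES = [[0.12, -0.40], [0.30, 0.05], [-0.22, 0.10]]
SEEDS = pairwise_seeds(len(UPDATES))
MASKED = [mask_update(i, u, len(UPDATES), SEEDS) for i, u in enumerate(UPDATES)]

if __name__ == "__main__":
    print("server sees from client 0:", MASKED[0])
    print("aggregate of all clients :", aggregate(MASKED))
    print("pairwise secrets needed  :", len(SEEDS))
```

The number of pairwise secrets grows as n(n-1)/2, which is the quadratic cost noted above, and because the server only ever sees the sum it cannot inspect an individual update for anomalies.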
  3. Protection methods in the FL framework

To enhance privacy for the framework, many hybrid approaches have been proposed.

  • Addressing the accuracy loss caused by differential privacy

    However, the introduced noise of differential privacy may lead to decreased accuracy. To reduce noise, the Hybrid-One scheme combine the use of DP with MPC without compromising accuracy rate, which protect communication messages rely on MPC thus introduce less noise than traditional local DP (Truex et al., 2019).

    This approach still has a communication problem:

    But this method often result in unaffordable communication cost and long convergence time as homomorphic encryption can be.

  • Then the efficient HybridAlpha emerged at the right moment, which combined functional encryption with SMC protocol to achieve the highly-performance model without privacy sacrifice (Xu, Baracaldo, Zhou, Anwar, & Ludwig, 2019).

  • The love story 💑 between federated learning and sketched algorithms

    Additionally, sketched algorithms are inherently suitable for FL since data identities are not stored, and extra mechanisms are needed to trace back original data. Inspired by this, Liu, Li, Smith, and Sekar (2019) established relationship between FL and sketching algorithm to strength confidentiality.

III. Applications of federated learning

This chapter is the part I actually care about most.

Applications on mobile devices

  • Mobile phones

    • The earliest application is Gboard

    • Improvements to keyboard prediction

      Further improvement for prediction on keyboard has been made through Chen, Mathews, Ouyang, and Beaufays (2019), Leroy, Coucke, Lavril, Gisselbrecht, and Dureau (2019), Hard, Rao, Mathews, Ramaswamy, Beaufays, Augenstein, and Ramage (2019) and Yang et al. (2018).

    • Emoji prediction

      Besides, emoji prediction is also a research hotspot (Ramaswamy et al., 2019).

    • Human trajectories

      In addition, bring FL model to smart devices to predict human trajectory (Feng, Rong, Sun, Guo, & Li, 2020)

    • Human behavior

      human behavior (Sozinov, Vlassov, & Girdzijauskas, 2018) is also a potential application.

  • Combining FL with mobile edge computing is a fairly good application direction

    Nowadays, although there is a rapid growth in storage capacity and computing power of mobile devices. It’s difficult to satisfy the growing quality demand from mobile subscribers due to communication bandwidth limitation. Thus, most of comprehensive provider prefer to offer a service environment at the edge of the cellular network close to the customer instead of integrate cloud computing and cloud storage in core network so as to reduce network congestion. This technology is dubbed mobile edge computing (MEC), but it also faces increased risk of information leakage.

    • One possible solution is the combination of FL and MEC, Wang, X. et al. (2019) investigate an ‘In-Edge AI’ framework which combine FL based on deep reinforcement learning with MEC system and further optimize resource allocation problem.
    • Further, Qian et al. (2019) devoted to utilizing FL on MEC. They developed a privacy-aware service placement scheme to provide high-quality service by caching desired service on the edge server close to the users.
  • IoT devices

    In this case, mobile devices not only refer to common smart phones but also refer to devices in IOT settings. Smart home is one of the important applicable fields of IoT. To better learn users’ preference, devices in smart home architecture would upload some related data to cloud server which may lead to data breach.

    • Therefore, Aïvodji, Gambs, and Martin (2019) present a sufficient secure federated architecture to build joint models.
    • Similarly, Yu et al. (2020) build a federated multi-task learning framework for smart home IOT to automatically learn users’ behavior patterns, which could effectively detect physical hazards.
    • Furthermore, Liu, Wang, Liu, and Xu (2020) proposed a data fusion approach based on FL for robots imitation learning in robot networking. This method could be leveraged on self-driving cars to generate guide models and foresee various emergencies. (foreseeing emergencies in autonomous driving)

Applications in industrial production

Driven by the achievement of FL in data privacy protection, it is logical for industrial engineering to follow it with applications of FL. Since data in these areas are not available directly due to some constraints of laws and regulations. However, only when FL is leveraged to these areas, can we make use of these disperse dataset to acquire infinite benefits.

  • Environmental protection

    Take environment protection as a case in point, Hu, Gao, Liu, and Ma (2018) designed a novel environmental monitoring frame based on federated region learning (FRL) for the sake of inconvenient interchangeable monitor data. Thus, monitoring data dispersed from various sensors could be utilized for superior performance of collaborative model.

  • FL is also applied to visual inspection task (Han, Yu, & Gu, 2019). It could not only help us solve the problem of lacking defective samples to detect defects in production tasks but also offered privacy guarantees for manufacturers.

  • In image fields, vision-and-language is also a flashpoint, Liu, Wu, Ge, Fan, and Zou (2020) bring FL to acquire diversiform representation from federated tasks for better grounding applications.

  • UAVs, the GOAT

    FL is suitable for malicious attacks detection in communication system composed by Unmanned Aerial Vehicles (UAVs) (Mowla, Tran, Doh, & Chae, 2020). Since the features of UAVs such as unbalanced data distribution and unreliable communication conditions are quite matching with challenges in FL.

  • Applying FL to congestion at charging stations

    With the popularization of electric vehicles, Saputra et al. (2019) designed a federated energy demand prediction method for various charging stations to prevent energy congestion in transmission process.

  • FL and finance: credit card fraud detection

    Moreover, Yang, Zhang, Ye, Li, and Xu (2019) leveraged FL to transactions owned by different banks in order to detect credit card fraud efficiently, which is also a significant contribution to financial field.

  • Text: email filtering and sentiment analysis

    For text mining, Wang, Tong, and Shi (2020) exploit an industrial grade federated framework based on Latent Dirichlet Allocation. It has passed the assessment on real data for spam filtering and sentiment analysis.

The authors' vision

To summarize, FL enable data owner to broaden the scope of data applications and improve model performance through iteration among different entities. In the future, FL technology would also support more industries to become more intelligent. The incorporation with FL in AI will build a federal ecosystem without data privacy concern.

Applications in health care

As a disruptive method to preserve data privacy, FL has great prospect in health care.

Each medical institute might have a lot of patient data, but that may be far from enough to train their own prediction models (Szegedi, Kiss, & Horváth, 2019). Combination of FL and disease prediction is one of the good solutions to break down the barriers of analysis throughout different hospitals.

  • Electronic health records: the first attempt at FL in this field

    Electronic health records (EMR) contain lots of meaningful clinical concepts, Kim, Sun, Yu, and Jiang (2017) gave an attempt to use tensor factorization models for phenotyping analysis to obtain information concealed in health records without sharing patient-level data. It could be regarded as the first attempt for FL application in medical industry.

  • Pfohl, Dai, and Heller (2019) explored differentially private learning for EMR in federated setting. And they further demonstrated the performance is comparable with training in a centralized setting.

  • Predicting heart disease mortality

    Huang, Shea et al. (2019) make use of EMRs scattered across hospitals to predict mortality rate for heart disease patients. During training process, there is not any form of data or parameters transmission among hospitals’ databases. Besides this, data consolidated from multiple remote clients into a central server is encoded in advance and the decoder will be abandoned at the end of training.

  • Assessing whether hospitalization is needed

    In addition, Brisimi et al. (2018) also use EMRs to evaluate whether a patient with heart disease will be hospitalized based on a FL algorithm called cluster Primal Dual Splitting (cPDS). This prediction work can be accomplished either on health monitoring devices or hospitals holding these medical data without information leakage.

  • Matching similar patients

    With utilization of health records, Lee et al. (2018) proposed a federated patient hashing framework to detect similar patients scattered in different hospitals without sharing patient-level information. This patient matching method could help doctors to summarize general character and direct them to treat patient with more experience.

  • Using FL to learn about the usage of a drug

    In addition, Huang, Yin et al. (2019) leveraged Loss-based adaptive boosting Federated Averaging algorithm on drug usage extracted from MIMIC-III database to predict patient mortality rate. This research concerned computation complexity and communication cost as well as accuracy for each client therefore outperform baselines.

  • The first attempt at FL in NLP

    Liu, Dligach, and Miller (2019) focus on need for unstructured data processing of clinical notes. It was the first attempt of NLP based on FL. They performed a two-stage federated training model contains pre-processing stage to predict a representation model for each patient and phenotyping training stage to study each kind of illness.

  • Medical image analysis: magnetic resonance images

    Recently, FL is also widely used in the area of biomedical imaging analysis. Federated principal components analysis (fPCA) has been put forward by Silva, Gutman, Romero, Thompson, Altmann, and Lorenzi (2019) to extract features from magnetic resonance images (MRI) come from different medical centers.

  • Applied to EEG, emmm, really nice

    Furthermore, Gao et al., (2019) proposed a hierarchical heterogeneous horizontal FL (HHHFL) framework for Electroencephalography (EEG) classification to overcome the challenge of limited labeled instances as well as the privacy constraint.

The authors' vision

  • In the future, medical data in hospitals could be cooperated with other institutions such as insurance agent to obtain reasonable pricing. Therefore, vertically FL is a promising direction to be explored.
  • Moreover, one problem is existing federal training mostly base on small set of organizations and is not able to extend to collaborative training for huge number of devices or institutions. Therefore, analysis of mobile devices data based on FL in an effective way should be progressed to generate more meaningful information.

The authors' summary figures are really nice. If I write a survey in the future I can use them as a reference and showcase the most representative papers of recent years; the timeline figure is also nice and worth learning from.


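IV. A bright future~ Directions for future research, food for thought 🤔

Asynchronous training mode

I have not read many papers yet, and asynchronous training mode is a concept I am hearing about for the first time. It is consistent with what I had been thinking about before, though; the main issues are asynchronous local updates and asynchronous aggregation.

Gradient aggregation methods

This is probably the first question that comes to mind. Emmm, we certainly cannot use FedAvg; aggregation has to differ according to the differences among clients.

Incentive mechanisms

Is this Professor T's research direction? I don't really get it, emm. It is about encouraging users to take part in the FL process.

FL and blockchain

I think this direction needs in-depth research.

FL and unsupervised machine learning

The authors argue that unlabeled data far outnumbers labeled data, so this direction deserves serious study. I agree.

References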

Li L, Fan Y, Tse M, et al. A review of applications in federated learning[J]. Computers & Industrial Engineering, 2020: 106854.
