A Blockchain-Based Federated-Learning Framework for Defense against Backdoor Attacks

Abstract

Federated learning (FL) is a technique that involves multiple participants who update their local models with private data and aggregate these models using a central server. Unfortunately, central servers are prone to single-point failures during the aggregation process, which leads to data leakage and other problems. Although many studies have shown that a blockchain can solve the single-point failure of servers, blockchains cannot identify or mitigate the effect of backdoor attacks. Therefore, this paper proposes a blockchain-based FL framework for defense against backdoor attacks. The framework utilizes blockchains to record transactions in an immutable distributed ledger network and enables decentralized FL. Furthermore, by incorporating the reverse layer-wise relevance (RLR) aggregation strategy into the participant’s aggregation algorithm and adding gradient noise to limit the effectiveness of backdoor attacks, the accuracy of backdoor attacks is substantially reduced. Furthermore, we designed a new proof-of-stake mechanism that considers the historical stakes of participants and the accuracy for selecting the miners of the local model, thereby reducing the stake rewards of malicious participants and motivating them to upload honest model parameters. Our simulation results confirm that, for 10% of malicious participants, the success rate of backdoor injection is reduced by nearly 90% compared to Vanilla FL, and the stake income of malicious devices is the lowest.

1. Introduction

Federated learning (FL) [1] is a technique that involves multiple participants who update their local models with private data and aggregate the models using a centralized server. However, the centralized server cannot detect the legitimacy of the local model. Thus, the centralized server is easily attacked by malicious participants, such as those implanting backdoors into the local model, causing incorrect predictions of classification results.

In FL, backdoor attacks are divided into attacker and defender attacks. Attackers can control one or more participants (malicious participants), whereas defenders are generally assumed to be participants rather than servers because servers would be easily infiltrated. In reality, only trusted servers can perform federated aggregation. Moreover, defenders are usually servers, but benign participants can also be regarded as defenders in some cases, particularly when attackers can only change the local training samples of participants but cannot modify their training process or trained model.

A blockchain is a distributed ledger with the fundamental characteristic of converting traditional centralized solutions into a distributed network structure [2,3]. This ensures data security on the blockchain through asymmetric encryption and other cryptographic technologies. At the same time, consensus mechanisms, smart contracts, and other mechanisms ensure the reliability of data on the blockchain, which is distributed among multiple participants.

FL and blockchain need multiple stakeholders to participate and achieve technological consensus to establish a trusted network. Both mechanisms show good complementarity. The distributed ledger characteristics of a blockchain naturally ensure the consistency and synchronization of the model parameter data and guarantee that the data shared among multiple stakeholders are secure, reliable, and transparent. This ensures that the exchanged model parameter data are transparent, traceable, and resistant to tampering and forgery. During the model-training process, participants are rewarded based on the quantity and quality of their training data, and the rewards are written onto the blockchain. The transparency and openness of the blockchain can encourage more stakeholders to join and simultaneously improve the degree of cooperation of stakeholders [4].

This article proposes the application of blockchain to FL to overcome barriers between centralized servers and participants and efficiently use computing resources [3]. Devices such as smartphones, IoT sensors, and vehicles generate large amounts of data, which creates a challenging situation: how to effectively apply the blockchain to FL to coordinate decentralized learning processes while maintaining learning security and data privacy.

Based on this goal, this paper proposes a blockchain-based FL (DBFL) framework to defend against backdoor attacks. This paper makes the following contributions:

• We use the blockchain to attain FL. Recording transactions in the immutable distributed ledger network improves the traceability, auditability, and tamper resistance of the joint model and avoids the single-point failures of the centralized server.
• We propose a new aggregation strategy where participants independently determine how aggregation is performed in the model, combined with reverse layer-wise relevance (RLR) [5], and further add gradient noise that limits the effectiveness of backdoor attacks.
• A new proof-of-stake consensus mechanism (PoSA) is designed to consider the historical stakes of participants and the accuracy of their local models. The PoSA mechanism reduces the stake rewards of malicious participants to motivate them to upload honest model parameters, thereby making the model-learning process more reliable and trustworthy.

This work may have considerable implications for future research and provide a practical solution for protecting privacy and security in FL.

This paper is organized as follows: In Section 2, we provide a summary of related work. Section 3 describes the proposed framework. We then discuss our experimental results in Section 4 and demonstrate the effectiveness of our approach in different environments. Finally, Section 5 provides our conclusions.

2. Related Work

FL is a distributed-learning paradigm that enables the centralized server to learn an accurate global model [5]. However, some participants in this process may be malicious, submitting malicious local models to the centralized server through backdoor attacks [6] and causing incorrect classification or decreased model accuracy after aggregation.

According to the object of the attack, this article divides backdoor attacks into two types: attacks on training data and attacks on local models. Attacks on training data are further divided into attacks based on label flipping and attacks based on planting triggers. Attacks based on label flipping do not modify the input data, only the labels, whereas attacks based on planting triggers modify both the input data and labels, effectively constructing an adversarial sample. Attacks on local models are divided into attacks based on modifications to the training process and attacks based on modifications to the trained model. The former occurs during the training process, whereas the latter mainly occurs after the model has been trained.

A blockchain is a distributed shared ledger where all participants record all historical transaction models; it is decentralized and immutable [2]. Using the blockchain, FL promotes traceability, auditability, and tamper resistance, making the model-learning process more transparent and secure [7]. Therefore, many model verification methods based on the blockchain are applied in the FL framework.

Islam et al. presented an FL-based data accumulation scheme that combined drones and blockchains to attain secure accumulation and privacy of the model [8]. Zhang et al. designed a blockchain-based model migration approach to achieve secure model migration and speed up the training of the model while minimizing computation costs [9]. Rückel et al. proposed an FL system that combines a blockchain, local differential privacy, and zero-knowledge proof, using multivariate linear regression to achieve economic incentives, trust, and confidentiality requirements [10]. In another study, Dong et al. constructed a secure, reliable, decentralized, and federated learning system (FLock system) based on a blockchain to detect and block malicious participants through on-chain intelligent contracts while motivating participants to upload and review model parameters honestly [11]. Stephanie et al. presented a secure multi-party computation-based ensemble FL with a blockchain that enabled heterogeneous models to collaboratively learn from the data of healthcare institutions without violating users’ privacy [12]. Wang et al. designed a new block structure, new transaction types, and a credit-based incentive mechanism (PF PoFL) that allowed for efficient model evaluation and utterly decentralized reward allocation [13].

Kalapaaking et al. proposed blockchain-based FL with SMPC model verification to detect and defend against malicious model updates while maintaining the privacy of the model [14]. BEAS was the first N-party FL framework based on a blockchain that provided strict privacy protection via improved gradient pruning for training models, which resulted in rigorous privacy protection. An abnormal detection protocol was proposed to reduce the risk of data poisoning attacks [7]. Baucas et al. proposed a platform using FL and private blockchain technology within a fog-IoT network, which can effectively preserve the privacy of patients and the integrity of the predictive service [15].

This paper uses difference privacy (DP) for privacy protection. Adding noise (which only requires the incorporation of pre-computed noise through an addition operation) is more effective than using complex cryptographic tools. Moreover, using DP and a PoSA consensus, we can guarantee the trust and privacy of the entire training process, which is impossible with the currently used techniques.

We compare DBFL against existing state-of-the-art frameworks for decentralized FL. DBFL uses a multi-channel permissioned blockchain to store all model gradients, which enables rapid scalability, auditability, transparency, and trust amongst collaborating entities. DBFL has over these approaches communication efficiency and easy-to-implement data privacy and security guarantees.

Table 1. “P” is Participants; “A” is Aggregator; “I” is Inference; “T” is Training; “DPS” is Data Poisoning; “MPS” is Model Poisoning; “BA” is Byzantine Attack; “FSS” is Function Secret Sharing protocol; “SMPC” is multi-party computation; “DP” is Differential Privacy; “BC” is Blockchain; “IP” is Identity Privacy; “S” is Scalability; “AU” is Asynchronous Updates; “DPS” is Dynamic Participants; “D” is Decentralized Premature; “PC” is Premature Convergence; “RM” is Reward Mechanism; — denotes non-existent party; ☾ denotes honest party; ☼ denotes semi-honest party; ☀ denotes dishonest party; × denotes does not provide property; √ denotes provides property.

Framework	Threat Model		Privacy Guarantees		Security Guarantees			Techniques Used				Features
	P	A	I	T	DPS	MPS	BA	FSS	SMPC	DP	BC	IP	S	AU	DPS	D	PC	RM
FBI [8]	☾	—	√	√	×	×	×	×	×	×	√	√	√	×	√	×	×	×
Zhang et al. [9]	☀	—	√	√	×	×	×	×	×	×	√	√	√	×	√	×	×	√
Rückel et al. [10]	☾	—	√	√	×	×	×	×	×	√	√	√	√	×	×	√	√	√
FLock [11]	☀	—	√	√	√	×	×	×	×	×	√	×	√	×	×	√	√	√
Stephanie et al. [12]	☾	—	√	√	×	×	×	×	√	√	√	√	√	×	√	×	×	×
PF-PoFL [13]	☼	—	√	√	×	√	×	×	×	√	√	√	√	×	√	√	×	√
Kalapaaking et al. [14]	☀	☼	√	√	√	√	×	√	√	√	√	√	√	×	√	×	√	×
BEAS [7]	☀	—	√	√	√	√	√	×	×	√	√	√	√	√	√	√	√	√
Baucas et al. [15]	☾	—	×	√	×	×	×	×	×	×	√	×	√	×	√	×	×	×
DBFL (ours)	☀	—	√	√	√	×	×	×	×	√	√	√	√	√	√	√	√	√

shows the comparative analysis of the proposed DBFL framework against other existing frameworks.

3. DBFL Framework

3.1. DBFL Operation Process

DBFL comprises a set of participants $\mathcal{N}=\left\{N_1,N_2,\dots N_{\mathrm{m}}\right\}$, and similar to Vanilla FL, it executes the learning process through a series of communication $\mathcal{R}=\left\{R_1, R_2, R_3,\dots \right\}$. All $N\in \mathcal{N}$ are assigned the following tasks in $R_j$: global model aggregation and local model update. All participants receive the winning block $bloc{k}_{j-1}$ from the previous round $R_{j-1}$ and add it to their blockchains. Through the recorded local models in $bloc{k}_{j-1}$, participants use the dynamic adaptive aggregation mechanism (Section 3.2) in round $R_j$ to build the global model $G_j$. In $R_j$, all participants perform local updates based on data samples $trai{n}_w$ used in training and the number of local training rounds $R_j$. This results in local model gradients $L_j^w$, which are encrypted using DP (Section 3.3) to obtain ${\tilde{L}}_j^w$. The variable ${\tilde{L}}_j^w$ and basic rewards $r_j^w$ are packaged as $t{x}_j^w({\tilde{L}}_j^w)$, and finally, participants send $t{x}_j^w({\tilde{L}}_j^w)$ to the miner to which they are connected (

Table 2. Symbolic representations used in our framework.

Symbols	Meaning
$\mathcal{N}$	A node in the blockchain node set ($\mathcal{N}=\left\{N_1, N_2,\dots N_{\mathrm{m}}\right\}$)
$N^w$	Blockchain Worker Node
$N^{wm}$	Blockchain Miner Node
$T$	Participant Online Probability
$T^w$	Worker waiting time
$T^m$	Miner waiting time
$R_j$	The jth round of communication
$trai{n}_w$	Node local private training dataset
$L_j^w$	Node j updates the local model in the $R_j$ round
$G_j$	$R_j$ round global model update
$r_j^w$	Basic rewards obtained by blockchain node j
$r_j^{wm-veri}$	Verification signature reward obtained by miner node j
$r_j^{wm}$	Mining reward obtained by miner node j
${\alpha }_j$	Accuracy ratio of blockchain winning miner node j model
${\beta }_j$	Historical Equity Ratio blockchain winning miner node j model
$bloc{k}_j^m$	The blocks mined by the miner node j
$bloc{k}_j$	The blocks mined by the winning miner node j
$\mathcal{L}\left(.\right)$	Accuracy function
$\mathcal{l}\left(.\right)$	Historical stakes function
$\zeta \left(.\right)$	Model aggregation method

).

A random selection of a part of $N^{wm}$ from the participants is assigned the following tasks: (i) the verification and signature validation of the local models collected and (ii) the collection, aggregation, and mining of all local updates for the ultimate winning block. If the signature of transaction $t{x}_j^w({\tilde{L}}_j^w)$ is verified, $N^{wm}$ extracts ${\tilde{L}}_j^w$ from $t{x}_j^w({\tilde{L}}_j^w)$. If the signature of $t{x}_j^w({\tilde{L}}_j^w)$ is not verified, $N^{wm}$ does not broadcast the ${\tilde{L}}_j^w$ packaged in the unverified $t{x}_j^w({\tilde{L}}_j^w)$.

Then, each miner $N^{wm}$ broadcasts $t{x}_j^w({\tilde{L}}_j^w)$ to all other miners. This ensures that each $N^{wm}$ has $t{x}_j^w({\tilde{L}}_j^w),$ and, thus, each $N^{wm}$ can access all ${\tilde{L}}_j^w$. At the same time, miner $N^{wm}$ receives a verification reward $r_j^{wm-veri}$ by verifying the signature of a $t{x}_j^w({\tilde{L}}_j^w)$.

If the signature is verified, $N^{wm}$ extracts ${\tilde{L}}_j^w$ from $t{x}_j^w({\tilde{L}}_j^w).$ Then, all local updates {${\tilde{L}}_j^w$} are collected and placed in the privately constructed $bloc{k}_j^m$ for all $N^w$. The content of the block is collected by hashing it and signing it with the private key, which is equivalent to proof-of-work mining with a difficulty of zero. The candidate block also contains all expected rewards $r_j^w$, $r_j^{wm-veri},$ and $r_j^{wm}$. The participant with the highest score from $N^{wm}$ is selected as the best participant, and its constructed candidate block ($bloc{k}_j^m$) is published to the blockchain as the final legitimate block ($bloc{k}_j$). All participants receive the winning block ($bloc{k}_j$) for this round and add it to their blockchains [2]. Using the local models recorded in $bloc{k}_j$, participants use the dynamic adaptive aggregation mechanism to build a global model $G_{j+1}$ for the next round of training.

Moreover, DBFL will first determine whether each participant $\mathcal{N}$ has successfully connected in each round (Figure 1).

3.1.1. Participant $N_{\mathrm{i}}$ Failed to Connect before Starting Local Training

The participant $N_{\mathrm{i}}$ will not receive the blocks and contact other participants to obtain the lost blocks for aggregation but will not receive stakes.

3.1.2. Participant $N_{\mathrm{i}}$ Failed to Connect during Local Training

Going online again will connect other participants to obtain lost blocks for aggregation but not receive stakes.

3.1.3. Participants $N_{\mathrm{i}}$ Failed to Have Connected after Local Training

Going online again will connect other participants to obtain lost blocks for aggregation and gain stakes.

3.1.4. The above Three Situations All Assume That the Miner Is Always Online

When the miner suddenly goes offline, the participants associated with it will be processed according to Section 3.1.1.

In reality, each participant $\mathcal{N}$ can be offline at any time. However, in the comparative experiment, to test the effectiveness of backdoor attacks, we set the probability parameters $T$ and waiting time $\left(T^w,T^m\right)$ always to be online and infinite waiting.

3.2. Dynamic Adaptive Aggregation Mechanism [16,17]

The gradient aggregation rule (GAR) aggregates gradients received from peers during each round. We designed the GAR to add robustness to the gradient generated by malicious participants who use backdoor attacks.

To improve the privacy of the FL aggregation process, we propose a dynamic adaptive aggregation mechanism that overcomes the drawbacks of traditional aggregation algorithms, which perform a single, undifferentiated aggregation. The proposed mechanism can adapt to local circumstances and determine the aggregation algorithm autonomously (Algorithm 1).

Algorithm 1: Dynamic adaptive aggregation mechanism

Input: $\mathcal{N}=\left\{N_1,N_2,\dots N_m\right\}$, $bloc{k}_{j-1}$ Output: $G_j$ 1 initialization: Broadcast $bloc{k}_{j-1}$ to the network and receive ${\tilde{L}}_{j-1}^w$ form peers; 2 For each participant $N\in \mathcal{N}$ in parallel do 3   $N$.receive($bloc{k}_{j-1}$); 4   Check the legitimacy of the $bloc{k}_{j-1}$ 5   If Verify($bloc{k}_{j-1}$)=True then 6       $N$ adds $bloc{k}_{j-1}$ to its own blockchain 7       Take the gradient of each participant from the $bloc{k}_{j-1}$:                $bloc{k}_{j-1}\left(t{x}_j^w({\tilde{L}}_j^w)\right)$--->$\left\{{\tilde{L}}_{j-1}^w\right\}$ 8       Adaptive selection aggregation method $\zeta \left(.\right)$ combined with RLR:                $G_j=\zeta \left(\left\{{\tilde{L}}_{j-1}^w\right\}\right)$; 9   Else 10      $N$ refuses to accept the $bloc{k}_{j-1}$ 11 End

Furthermore, to defend against backdoor attacks, we specifically require the aggregation algorithm of each participant to include an RLR aggregation strategy. This strategy adjusts the learning rate during aggregation based on the symbol information updated by the participants in each global iteration. If the number of models updating in the same direction exceeds a certain threshold, the learning rate is updated to minimize the loss on that dimension [18]. Otherwise (i.e., if the process indicates an attacker is trying to guide the parameters to an incorrect classification), the learning rate is updated in the direction that would maximize the loss on the unwanted dimension by negating the learning rate of that dimension (i.e., by multiplying it by −1). We set hyperparameter $\mathsf{\theta }$ to be the learning threshold. If

$$\left|{{\displaystyle \sum }}_{k}sgn\left(L_j^w\right)\right|\ge \theta ,$$

the learning rate is multiplied by 1; otherwise, it is multiplied by −1.

In this paper, DBFL uses FedAvg with RLR [5] and coordinate-wise median (COMED) with RLR [5] as the GAR. See Appendix A for the relevant assumptions and theorems.

3.3. Differential Privacy [19]

During each round, participant $N^w$ exchanges its random gradient with all other participants in the blockchain. Specifically, each participant maintains a true random gradient $L_j^w$ and a perturbed gradient ${\tilde{L}}_j^w$ that it wishes to share. The entire exchange process can be summarized in the following steps (Algorithm 2):

• Local gradient calculation. Calculate the local gradient $L_j^w$ by sampling a random local dataset.
• Addition of noise. Add stochastic Gaussian noise to the shared local gradient $L_j^w$, with the noise variance represented by input variable $\mathsf{\epsilon }$.
• Broadcast the gradient. Transmit the perturbed local gradient ${\tilde{L}}_j^w$ as a transaction to all other participants and receive the local gradients of other participants from the winning block.

Algorithm 2: Gradient Computation

Input: $\mathcal{N}=\left\{N_1,N_2,\dots N_m\right\}$, $R_j$, $trai{n}_w$, $G_j$ Output: $t{x}_j^w({\tilde{L}}_j^w)$ 1 initialization: 2 For each participant $N\in \mathcal{N}$ in parallel do   2.1 Local Computation:      Randomly sample $trai{n}_w$ and compute local stochastic gradient $L_j^w$ and $r_j^w$;   2.2 Adding Noise:      Randomly generate Gaussian noise ${\xi }_j^t\backsim N\left(0,\mathsf{\epsilon }\right)$ and add noise to the variable      ${\tilde{L}}_j^w=L_j^w+{\xi }_j^t$;   2.3 Broadcast Gradients:      Package gradient ${\tilde{L}}_j^w$ and $r_j^w$ into a transaction $t{x}_j^w({\tilde{L}}_j^w)$, Broadcast      $t{x}_j^w({\tilde{L}}_j^w)$ to the $N^{wm}$; 3 End

3.4. Threat Model

In FL, the training data is decentralized, and the aggregation server is only exposed to model updates. Given that, backdoor attacks are typically carried out by constructing malicious updates. The attacker tries to create an update that encodes the backdoor so that when the malicious update is aggregated with other updates, the aggregated model exhibits the backdoor. A prominent way of carrying backdoor attacks is through Trojans. A Trojan is a carefully crafted pattern that is leveraged to cause the desired misclassification. The toxic data are generated by (i) extracting all the base class instances that were constructed from the original validation data and (ii) adding backdoor patterns and relabeling them as the target class. In other words, the models with backdoors classify the base class examples that have backdoor patterns as the target class.

We assume that blockchain devices are rational [9]. These devices can evaluate their interests based on public information and maximize their benefits without performing operations that would harm them. Furthermore, we assume that blockchain devices are always on alert and do not trust each other.

We also assume that blockchain technology is credible. The blockchain is mainly maintained by devices with robust computation, storage, and communication capabilities and uses a consensus mechanism that is friendly to devices. Furthermore, most entities in the blockchain are reliable, and the records on the blockchain cannot be tampered with. Therefore, we can regard the blockchain as a trusted infrastructure, and we ignored attacks against it.

3.5. PoSA Blockchain Consensus

The PoSA blockchain consensus process deeply integrates the blockchain, PoSA consensus protocol [20], and GAR [16] aggregation functions. Specifically, the blockchain consensus includes two parts: an equity calculation and the choice of winners among the miners.

3.5.1. Calculation of Stakes

The PoSA consensus mechanism protects local model updates that are authorized for legitimate learning and ensures that these updates are recorded on the blockchain and used to update the global model. Because miners are responsible for aggregating local updates and recording them in a block, when a malicious device becomes a miner, it may attempt to disrupt the computation of the global model by placing false local updates and forged validator signatures in the blocks it mines. Therefore, avoiding blocks mined by malicious participants during selection is crucial for a robust blockchain FL.

Hence, inspired by the reward mechanism in VBFL [2] and reinforced by the role-switching strategy, PoSA rewards devices according to the roles they play, with $r$ being the unit reward.

The various types of rewards are described below.

Basic reward. Participants that perform local updates in $R_j$ receive a proportional reward based on the number of data samples that ${\mathrm{train}}_w$ used for training and the number of local training rounds $R_j$ (indicated by $l{e}_j^w$). The basic reward for participants in $R_j$ is calculated as follows:

$$r_j^w=l{e}_j^w\ast \left|trai{n}_w\right|\ast r$$

(1)

where $r$ is the unit reward. To encourage participants to partake in the construction of the model, the basic reward accounts for 75% of the total profit generated during the model construction process.

Signature verification reward. The participant’s id is the public key, which is used to verify the signature of the transactions or blocks generated by the $N^{\mathit{wv}}$. Participants partaking in mining tasks receive verification rewards $r_j^{wm-veri}$ by verifying the signature of a local update transaction $t{x}_j^w$. Formula (2) is used for calculation.

$$r_j^{wm-veri}=\left|\left\{t{x}_j^w\right\}\right|\ast r$$

(2)

Mining reward. Those participating in mining tasks in $R_j$ verify aggregated validator transactions $\left\{t{x}_j^v\left(l_j^w\right)\right\}$ received from other participants and place them in a privately constructed winning block (${\mathit{block}}_j^{\mathit{wm}}$). After the block is published to the blockchain, participants receive mining rewards. Formula (3) is used for the calculation.

$$r_j^{wm}=\left|\left\{t{x}_j^w\left({\tilde{L}}_j^w\right)\right\}\right|\ast r$$

(3)

3.5.2. PoSA Miner Options

If workers actively train the model, PoSA rewards them with worker stakes to incentivize them to contribute substantial amounts of high-quality data and legally execute as many epochs as possible. Therefore, as the communication loop continues, the accumulated interest in the equipment can demonstrate its total contribution to the entire learning process. When selecting blocks for the global model update, PoSA instructs participants to select the block produced by the miner with the highest score in $N^{wm}$. Because this miner makes the greatest contribution to the learning process, it is considered the most trustworthy with the lowest probability of blocking this process.

The participant weight calculation is divided into two parts: the model accuracy ratio and the historical state ratio. The model accuracy ratio is defined as

$${\alpha }_j=\frac{\mathcal{L}\left({\tilde{L}}_j^w\right)}{{{\displaystyle \sum }}_{i=1}^{n_k}\mathcal{L}\left({\tilde{L}}_i^w\right)}$$

(4)

We used a shared dataset (MNIST) to test the model accuracy of the blockchain miners so that all miners obtain the same accuracy through their own test set. The historical stake ratio is defined as

$${\beta }_j=\frac{\mathcal{l}\left(N_j^{wm}\right)}{{{\displaystyle \sum }}_{i=1}^{n_k}\mathcal{l}\left(N_i^{wm}\right)}$$

(5)

and the participant score is

$$Q_j=\omega {\alpha }_j+\left(1-\omega \right){\beta }_j$$

(6)

where the trade-off coefficient $\omega \in \left(0,1\right)$.

In the current implementation, there may be a turn composed of all malicious devices in $N^{\mathit{wm}}$. Malicious devices may be selected as the winning miner because they have more rights than other legitimate miners in $N^{wm}$. The role-switching strategy ensures that miners are randomly selected in each new round, reducing the probability that malicious devices are continuously assigned the miner’s role. Furthermore, role switching can prevent “non-democratic side effects” [21] (i.e., the winning miner does not continuously choose the equipment with the highest rights). Preventing these side effects can alleviate the risk of damage to the device and the possibility of attacks against the learning process. In Section 4, we validate the effectiveness of miner selection under the PoSA consensus.

4. Experiment

All experiments were implemented and completed using PyTorch [22] on a virtual machine, which used NVIDIA A100 GPU and Intel (R) Xeon (R) CPU @ 2.60GHz from Dell Computer in Urumqi, China. Multi-GPU training is not conducted in the paper experiments. We evaluate our framework on the public MNIST dataset.

The model architecture used in our experiment is from [18], a five-layer convolutional neural network consisting of about 1.2M parameters, which is composed of two convolutional layers followed by max-pooling layers and two fully connected layers.

The MNIST dataset is a subset of the NIST dataset. The training set contains a total of 60,000 images and labels, while the test set contains a total of 10,000 images and labels. Each image is a handwritten digital image with 28 ∗ 28 pixels ranging from 0 to 9, with pixel values ranging from 0 to 255.

We report the hyperparameters of our experiments and briefly discuss our choices.

• R: Number of rounds
• W: Blockchain Worker Node
• M: Blockchain Miner Node
• F: Fraction of corrupt participants
• P: Fraction of trojaned samples in a corrupt participant’s dataset
• C: Fraction of selected participants for training in a round
• E: Number of epochs in local training
• B: Batch size of local training
• T: Node online probability
• Tw: Worker waiting time
• Tm: Miner waiting time
• $\mathsf{\eta }$: learning rate
• $\mathsf{\theta }$: Threshold for RLR

We start with a setting where data is distributed in i.i.d. among participants (

Table 3. Hyperparameters for all i.i.d. experiments.

R	F	C	P	E	B	$\mathbf{\theta }$	$\mathbf{\eta }$	T	Tw	Tm
100	0.1	1	0.5	5	128	4	0.01	1 (100%)	$\infty$	$\infty$

). Concretely, we use the MNIST dataset and give each participant an equal number of samples from the training data via uniform sampling.

In all DBFL experiments, participants that performed the local update task received the most substantial stake rewards. Based on this, some participants were randomly selected for block-mining tasks. Each round of communication involved five local training iterations, a learning rate of 0.01, and a batch size of 128. We evaluated the performance of DBFL using the following standard metrics:

• Test error: This is the percentage of incorrect predictions made using the test dataset. We measured test errors based on rounds, network size, backdoor attacks, and privacy budgets.
• Stake accumulation: We measured the accumulation of stakes by the participants in the blockchain.

The following subsections provide a detailed analysis of the different aspects of the DBFL experiments.

4.1. Network Size Convergence

For simplicity, we represented the FL scheme as “PURE” (i.e., it does not utilize any DP techniques, GAR, or blockchain systems), and used “DP” to represent the learning scheme that is solely based on the “PURE” DP techniques. We compared DBFL with the PURE and DP schemes under non-attacked conditions. As shown in Figure 2, the test error almost converged after 20 rounds, but the fluctuations were large when N was small (≤5). When N = 20, all schemes achieved almost the same convergence.

4.2. Privacy Budget [19]

We tested our DBFL scheme by setting $\mathsf{\epsilon }$ to 0.001, 0.005, and 0.02. Among these, $\mathsf{\epsilon }=0.001$ represents the most robust privacy protection. The results shown in Figure 3 indicate that when N = 10, the convergence of noise with $\mathsf{\epsilon }$ equal to 0.001, 0.005, and 0.02 was similar. However, when N = 20, larger values may have led to greater testing errors. These results indicate that the trade-off between accuracy and privacy protection should be carefully adjusted based on the specific requirements of privacy protection and model accuracy.

4.3. Backdoor Attacks Caused by Malicious Participants

We provide empirical evidence to demonstrate the effectiveness of the defense capabilities of our framework. The general process is as follows: We simulate an FL network with 10 participants, with 10% of them being malicious. We randomly select one participant as the malicious participant and insert a backdoor into the training set labels, with label “5” causing the data to be misclassified as “7” (Figure 4). The test set of the malicious participant is also injected with backdoor data to compare the backdoor accuracy. The toxic data are generated by (i) extracting all the base class instances constructed using the original validation data and (ii) adding backdoor patterns and relabeling them as the target class [23]. In other words, the models with backdoors classify the base class examples that have backdoor patterns as the target class.

After receiving and aggregating updates, we measure the two key performance indicators of the aggregation algorithm: validation accuracy (%), which represents the global accuracy of the validation set before backdoor injection, and backdoor accuracy (%), which represents the rate of success of relabeling data with backdoor patterns as the target class.

As shown in

Table 4. Evolution of testing accuracy under different frameworks. Final backdoor, validation, and base class accuracies for different aggregations in i.i.d. settings.

Scheme	M	$\mathit{\epsilon }$	RLR Used?	Backdoor (%)	Validation (%)	Base (%)
PURE	0	0	N	99.8	96.4	98.7
DP	0	5 × 10−3	N	98.5	96.8	99
DBFL1	2	5 × 10−3	Y	9.6	95.6	97.7
DBFL2	2	5 × 10−3	Y	9.3	95.2	97
DBFL3	2	5 × 10−3	Y	9.1	94.8	97.4

, DBFL1, DBFL2, and DBFL3 represent GAR using FedAvg with RLR and COMED with RLR as the model aggregation method but applying different ratios ((0.8, 0.2), (0.5, 0.5), and (0.2, 0.8), respectively). COMED with RLR performs better than FedAvg with RLR. Thus, as the percentage of participants using COMED with RLR as the aggregation strategy increases, the accuracy of the global model increases.

4.4. Effectiveness of PoSA

To evaluate the effectiveness of PoSA, we selected a case where 10% of the participants performed backdoor attacks [2,23]. We observed the accumulation of stakes for each participant. Taking DBFL3 as an example, we considered four cases that represented the proportion of historical stakes in the participant’s score, while N represented the number of malicious participants that performed backdoor attacks. When only historical stakes were considered, the stakes of the malicious participants were not affected. When $\mathsf{\omega }$ = 0.5 or 1, the stakes of the malicious participants were the lowest, indicating that the local model gradient of the participants is crucial when evaluating them.

The miner selection mechanism in PoSA is related to the miners’ interests. Hence, we can evaluate the effectiveness of legal miner selection in PoSA by comparing the maliciousness of winning miners chosen based on model accuracy and historical stakes. For PoSA, we set the waiting time of the propagation block to infinite so that each miner could complete their block mining and receive propagation blocks from all other miners. The last propagation block was immediately determined as the legal block after the reception. The curve of accumulated stakes (Figure 5) revealed that because our framework considers both historical stakes and the accuracy of the participants’ models, the stakes of malicious participants grow slowly and remain the lowest during the round. Therefore, in the proposed framework, the blocks of malicious participants are less likely to be selected as the winning block.

5. Conclusions and Future Work

This article addresses how to effectively coordinate FL processes while maintaining learning security and user privacy [24]. We propose an FL framework that withstands backdoor attacks in a blockchain environment by incorporating an RLR aggregation strategy into the aggregation algorithm of the participant and adding gradient noise to limit the effectiveness of backdoor attacks. This framework effectively minimizes the risk of backdoor attacks and enhances the robustness of FL against backdoor attacks. Our DBFL framework also implements various blockchain functions, such as signature verification and simulation of chain resynchronization.

The DBFL framework proposed in this article runs in simulation mode. Hence, the development of more effective blockchain data structures, chain resynchronization algorithms, and fault tolerance mechanisms is needed to test the performance of DBFL in actual distributed systems [2].