TLDR: Sentinel is a remote attestation-based framework that significantly enhances the security of Federated Learning (FL) by verifying the integrity of client-side training processes. Unlike traditional data-driven defenses, Sentinel uses a Trusted Execution Environment (TEE) to monitor control-flow and critical variables during local training. This system-level approach effectively mitigates Byzantine attacks, such as model and data poisoning, by ensuring only legitimate model updates are aggregated. Evaluated on IoT devices, Sentinel demonstrates superior defense capabilities against targeted and untargeted attacks with minimal runtime and memory overhead, making it a practical solution for trustworthy FL in mission-critical scenarios.
Federated Learning (FL) has emerged as a powerful approach for collaboratively training artificial intelligence models across distributed devices without requiring the sharing of sensitive raw data. This privacy-preserving capability makes it particularly attractive for applications in mission-critical environments, such as disaster response, remote surveillance, and defending decentralized infrastructure, where data locality and security are paramount.
However, the distributed nature of FL introduces a significant challenge: the central server must inherently trust the local training processes of participating clients. This blind trust makes FL systems vulnerable to Byzantine attacks, where malicious participants can manipulate their model updates (model poisoning) or use carefully crafted datasets (data poisoning) to degrade the global model’s performance or inject backdoors. Detecting these attacks is complex because variations in model updates can stem from legitimate factors, like diverse data distributions (non-IID data), rather than adversarial behavior. Existing data-driven defenses often struggle to differentiate between malicious updates and natural variations, leading to high false positive rates and ineffective filtering.
To address this critical security gap, researchers propose Sentinel, a novel remote attestation (RA)-based scheme designed to enhance client-side transparency and mitigate Byzantine threats in FL systems from a system security perspective. Sentinel moves beyond traditional data-driven defenses by focusing on verifying the integrity of the training process itself.
How Sentinel Works
Sentinel operates through a four-step process to ensure the trustworthiness of local training:
1. Code Instrumentation: The framework instruments the original training source code on client devices. This instrumentation allows Sentinel to track the control-flow (the sequence of operations and function calls) and monitor critical variables (like learning rates, batch sizes, loaded datasets, model weights, gradients, and loss values) during the local training process.
2. Runtime Training Measurement: To guarantee the integrity of these measurements, Sentinel leverages a Trusted Execution Environment (TEE) as a root of trust. Within the TEE, a ‘trusted training recorder’ dynamically records control-flow traces and monitors the usage of critical variables. This ensures that the execution reports generated are tamper-proof.
3. Attestation Report Generation: To prevent forgery and replay attacks, the measurement engine cryptographically signs the execution data, along with a unique challenge issued by the server for the current FL iteration, using its TEE signing key. This signed attestation report, containing control-flow information, critical variable usage, and the challenge, is then securely transmitted to the central server along with the client’s model updates.
4. Training Verification: Upon receiving the report, the server first verifies its authenticity and integrity. It then analyzes the recorded execution path to ensure control-flow integrity (comparing it against the expected logic) and validates data integrity by checking critical variable usage. If any anomalies are detected—such as unauthorized program behavior or data manipulation—the corresponding model updates are flagged as potentially compromised and excluded from the global model aggregation. Only trusted model updates that pass all verification checks are aggregated into the global model.
By enforcing execution integrity on the client side, Sentinel eliminates the need for the central server to blindly trust remote clients, significantly reducing the attack surface and mitigating potential Byzantine attacks that aim to tamper with the training process. This system-oriented defense complements existing data-driven approaches by adding a robust layer of verifiable client training.
Also Read:
- Building Trust in Decentralized AI Systems: A New Defense Against Malicious Actors
- Securing AI on the Go: A Look at Privacy and Security in Mobile Large Language Models
Evaluation and Impact
Sentinel was prototyped and evaluated on IoT devices, specifically Raspberry Pi V devices, simulating FL clients. The experiments involved various machine learning tasks on datasets like FMNIST and CIFAR-10, under both IID (independent and identically distributed) and non-IID data settings. The framework was tested against targeted and untargeted control-flow hijacking and data-only attacks, and its performance was compared with several existing defense baselines.
The results demonstrated Sentinel’s clear advantages. It effectively nullified targeted attacks, achieving a 0% attack success rate in all tested scenarios. For untargeted attacks, Sentinel consistently achieved the highest model accuracy, significantly outperforming conventional data-driven defenses, especially in challenging non-IID environments where other methods struggled. This highlights Sentinel’s ability to distinguish adversarial behavior from natural data heterogeneity.
Crucially, Sentinel maintains a low overhead in terms of runtime and memory usage, making it practical for real-world mission-critical FL deployments. The verification time on the server side also remains low, preventing bottlenecks in the FL pipeline. For more details, you can refer to the full research paper: Enabling Trustworthy Federated Learning via Remote Attestation for Mitigating Byzantine Threats.
In conclusion, Sentinel represents a significant step forward in securing Federated Learning by providing a robust, system-level defense against Byzantine attacks. By ensuring the integrity of local training processes through remote attestation, it enhances the transparency and trustworthiness of FL, paving the way for more secure and reliable collaborative AI in sensitive applications.
