In this work, we propose a general solution to address the non-IID challenges that hinder many defense methods against backdoor attacks in federated learning. Backdoor attacks involve malicious clients attempting to poison the global model. While many defense methods effectively filter out these malicious clients using clustering techniques, their effectiveness diminishes when the federated learning process involves non-IID datasets. In such cases, clustering methods struggle to distinguish between benign and malicious clients due to the inherent variability in the clients' data distributions.
Our proposed solution leverages data generation to mitigate the non-IID nature of clients' local datasets. By generating synthetic data, the datasets become more IID, enabling defense methods to once again effectively counter backdoor attacks. Evaluations are carried out on standard datasets in the image classification fields, like MNIST and CIFAR-10. The results show that the data generation solution can effectively improve the performance of defense methods and filter out malicious clients again. Although the generated data samples may suffer from low quality and limited diversity due to constraints in training the generative adversarial networks (GANs), our approach demonstrates significant improvements in defending against backdoors.

This thesis paper addresses the vulnerability of Deep Neural Networks (DNNs) to adversarial attacks. We introduce Multi-Scale Inpainting Defense (MSID), a novel adversarial purification method leveraging a pre-trained diffusion denoising probabilistic model (DDPM) for targeted perturbation removal. MSID employs a four-step process: (1) multi-scale superpixel segmentation, (2) occlusion sensitivity map generation at multiple scales to identify important regions for inference, (3) targeted inpainting using the DDPM, and (4) artifact removal using Variance Preservation Sampling. We investigate the effectiveness of diffusion-based inpainting for robust defense, the impact of multi-scale occlusion sensitivity mapping, and the robustness of MSID against a set of adversarial attacks, including color-based attacks. Our experiments demonstrate that MSID outperforms existing adversarial purification methods, achieving robustness improvements of up to 5.42% on CIFAR-10 and 10.75% on ImageNet against AutoAttack, with further gains against PGD and unseen attacks, while maintaining high standard accuracy. This paper, to the best of our knowledge, is the first to apply DDPM inpainting for targeted adversarial purification and demonstrates its effectiveness in purifying a range of adversarial attacks.

This work explores the feasibility of combining zero-knowledge proofs with SGX enclave protection technology, using the Hyperledger fabric, as the testing environment. The focus is on assessing the viability of this combination in real-world scenarios where post-quantum security is crucial. To this end, a new zero-knowledge proof, called Vesper, has been developed. This is a lattice-based zk-SNARK with a Regev commitment scheme. Vesper aims to provide a novel approach to developing lattice-based zero-knowledge proofs suitable for blockchain environments. Vesper features a proof size of 128 bytes, an average verification time of 0.14 ms, requires no trusted setup, while achieving at least 128-bit and 256-bit security. Only the proof geberation time increases when the LWE dimension increases. To analyze and explore the potential of combining Intel SGX with such a ZKP and Hyperledger Fabric, two projects have been developed: 1. Vesper Smart Contract: This project uses Vesper in combination with a lattice-based digital signing scheme that has been NIST-approved. The proof generation benefits from SGX enclave protection, while the verifier for Vesper is deployed in a permissioned blockchain as a smart contract. Middleware using Fabric Peer command line interface (CLI) tools facilitates commu- nication between the prover and verifier sides. 2. Vesper-FPC: This project explores the feasibility of protecting Hyperledger Fabric chaincode with an SGX enclave. It combines Vesper with a simplified lattice-based digital signing function to accommodate a restricted environment. Both the proof generation and the deployed verifier are SGX-protected. Communication is managed via custom peer CLI commands specifically de- signed to handle the interaction between the additional SGX protection layer and the blockchain infrastructure. The simplified digital signing scheme of Vesper-FPC has a fast average verification time of 1.46 ms and an even faster average signing time of 0.49 ms while achiving 128-bit security. This is quicker than the NIST-approved digital signing scheme of Vesper Smart Contract, which has average signing and verification times of approximately 76.52 ms and 13.25 ms, respectively. The simplified version features a private key size of 512 bytes, a signature size of 768 bytes, and a public key size of 48 KB. In contrast, the digital signing scheme of Vesper Smart Contract has a private key size of 2528 bytes, a signature size of 2420 bytes, and a public key size of 1312 bytes. The execution time of Vesper Smart Contract without SGX is on average approximately 2086.83 ms for a 128-bit security level. Adding SGX protection on the prover side increased the average execution time to 26339 ms. Vesper-FPC, with SGX protection for both the prover and the deployed verifier, has an average execution time of approximately 51229 ms.

Federated learning (FL) allows the collaborative training of a model while keeping data decentralized. However, FL has been shown to be vulnerable to poisoning attacks. Model poisoning, in particular, enables adversaries to manipulate their local updates, leading to a significant degradation of the global model accuracy. Most state-of-the-art attacks rely on prior knowledge of the server's aggregation rules (AGRs), so-called AGR-tailored attacks, making them more effective than AGR-agnostic attacks that lack such information. In this paper, we propose AIDA (Adaptive Inference-Driven Attack), the first adaptive AGR-agnostic attack. This attack begins with an AGR-agnostic approach where it analyzes the training process to identify the aggregation rule that the server is using, and it then transitions to a more powerful AGR-tailored attack. Extensive experiments reveal that AIDA substantially outperforms other state-of-the-art AGR-agnostic attacks, achieving additional model degradation of up to 3.01% on Krum, 13.96% on MKrum, and 2.85% on FLAME. These results demonstrate the effectiveness of AIDA and its ability to significantly degrade the global model performance, making it a more generic and powerful attack than existing AGR-agnostic approaches.

This thesis explores the application of a modular execution environment, specifically utilizing the Move Virtual Machine (MoveVM), within a blockchain-agnostic framework. The study aims to demonstrate how this modular approach can enhance the execution capability of existing blockchain systems. The case study focuses on the IOTA Distributed Ledger Technology (DLT), known for its unique Tangle architecture, which differentiates it from traditional blockchain technologies.

The research begins by detailing the current limitations in existing blockchain platforms, such as their dependence on specific consensus algorithms and rigid execution environments. It then introduces the MoveVM, developed firstly by the Libra (Diem) project and now by the projects Sui and Aptos, highlighting its advantages in terms of security, programmability, and modularity.

By integrating an object-flavored MoveVM into the IOTA framework, the study examines how the modular smart contract execution environment can operate almost independently of the underlying ledger. The work for this thesis was conducted in two main parts. In the first part, a prototype was created by integrating a modified version of the existing IOTA node software with an object-flavored Move execution environment. In the second part, a Move Swap smart contract was developed at the application layer to showcase the system's ability to support an advanced intent-based architecture. This approach, which executes based on user intents rather than declarative smart contract commands, offers significant economic benefits and reduces unnecessary costs for users.

To validate the effectiveness of this approach, the thesis presents empirical data and performance metrics gathered from various test scenarios. The results demonstrate the successful integration of the Move smart contract execution into the IOTA node software, but also significant improvements resource efficiency thanks to the intent-based architecture.

In conclusion, this thesis contributes to the growing body of knowledge on blockchain technology by showcasing the potential of MoveVM in enhancing the functionality and performance of blockchain-agnostic networks. Moreover, the findings suggest that the intent-based approach not only simplifies user interactions but also enables advanced functionalities and custom on-chain VMs, paving the way for innovative applications in DLTs.

One distinguishable feature of file-inject attacks on searchable encryption schemes is the 100% query recovery rate, i.e., confirming the corresponding keyword for each query. The main efficiency consideration of file-injection attacks is the number of injected files. In the work of Zhang et al. (USENIX 2016), log_2|K| injected files are required, each of which contains |K|/2 keywords for the keyword set K. Based on the construction of the uniform (s,n)-set, Wang et al. need fewer injected files when considering the threshold countermeasure. In this work, we propose a new attack that further reduces the number of injected files where Wang et al. need up to 38% more injections to achieve the same results. The attack is based on an increment (s,n)-set, which is also defined in this paper.

Threshold signatures play a crucial role in the security of blockchain applications. An efficient threshold signature can be applied to enhance the security of wallets and transactions by enforcing multi-device-based authentication, as this requires adversaries to compromise more devices to recover the key. Additionally, threshold signatures can protect user privacy, for instance, by enabling anonymous transaction signing on behalf of a group of users sharing a blockchain wallet. This study conducts a comprehensive analysis of threshold signature schemes, identifying FROST as the premier choice due to its performance efficiency, improved energy consumption, and practical feasibility on mid-range IoT devices and smartphones as demonstrated through empirical testing. Furthermore, we introduce a protocol for integrating FROST with Hyperledger Fabric v3.0, aimed at enhancing IoT devices' ability to interact with blockchain networks through efficient transaction signing. Our experiments reveal that an IoT network of five devices, under optimal network conditions, can sign a transaction and commit it to the Hyperledger Fabric network within 3.2 seconds, leveraging a 2-second batch timeout configuration.

Previous research has explored the detection of adversarial examples with dimensional reduction and Out-of-Distribution (OOD) recognition. However, these approaches are not effective against white-box adversarial attacks. Moreover, recent OOD methods that utilize hidden units hinder the scalability of the target model.

For that reason, various explanations of adversarial examples are studied to get a better understanding about its properties and anomalies. Furthermore, we discuss the added value of using natural scene statistics and utility functions to improve the relevance of the features for detection. By utilizing the anomalies we identified for adversarial examples in an ensemble, this thesis is the first to propose a robust solution for adaptive and white-box attacks.

Particularly, we address these challenges with MeetSafe. A Gaussian Mixture Model that leverages principal component analysis, feature squeezing, and density estimation to detect adaptive white-box adversaries. Furthermore, our enhanced Local Reachability Density (LRD) algorithm further improves the efficiency of state-of-the-art OOD methods. In particular, the proposed LRD enhances scalability by feature bagging hidden units with large absolute Z-scores. We then show that predictors, including LRD, are far more effective in ensembles like MeetSafe which supports prior conjectures that a range of different heuristics may further constrain adversaries when combined.

Extensive experiments on 14 models show that MeetSafe detects adaptive perturbations with an accuracy of 62% on STL-10, 75% on CIFAR-10, and 99% on MNIST using either adversarial training or Reverse Cross Entropy (RCE), achieving an improvement of at least 8.1% for each evaluated method by averaging across the three datasets.

Searchable symmetric encryption (SSE) is an encryption scheme that allows a single user to perform searches over an encrypted dataset. The advent of dynamic SSE has further enhanced this scheme by enabling updates to the encrypted dataset, such as insertions and deletions. In dynamic SSE, attackers have employed file injection attacks, initially proposed by Cash et al. (CCS 2015), to obtain sensitive information. These attacks have shown impressive performance with 100% accuracy and no prior knowledge requirement. However, they fail to recover queries with underlying keywords not present in the injected files. To address these limitations, our research introduces a novel attack strategy that incorporates the idea of inference attacks relying on uniqueness in leakage patterns. The goal is to achieve an amplified effect in query recovery. Additionally, we propose a keyword classification based on their access patterns, which helps identify the current limitation of query recovery in reference attacks. With our proposed attack, we demonstrate a minimum query recovery rate of 1.3 queries per injected keyword with a 10% data leakage of real-life datasets. Furthermore, our findings initiate further research to overcome challenges associated with non-distinctive keywords faced by inference attacks.

Current backdoor attacks against federated learning (FL) strongly rely on universal triggers or semantic patterns, which can be easily detected and filtered by certain defense mechanisms such as norm clipping, comparing parameter divergences among local updates. In this work, we propose a new stealthy and robust backdoor attack with flexible triggers against FL defenses. To achieve this, we build a generative trigger function that can learn to manipulate the benign samples with an imperceptible flexible trigger pattern and simultaneously make the trigger pattern include the most significant hidden features of the attacker-chosen label. Moreover, our trigger generator can keep learning and adapt across different rounds, allowing it to adjust to changes in the global model. By filling the distinguishable difference (the mapping between the trigger pattern and target label), we make our attack naturally stealthy. Extensive experiments on real-world datasets verify the effectiveness and stealthiness of our attack compared to prior attacks on decentralized learning framework with eight well-studied defenses.

The Machine Learning (ML) technology has taken the world by storm since it equipped the machines with previously unimaginable decision-making capabilities. However, building powerful ML models is not an easy task, but the demand for their utilization in different industries and areas of expertise is high. This was recognized by entities that have managed to create ML models and they started offering ML prediction services to clients in exchange for financial compensation. In this work, we explore how a ML predication service platform can be built in which we focus on two things: (1) privacy-preservation which entails keeping the client’s datasets and service provider’s ML models private and (2) inference verifiability ensuring that the ML prediction service providers do not commit fraud. The result are two platforms: ML Prediction Service Platform (MLPSP) which does not protect the secrecy of the client’s datasets but offers model privacy and verifiability of the predictions and Input-Privacy ML Prediction Service Platform (IP-MLPSP) which protects the secrecy of the client’s dataset and model privacy but the verifiability is probabilistic.

A searchable symmetric encryption (SSE) scheme allows a user to securely perform a keyword search on an encrypted database. This search capability is useful but comes with the price of unintentional information leakage. An attacker abuses leakage to steal confidential information by launching SSE attacks. In this work, our goal is to design a new inference attack that improves the query recovery accuracy of an existing attack. We combine an additional volume leakage pattern and investigate the effectiveness of existing countermeasures against it. Our attack utilizes similar data knowledge and known queries to perform the attack. The results show that usage of an additional volume leakage pattern results in an improved query recovery accuracy, and a more stabilized spread in the results. When an attacker knows up to 4 known queries, we observe an improved query recovery accuracy between 5 and 19.5%. Furthermore, we investigate if the attack can be improved even further by utilizing clustering. However, the results are too close with a high trade-off in performance. From our findings, we can generalize that additional knowledge available to the attacker improves query recovery accuracy. More leakage combinations and their impact are open to future research.

In this work, we propose FLVoogd, an updated federated learning method in which servers and clients collaboratively eliminate Byzantine attacks while preserving privacy. In particular, servers use automatic Density-based Spatial Clustering of Applications with Noise (DBSCAN) combined with S2PC to cluster the benign majority without acquiring sensitive personal information. Meanwhile, clients build dual models and perform test-based distance controlling to adjust their local models toward the global one to achieve personalizing. Our framework is automatic and adaptive that servers/clients don't need to tune the parameters during the training. In addition, our framework leverages Secure Multi-party Computation (SMPC) operations, including multiplications, additions, and comparison, where costly operations, like division and square root, are not required. Evaluations are carried out on some conventional datasets from the image classification field. The result shows that FLVoogd can effectively reject malicious uploads in most scenarios; meanwhile, it avoids data leakage from the server-side.

Searchable Symmetric Encryption (SSE) schemes provide secure search over encrypted databases while allowing admitted information leakages. Generally, the leakages can be categorized into access, search, and volume pattern. In most existing Searchable Encryption (SE) schemes, these leakages are caused by practical designs but are considered an acceptable price to achieve high search efficiency. Many attacks on SSE schemes have shown that such leakages could be easily exploited to retrieve the underlying keywords for search queries. Each attack abuses a different leakage pattern and uses different techniques to achieve high query recovery accuracy. An attacker could be passive or active, where an active attacker can inject files in an SSE scheme, while a passive attacker only observes the queried data. Some passive attacks use the number of files returned by a query to create a match with a candidate keyword. Others use the co-occurrence of multiple keywords in the files to match a query with the same occurrence. We continue this research and design a new Volume and Access Pattern Leakage-abuse Attack (VAL-Attack) that exploits both the access and volume patterns. Our proposed attack only leverages leaked documents and the keywords present in those documents as auxiliary knowledge and can effectively retrieve document and keyword matches from leaked data. Furthermore, the recovery performs with great accuracy and without false positives. We compare VALAttack with two recent well-defined attacks on several real-world datasets to highlight the effectiveness of our attack and present the performance under popular countermeasures.

This paper offers a prototype of a smart-contract-based encryption scheme meant to improve the security of user data being uploaded to the ledger. A new extension to the self-encryption scheme was introduced by integrating identity into the encryption process. Such integration allows to permanently preserve ownership of the original file and link it to the person who originally encrypted it. Moreover, self-encryption provides strong security guarantees under the condition that the encrypted file and the key are safely stored.

Blockchain technologies allow users to securely store and trace their data on a fully decentralized system, and have the potential to make a huge impact on many industries. While traditional, permissionless blockchains such as Bitcoin, Ethereum, and Cardano are very popular, they are currently unable to provide trust and privacy on the network. To solve these issues, many new, permissioned blockchain technologies have been implemented, including Hyperledger Fabric. Although Hyperledger Fabric has proven to be highly successful in providing trust and privacy through the use of identities, channels, and private data collections, one of its major drawbacks is the lack of a flexible and scalable access control system. Currently, access control decisions have to be built into each smart contract individually, which can cause many vulnerabilities and prevent access policies to be updated dynamically.

This research aims to answer the research question “How can secure access control in Hyperledger Fabric be guaranteed by combining multiple ID’s, attributes, and policies with the components that regulate access control?”. To answer this question, the access control system currently used by Hyperledger Fabric is first completely analyzed. Next, a new implementation is proposed that builds upon the existing solution but provides users and developers with easier ways to make access control decisions based on combinations of multiple ID's, attributes, and policies. This solution is then implemented using the smart contract technology of Hyperledger Fabric, which allows it to easily be deployed to existing Hyperledger Fabric networks. Finally, the performance impact of this proposed implementation is analyzed, and new areas of research are proposed that can potentially be explored in future papers.

At the end of this research, it was concluded that it is possible to combine multiple ID's, attributes, and policies with the help of Hyperledger Fabric's smart contract technology. Furthermore, it could be seen that the performance impact for real-world applications is negligible compared to the insecure case of always providing access to a resource without performing access control.

Machine learning has been applied to almost all fields of computer science over the past decades. The introduction of GANs allowed for new possibilities in fields of medical research and text prediction. However, these new fields work with ever more privacy-sensitive data. In order to maintain user privacy, a combination of federated learning, differential privacy and GANs can be used to work with private data without giving away a users' privacy. Recently, two implementations of such combinations have been published: DP-Fed-Avg GAN and GS-WGAN. This paper compares their performance and introduces an alternative version of DP-Fed-Avg GAN that makes use of denoising techniques to combat the loss in accuracy that generally occurs when applying differential privacy and federated learning to GANs. We also compare the novel adaptation of denoised DP-Fed-Avg GAN to the state-of-the-art implementations in this field.

Federated learning (FL), although a major privacy improvement over centralized learning, is still vulnerable to privacy leaks. The research presented in this paper provides an analysis of the threats to FL Generative Adversarial Networks. Furthermore, an implementation is provided to better protect the data of the participants with Trusted Execution Environments (TEEs), using Intel Software Guard Extensions. Lastly, the viability of it’s use in practice is evaluated and discussed. The results indicate that this approach protects the data, while not affecting the predicting capabilities of the model, with a noticeable but manageable impact on the training duration.

Federated learning is an emerging concept in the domain of distributed machine learning. This concept has enabled GANs to benefit from the rich distributed training data while preserving privacy However,in a non-iid setting, current federated GAN architectures are unstable, struggling to learn the distinct features and vulnerable to mode collapse. In this paper, we propose a novel architecture MULTIFLGAN to solve the problem of low-quality images, mode collapse and instability for non-iid datasets. Our results show that MULTI-FLGAN is four times as stable and performant (i.e. high inception score) on average over 20 clients compared to baseline FLGAN.

A Generative Adversarial Network (GAN) is a deep-learning generative model in the field of Ma- chine Learning (ML) that involves training two Neural Networks (NN) using a sizable data set. In certain fields, such as medicine, the data involved in training may be hospital patient records that are stored across different hospitals. The classic cen- tralized implementation would involve sending the data to a centralized server where the model would be trained. However, that would involve breach- ing the privacy and confidentiality of the patients and their data, and would be unacceptable. There- fore, Federated Learning (FL), a ML technique that trains ML models in a distributed setting without data every leaving the host device, would be a bet- ter alternative to the centralized option. In this ML technique, only parameters and certain meta- data would be communicated. In spite of that, there still exist attacks that can infer user data using the parameters and metadata. A fully privacy preserv- ing solution involves homomorphically encrypting (HE) the data communicated. This paper will focus on the performance loss of training a FL-GAN with three different types of homomorphic encryption: Partial Homomorphic Encryption (PHE), Some- what Homomorphic Encryption (SHE), and Fully Homomorphic Encryption (FHE). We will also test the performance loss of Multi Party Computations (MPC), as it has homomorphic properties. The per- formance will be compared to the performance of training an FL-GAN without encryption. Our ex- periments show that the more complex the encryp- tion method is, the longer it takes, with the extra time taken for HE being quite significant in com- parison to the base case of FL.