{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,27]],"date-time":"2026-03-27T17:09:12Z","timestamp":1774631352069,"version":"3.50.1"},"reference-count":139,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"name":"NICT, Japan","award":["JPJ012368C01901"],"award-info":[{"award-number":["JPJ012368C01901"]}]},{"name":"JST ASPIRE, Japan","award":["JPMJAP2323"],"award-info":[{"award-number":["JPMJAP2323"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2024]]},"DOI":"10.1109\/access.2024.3404948","type":"journal-article","created":{"date-parts":[[2024,5,24]],"date-time":"2024-05-24T17:26:06Z","timestamp":1716571566000},"page":"103949-103975","source":"Crossref","is-referenced-by-count":3,"title":["A Security-Oriented Overview of Federated Learning Utilizing Layered Reference Model"],"prefix":"10.1109","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4032-4117","authenticated-orcid":false,"given":"Jiaxing","family":"Lu","sequence":"first","affiliation":[{"name":"Graduate School of Interdisciplinary Information Studies, The University of Tokyo, Bunkyo-ku, Tokyo, Japan"}]},{"given":"Norihiro","family":"Fukumoto","sequence":"additional","affiliation":[{"name":"Graduate School of Interdisciplinary Information Studies, The University of Tokyo, Bunkyo-ku, Tokyo, Japan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0012-5287","authenticated-orcid":false,"given":"Akihiro","family":"Nakao","sequence":"additional","affiliation":[{"name":"Graduate School of Engineering, The University of Tokyo, Bunkyo-ku, Tokyo, Japan"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"Cisco Annual Internet Report (2018\u20132023) White Paper","year":"2020"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3031234"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/CBMS.2015.26"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-45691-7_4"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2014.2299233"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/SAS.2015.7133628"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/JSYST.2012.2221934"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.2018.1700202"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.2014.6863125"},{"key":"ref10","article-title":"Federated optimization: Distributed machine learning for on-device intelligence","author":"Konecny","year":"2016","journal-title":"arXiv:1610.02527"},{"key":"ref11","article-title":"Federated learning: Strategies for improving communication efficiency","author":"Konecny","year":"2016","journal-title":"arXiv:1610.05492"},{"key":"ref12","article-title":"Communication-efficient learning of deep networks from decentralized data","author":"Brendan McMahan","year":"2016","journal-title":"arXiv:1602.05629"},{"key":"ref13","first-page":"1","article-title":"A little is enough: Circumventing defenses for distributed learning","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"32","author":"Baruch"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2021.3124599"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2020.2986024"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2020.2975749"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3013541"},{"key":"ref18","doi-asserted-by":"crossref","first-page":"619","DOI":"10.1016\/j.future.2020.10.007","article-title":"A survey on security and privacy of federated learning","volume":"115","author":"Mothukuri","year":"2021","journal-title":"Future Gener. Comput. Syst."},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1007\/s41666-020-00082-4"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2021.106775"},{"issue":"19","key":"ref21","doi-asserted-by":"crossref","first-page":"9901","DOI":"10.3390\/app12199901","article-title":"Privacy and security in federated learning: A survey","volume":"12","author":"Gosselin","year":"2022","journal-title":"Appl. Sci."},{"key":"ref22","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1016\/j.comcom.2023.05.012","article-title":"A survey on federated learning for security and privacy in healthcare applications","volume":"207","author":"Coelho","year":"2023","journal-title":"Comput. Commun."},{"key":"ref23","article-title":"Security and privacy issues of federated learning","author":"Hasan","year":"2023","journal-title":"arXiv:2307.12181"},{"key":"ref24","article-title":"A survey on decentralized federated learning","author":"Gabrielli","year":"2023","journal-title":"arXiv:2308.04604"},{"key":"ref25","doi-asserted-by":"crossref","first-page":"29","DOI":"10.17352\/tcsit.000066","article-title":"Security and privacy in federated learning: A survey","volume":"8","author":"Kandati","year":"2023","journal-title":"Trends Comput. Sci. Inf. Technol."},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/3298981"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1561\/2200000083"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3494834.3500240"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.5895"},{"key":"ref30","first-page":"1","article-title":"Fully decentralized federated learning","volume-title":"Proc. 3rd Workshop Bayesian Deep Learn.","author":"Lalitha"},{"key":"ref31","article-title":"On the convergence of FedAvg on non-IID data","author":"Li","year":"2019","journal-title":"arXiv:1907.02189"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/ICC.2019.8761315"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1007\/s13042-022-01647-y"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-86044-8_6"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102402"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/TCOM.1980.1094702"},{"issue":"1","key":"ref37","first-page":"1793","article-title":"Statistical normalization and back propagation for classification","volume":"3","author":"Jayalakshmi","year":"2011","journal-title":"Int. J. Comput. Theory Eng."},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1186\/s13040-017-0155-3"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/TWC.2020.3031503"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1007\/s11704-021-0598-z"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.2988575"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/1666420.1666444"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2017.215"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-70604-3_2"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-48354-7_9"},{"key":"ref47","first-page":"35","article-title":"Experiences threat modeling at Microsoft","volume-title":"Proc. MODSEC@ MoDELS","author":"Shostack"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.6028\/nist.ai.100-2e2023"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-021-00105-6"},{"key":"ref50","first-page":"2484","article-title":"Simple black-box adversarial attacks","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Guo"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/3447548.3467386"},{"key":"ref52","first-page":"1299","article-title":"When does machine learning FAIL? Generalized transferability for evasion and poisoning attacks","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Suciu"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-63076-8_1"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"ref55","article-title":"Federated learning: Opportunities and challenges","author":"Mary Mammen","year":"2021","journal-title":"arXiv:2101.05428"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2021.3128646"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_24"},{"key":"ref58","first-page":"1","article-title":"Poison frogs! targeted clean-label poisoning attacks on neural networks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"31","author":"Shafahi"},{"key":"ref59","article-title":"BadNets: Identifying vulnerabilities in the machine learning model supply chain","author":"Gu","year":"2017","journal-title":"arXiv:1708.06733"},{"key":"ref60","article-title":"Mitigating Sybils in federated learning poisoning","author":"Fung","year":"2018","journal-title":"arXiv:1808.04866"},{"key":"ref61","first-page":"634","article-title":"Analyzing federated learning through an adversarial lens","volume-title":"Proc. 36th Int. Conf. Mach. Learn.","author":"Bhagoji"},{"key":"ref62","first-page":"2938","article-title":"How to backdoor federated learning","volume-title":"Proc. Int. Conf. Artif. Intell. Statist.","author":"Bagdasaryan"},{"key":"ref63","article-title":"Intriguing properties of neural networks","author":"Szegedy","year":"2013","journal-title":"arXiv:1312.6199"},{"key":"ref64","first-page":"1","article-title":"Machine learning with adversaries: Byzantine tolerant gradient descent","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"30","author":"Blanchard"},{"key":"ref65","first-page":"1","article-title":"Deep leakage from gradients","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"32","author":"Zhu"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134012"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"ref71","article-title":"Overlearning reveals sensitive attributes","author":"Song","year":"2019","journal-title":"arXiv:1905.11742"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/CSF57540.2023.00027"},{"key":"ref73","article-title":"IDLG: Improved deep leakage from gradients","author":"Zhao","year":"2020","journal-title":"arXiv:2001.02610"},{"key":"ref74","first-page":"17","article-title":"Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing","volume-title":"Proc. 23rd USENIX Secur. Symp.","author":"Fredrikson"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00027"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/MCOM.001.2000196"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00038"},{"key":"ref78","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow","year":"2014","journal-title":"arXiv:1412.6572"},{"key":"ref79","article-title":"Model extraction attacks on split federated learning","author":"Li","year":"2023","journal-title":"arXiv:2303.08581"},{"key":"ref80","first-page":"1895","article-title":"Evaluating differentially private machine learning in practice","volume-title":"Proc. 28th USENIX Security Symp.","author":"Jayaraman"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1098\/rsta.2018.0083"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2017.10"},{"key":"ref83","article-title":"Can you really backdoor federated learning?","author":"Sun","year":"2019","journal-title":"arXiv:1911.07963"},{"key":"ref84","first-page":"1846","article-title":"Free-rider attacks on model aggregation in federated learning","volume-title":"Proc. Int. Conf. Artif. Intell. Stat.","author":"Fraboni"},{"key":"ref85","article-title":"Free-riders in federated learning: Attacks and defenses","author":"Lin","year":"2019","journal-title":"arXiv:1911.12560"},{"key":"ref86","first-page":"1","article-title":"Advanced free-rider attacks in federated learning","volume-title":"Proc. 1st NeurIPS Workshop New Frontiers Federated Learn. Privacy, Fairness, Robustness, Personalization Data Ownership","author":"Zhu"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1109\/ISCC55528.2022.9912903"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2023.3298606"},{"key":"ref89","article-title":"PASS: A parameter audit-based secure and fair federated learning scheme against free-rider attack","author":"Wang","year":"2022","journal-title":"arXiv:2207.07292"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1145\/62212.62238"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1109\/MCOM.004.2100867"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560663"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00033"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.3390\/ijerph19095477"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3449926"},{"key":"ref97","first-page":"1273","article-title":"Communication-efficient learning of deep networks from decentralized data","volume-title":"Proc. Artif. Intell. Statist.","author":"McMahan"},{"key":"ref98","article-title":"Protection against reconstruction and its applications in private federated learning","author":"Bhowmick","year":"2018","journal-title":"arXiv:1812.00984"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2017.2787987"},{"key":"ref100","article-title":"Learning differentially private language models without losing accuracy","author":"McMahan","year":"2017","journal-title":"arXiv:1710.06963"},{"key":"ref101","first-page":"1","article-title":"cpSGD: Communication-efficient and differentially-private distributed SGD","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"31","author":"Agarwal"},{"key":"ref102","first-page":"1605","article-title":"Local model poisoning attacks to Byzantine-robust federated learning","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Fang"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.00995"},{"key":"ref106","article-title":"Differentially private federated learning: A client level perspective","author":"Geyer","year":"2017","journal-title":"arXiv:1712.07557"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1109\/lcomm.2019.2921755"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2019.2952332"},{"key":"ref109","article-title":"Certifiable black-box attack: Ensuring provably successful attack for adversarial examples","author":"Hong","year":"2023","journal-title":"arXiv:2304.04343"},{"key":"ref110","article-title":"Mitigating adversarial effects through randomization","author":"Xie","year":"2017","journal-title":"arXiv:1711.01991"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1803.01442"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00045"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00191"},{"key":"ref114","article-title":"Towards deep learning models resistant to adversarial attacks","author":"Madry","year":"2017","journal-title":"arXiv:1706.06083"},{"key":"ref115","first-page":"1","article-title":"Adversarial training and robustness for multiple perturbations","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"32","author":"Tramer"},{"key":"ref116","first-page":"5498","article-title":"The odds are odd: A statistical test for detecting adversarial examples","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Roth"},{"key":"ref117","first-page":"2317","article-title":"Adversarial detection avoidance attacks: Evaluating the robustness of perceptual hashing-based client-side scanning","volume-title":"Proc. 31st USENIX Secur. Symp.","author":"Jain"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00044"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-63387-9_5"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1145\/3214303"},{"key":"ref121","article-title":"A fully homomorphic encryption scheme","author":"Gentry","year":"2009"},{"key":"ref122","first-page":"493","article-title":"BatchCrypt: Efficient homomorphic encryption for cross-silo federated learning","volume-title":"Proc. USENIX Annu. Tech. Conf.","author":"Zhang"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5422"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-79228-4_1"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1561\/9781601988195"},{"key":"ref126","article-title":"SoK: Training machine learning models over multiple sources with privacy preservation","author":"Song","year":"2020","journal-title":"arXiv:2012.03386"},{"key":"ref127","first-page":"1","article-title":"Practical locally private heavy hitters","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"30","author":"Bassily"},{"key":"ref128","article-title":"Differentially-private `draw and discard machine learning","author":"Pihur","year":"2018","journal-title":"arXiv:1807.04369"},{"key":"ref129","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133982"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1145\/3458864.3466628"},{"key":"ref131","first-page":"1","article-title":"Efficient and private federated learning using tee","volume-title":"Proc. EuroSys Conf.","author":"Mo"},{"key":"ref132","volume-title":"Intel SGX Explained","author":"Costan","year":"2016"},{"key":"ref133","volume-title":"Open Portable Trusted Execution Environment","year":"2022"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1038\/s42256-021-00337-8"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1145\/3338501.3357371"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2015.2484326"},{"key":"ref137","doi-asserted-by":"publisher","DOI":"10.29012\/jpc.v7i2.652"},{"key":"ref138","article-title":"Rewarding high-quality data via influence functions","author":"Richardson","year":"2019","journal-title":"arXiv:1908.11598"},{"key":"ref139","article-title":"One-shot federated learning","author":"Guha","year":"2019","journal-title":"arXiv:1902.11175"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/6287639\/10380310\/10538336.pdf?arnumber=10538336","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,7]],"date-time":"2024-08-07T07:04:53Z","timestamp":1723014293000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10538336\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":139,"URL":"https:\/\/doi.org\/10.1109\/access.2024.3404948","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024]]}}}