BFG: privacy protection framework for internet of medical things based on blockchain and federated learning

Abstract

The deep integration of Internet of Medical Things (IoMT) and Artificial intelligence makes the further development of intelligent medical services possible, but privacy leakage and data security problems hinder its wide application. Although the combination of IoMT and federated learning (FL) can achieve no direct access to the original data of participants, FL still can't resist inference attacks against model parameters and the single point of failure of the central server. In addition, malicious clients can disguise as benign participants to launch poisoning attacks, which seriously compromises the accuracy of the global model. In this paper, we design a new privacy protection framework (BFG) for decentralized FL using blockchain, differential privacy and Generative Adversarial Network. The framework can effectively avoid a single point of failure and resist inference attacks. In particular, it can limit the success rate of poisoning attacks to less than 26%. Moreover, the framework alleviates the storage pressure of the blockchain, achieves a balance between privacy budget and global model accuracy, and can effectively resist the negative impact of node withdrawal. Simulation experiments on image datasets show that the BFG framework has a better combined performance in terms of accuracy, robustness and privacy preservation.

KEYWORDS:

• Blockchain
• federated learning
• generative adversarial network
• internet of medical things
• privacy protection

1. Introduction

The rapid development of IoT technology has brought more possibilities and broader development prospects to various fields (Zhang, Wang, et al., 2023), and an increasing number of IoT devices are widely used in sustainable smart cities, smart healthcare, and other fields (Han et al., 2021). The development of advanced science and technology has led to a broadening of the coverage of smart cities and smart healthcare (Liang, Li, et al., 2022).

With the continuous development of intelligent medical systems, a large number of medical Internet of Things (IoMT) devices, such as wearable sensors, are widely used to collect medical data. IoMT is expected to transform the healthcare system into a user-centered personalised service system, providing users with better medical management. Artificial intelligence (AI) is used for intelligent analysis of this data to achieve better intelligent medical applications, such as disease prediction and remote health monitoring. AI combined with blockchain technology, being applied to IoT devices, can further ensure data integrity (Zeng et al., 2021). Machine learning shows great potential in medical data analysis by processing rich data to train models with satisfactory performance. However, traditional machine learning uses centralised training methods and needs to aggregate the collected data into the cloud or data centre, which may cause serious data security and privacy leakage problems, e.g. malicious tampering, data loss, and hacker attacks (Liang, Xiao, et al., 2021). Therefore, in the AI era (Long et al., 2022), data security has attracted considerable attention (Liang, Xie, Zhang, Li, & Li, 2021), and privacy security is at great risk (Zhang, Hu, Liang, Li, & Gupta, 2023), especially in the medical field, which will pose a major threat to the safety and privacy of patients. For example, attackers can attack data uploaded by centralised servers and IoMT devices and tamper with the patient's data, which will seriously endanger the health of patients. Many governments have enacted laws to protect users’ private data, especially highly sensitive health data, such as the US's Health Insurance Portability and Accountability Act (HIPAA) and the European Union's General Data Protection Regulation (GDPR) (Drake & Ridder, 2022).

In this context, Federated Learning (FL), a distributed collaborative machine learning framework (Zhang, Xie, et al., 2021), allows multiple health data clients (e.g. IoMT devices) to collaboratively train machine learning models without sharing local raw data, which not only solves the data silo problem but also potentially reduces the risk of user data and sensitive information leakage, contributing to the implementation of smart healthcare applications in IoMT. In addition, FL attracts large computational and dataset resources from many health data clients to train AI models, and the quality of health data training (e.g. accuracy) will be significantly improved, which may not be achieved by centralised AI methods with less data and limited computing power (Nguyen et al., 2022). Compared with traditional centralised learning, on the one hand, FL reduces communication costs by moving parameter updates rather than raw data from the client to the data centre, on the other hand, it reduces computational costs by leveraging the computational resources of individual local devices, and enhances user privacy protection since local data never leaves the client device. Because of these benefits, FL is gaining popularity at an alarming rate, despite its recent introduction into the healthcare field. However, as privacy attacks become more advanced and diverse, several challenges remain to be addressed when applying FL to healthcare:

• FL needs a trusted central server to aggregate the model parameters uploaded by individual participants, and in the event that the central server is crashed by an attack and has a single point of failure, the training of FL will be interrupted and stopped.

• In the FL training process, the model parameters uploaded by the local client may still be stolen by an attacker, who can infer the original confidential data through the model parameters, which will seriously threaten data privacy security.

• Since FL does not contain an authentication mechanism, a malicious client can disguise itself as a benign participant in FL training and launch poisoning attacks, such as label flipping, to compromise the accuracy of the global model.

The above challenges are shown in Figure 1.

Figure 1. Challenges for smart healthcare based on FL.

To address the above challenges, this paper presents a novel privacy-preserving framework (BFG) for decentralised FL that utilises blockchain technology based on Inter Planetary File System (IPFS), differential privacy, and generative adversarial network (GAN). The aim of this framework is to enable smart healthcare in a privacy-preserving and data-secure manner. The main contributions of this paper are as follows:

• We propose an IoMT privacy-preserving framework based on blockchain and FL. This framework stores FL tasks and model updates by using blockchain and IPFS, achieving dual on-chain and off-chain storage. This reduces the storage pressure on the blockchain and implements decentralised FL training to solve the single point of failure problem.

• We achieve differential privacy by adding Laplace noise to the model update, which adds an additional layer of security to blockchain-based FL. This is to address inference attacks and further prevent data privacy exposure. It also balances the privacy budget with accuracy.

• We use GAN to design a distributed poisoning defense mechanism for blockchain-based FL. This is achieved by reconstructing training data from local data and using the generated data as an auditing dataset to evaluate the accuracy of each participant's model. The purpose of this is to discard poisoning models with accuracy below a threshold value and to detect and mitigate poisoning attacks.

The remainder of this article is organised as follows. In the second part, we introduce the related work. In the third part, we provide brief background knowledge. In the fourth part, we introduce the designed BFG privacy protection framework. In the fifth part, we present the experimental results and discussion. In the sixth part, we conclude and provide future research directions.

2. Related work

In recent years, AI has been applied to many healthcare applications to improve the diagnostic rate of diseases and enhance the predictive effect of diseases. For example, machine learning is used to process medical images and analyze electronic health record data. At the same time, the deep integration of IoMT and ML makes the further development of medical services promising. Data collected by IoMT can be uploaded to the data centre for training effective and accurate models, which is of great significance for accurate analysis of diseases and telemedicine. Radakovich et al. (Radakovich et al., 2020) applied ML to hematological malignancies for tumour detection and analysis. Tariq et al. (Tariq et al., 2021) developed a multimodal fusion AI model based on past medical data to predict the severity of COVID-19. Roimi et al. (Roimi et al., 2020) developed an ML algorithm for early diagnosis of bloodstream infections in intensive care units. However, these centralised ML training methods upload sensitive clinical data to the data centre, which may lead to data leakage during transmission, and there are great privacy risks.

As a distributed collaborative learning framework, FL stores all sensitive data on local devices and performs model training for transmitting model updates. It provides a good privacy protection scheme for fragmented medical data (such as data collected by IoMT). In recent years, the application of FL in healthcare has been continuously proposed. Srivastava et al. (Srivastava et al., 2020) proposed a FL-based method to assist the diagnosis of acute neurological symptoms, such as severe headaches or loss of consciousness, to promote X-ray scanning imaging in intelligent medicine. Hao et al. (Hao et al., 2020) proposed a protocol based on privacy and optimal resource usage for FL to analyze electronic health records. Qayyum et al. (Qayyum et al., 2022) proposed a clustering FL-based approach to process clinical visualisation data at the edge, enabling remote hospitals to benefit from multimodal data while preserving privacy. These FL efforts avoid direct exposure of data in transit, but this requires a trusted central server to aggregate model updates and distribute the global model, thus increasing the risk of a single point of failure leading to an overall breakdown of training. In addition, once the model update is stolen during transmission, the attacker can infer important information related to the original data, which will pose a great threat to privacy security.

To solve these problems, FL, which introduces blockchain and differential privacy to achieve decentralised privacy protection, becomes a feasible and effective approach. Ali et al. (Ali et al., 2021) presented IoT-based use cases on the envisioned dispersed FL and introduced blockchain-based traceability functions to improve privacy. Prokop et al. (Prokop et al., 2022) proposed a solution that leverages checksums in blockchain-based FL to ensure the security of the model transmitted between units in FL. Adnan et al. (Adnan et al., 2022) conducted a case study of applying a differentially private FL framework for the analysis of histopathology images while proposing the standard DP-SGD approach, which clips gradient updates and adds noise. Wang et al. (Wang et al., 2020) proposed a privacy prevention algorithm consisting of reinforcement learning, blockchain, and differential privacy, which is deployed in FL aggregators to avoid privacy leakage attacks. Zhang, Li, Zhang, Gai, & Qiu (2021) proposed a medical data privacy protection framework based on blockchain (MPBC). In this framework, they protect privacy by adding differential privacy noise into FL. The implementation of blockchain and differential privacy in FL makes data more secure in terms of privacy and reduces the risk of single point of failure and inference attacks occurring. However, these above works do not address the problem of poisoning attacks by malicious participants. Cao et al. (Cao et al., 2023) proposed a FL method based on co-training and GAN that allows each client to design its own model to participate in FL training independently without sharing any model architecture or parameter information with other clients or a centre. Tabassum et al. (Tabassum et al., 2022) designed a novel distributed GAN-based intrusion detection model for smart IoT devices that augments the data on IoT devices using synthetic data generated by GAN to solve the problem of limited, missing, and unbalanced data on IoT devices. While these solutions are effective in preventing privacy breaches and intrusion detection, they do not specifically and significantly address poisoning attacks and ignore the diversity of privacy attacks. The comparison of existing works and our scheme is shown in Table 1. The research content in the BFG framework and the methodology used is shown in Table 2. The research summary in the exiting framework and the methodology used is shown in Table 3.

Table 1. The comparison of existing works and our scheme.

	Schemes
Features	Hao et al., 2020	Qayyum et al., 2022	Ali et al., 2021	Adnan et al., 2022	Wang et al., 2020	Zhang et al., 2021	Cao et al., 2023	Ours
FL	√	√	√	√	√	√	√	√
Blockchain	×	×	√	×	√	√	×	√
Differential privacy	×	×	×	√	√	√	×	√
GAN defense mechanism	×	×	×	×	×	×	√	√
IoMT application	×	×	×	×	×	×	×	√

Table 2. The research content in the BFG framework and the methodology used.

Research Content	Methodology
Avoid a single point of failure	Blockchain, FL
Prevent inference attacks	Differential privacy
Reduce the storage pressure on the blockchain	IPFS
Detect and mitigate poisoning attacks	GAN defense mechanism
Aggregate model updates to generate the global model	Blockchain, IPFS, federated average aggregation algorithm

Table 3. The research summary in the exiting framework and the methodology used.

Schemes	Research Summary	Methodology
Hao et al., 2020	Proposed a protocol based on privacy and optimal resource usage for FL to analyze electronic health records	FL
Qayyum et al., 2022	Proposed a clustering FL-based approach to process clinical visualisation data at the edge	FL
Ali et al., 2021	Presented IoT-based use cases on envisioned dispersed FL and introduced blockchain-based traceability functions to improve privacy	FL, Blockchain
Adnan et al., 2022	Conducted a case study of applying a differentially private FL framework for the analysis of histopathology images	FL, Differential privacy
Wang et al., 2020	Proposed a FL privacy-prevention algorithm consisting of reinforcement learning, blockchain and differential privacy	FL, Blockchain, Differential privacy
Zhang et al., 2021	Proposed a medical data privacy protection framework based on blockchain and FL (MPBC)	FL, Blockchain, Differential privacy
Cao et al., 2023	Proposed a FL method based on co-training and GAN that allows each client to design its own model to participate in FL training independently	FL, GAN defense mechanism

In addition to the related work above, we provide a more detailed analysis of similar recent schemes. Wan et al. (Wan et al., 2022) proposed a privacy-preserving blockchain-enabled federated learning scheme for B5G-driven edge computing. The scheme uses blockchain for decentralised federation learning to reduce communication costs and mitigate data forgery problems. It uses WGAN to generate DP-compliant controlled random noise and injects it into model parameters to ensure an optimal trade-off between differential privacy protection and improved data utility of model parameters. Cui et al. (Cui et al., 2022) proposed a blockchain-empowered decentralised and asynchronous FL framework for anomaly detection in IoT systems and designed a novel GAN-driven differentially private algorithm to preserve the privacy of local model parameters. This algorithm injects controllable noise into local model parameters, which complies with differential privacy requirements while guaranteeing the improved utility of the anomaly detection model. Qu et al. (Qu et al., 2022) proposed a novel blockchain-enabled adaptive asynchronous federated learning (FedTwin) paradigm for privacy-preserving and decentralised digital twin networks. It uses GAN to enhance differential privacy to protect the privacy of local model parameters, which can achieve strict differential privacy protection while guaranteeing optimal data utility. All three schemes enhance differential privacy protection by utilising GAN. A Nash equilibrium can be achieved by playing between the generator, the discriminator, and the DP-identifier, i.e. generating optimised noise satisfying differential privacy, thus achieving a tradeoff between differential privacy protection and data utility. Different from the above schemes, our proposed BFG scheme uses GAN to design a distributed poisoning defense mechanism to detect and mitigate poisoning attacks instead of enhancing differential privacy protection. Our scheme limits the success rate of poisoning attacks to less than 26% by leveraging the auditing dataset generated by GAN to identify attackers and discarding model updates with accuracy below a threshold. Not only that, in addition to introducing blockchain for decentralised federated learning, we utilise IPFS to ease the storage pressure of blockchain and use smart contracts for aggregation control and key management. By interacting with the smart contract, each participating node can flexibly join and exit. Key management also ensures the privacy and security of IPFS and blockchain network transmission. Moreover, our BFG framework integrates these technologies into IoMT, which is quite novel, and the healthcare field will benefit from this in the future.

In summary, although existing works have made contributions to privacy protection, these works still have some security issues and cannot comprehensively address privacy security threats. Additionally, the integrated design of FL, IPFS-based blockchain, differential privacy, and GAN, and their application in the context of IoMT are still missing from the literature studies mentioned above.

3. Background

In this section, we will briefly review the background knowledge of FL, blockchain, IPFS, and differential privacy, and provide a brief introduction of GAN to help understand our BFG framework.

3.1. Federated learning

FL (McMahan et al., 2017) provides a distributed machine learning collaboration framework built across multiple devices, consisting of individual client participants and a centralised central server. In FL, N participants (k = 1, … , N) collaborate for model training. Firstly, the central server distributes the initial global model to all participants, and then the client participants train with their local private data to update their local models. Each participant uploads the model update to the central server after the local training. The central server aggregates the model updates to generate a new global model and replaces the global model of the previous round. During the training of FL, the transfer of model parameters replaces the transfer of raw data between the client devices and the central server, so the data can always be stored on the local devices, which greatly reduces the risk of data leakage. Formula (1) represents the update process of the global model. (1) $M_t=M_{t-1}+{\displaystyle \frac{1}{N}\sum _{k=1}^N{u}_t^k}$(1) Where $M_{t-1}$ represents the global model distributed to each participant in the t-th iteration, $u_t^k$ represents the model update uploaded by the k-th participant in the t-th iteration, and $M_t$ represents the new global model generated by aggregation.

3.2. Blockchain and IPFS

Blockchain (Zheng et al., 2018) is a key concept in Bitcoin, which is essentially a decentralised database and a network-sharing system characterised by disintermediation, transparency, and openness (Liang et al., 2022). Specifically, a blockchain is a distributed decentralised ledger in which blocks of data are sequentially linked in a chronological manner to form a chained data structure that is cryptographically guaranteed to be untamperable and unforgeable. Each block header contains the hash value of all transactions in the block, the current block root hash, the previous block root hash, and the timestamp, among other things. Blockchain is distributed, transparent, secure, suitable for records management, and has been widely used in cognitive computing (Fu et al., 2022). In the blockchain system, point-to-point transactions can be permanently and immutably recorded, while training tasks can be choreographed and model updates can be aggregated through the consensus algorithm (Bach et al., 2018). Not only that, but blockchain can also solve problems such as message leaks (Zheng et al., 2022). The blockchain can be divided into public blockchain, consortium blockchain, and private blockchain. The mainstream consortium blockchain projects include Hyperledger Fabric and FISCO BCOS.

IPFS (Mani et al., 2021) is a permanent, decentralised, and distributed file-sharing file system designed to solve the problem of file storage redundancy. It allocates a unique hash for each stored file and can find the corresponding file according to the assigned hash address. IPFS integrates the best distributed system ideas of the past few years and provides a globally unified addressable space for all. It can be used as a storage platform to greatly alleviate the storage pressure of blockchain.

3.3. Differential privacy

Differential privacy (DP) (Choudhury et al., 2019) is a strict and quantifiable privacy protection model that hides or blurs the actual results of query operations by adding random noise until they cannot be distinguished, thereby protecting private data. Let $\text{A}$ be a random algorithm, $\text{D}$ and ${\text{D}}^{{}^{\mathrm{\prime }}}$ be two different adjacent datasets. If the result $\text{S}$ of any output of $\text{A}$ on ${\text{D}}^{{}^{\mathrm{\prime }}}$ and $\text{D}$ satisfies the following formula (2), $\text{A}$ is said to implement ($ϵ,\delta$) differential privacy. (2) $Pr(A(D)\in S)\le e^{\in }\times Pr(A(D^{\mathrm{\prime }})\in S)+\delta$(2) The parameter $ϵ$ is the privacy budget, which represents the degree of privacy protection realised by differential privacy technology. For a random function $\text{A}$, the smaller the $ϵ$ value, the higher the level of privacy protection. $\text{S}$ is all possible outputs of the random function $\text{A}$, $\text{Pr}$ is the probability of obtaining a certain value of $\text{A}(\text{D})$, $\delta$ is the probability used to limit the arbitrary change of the model behaviour, usually set $\delta$ as a small constant. If $\delta$ = 0, the random function $\text{A}$ represents strict $ϵ$-differential privacy.

The commonly used mechanisms for privacy protection are Laplace noise mechanism and exponential noise mechanism. In the context of FL, we use the Laplace noise mechanism in the scheme to ensure the realisation of differential privacy by adding the independent zero mean Laplace noise with scale $\lambda$ to each dimension of the output. Note that $\lambda$ is equal to $\text{s}/ϵ$, where $\text{s}$ is the sensitivity value, which measures the maximum change in real query output on adjacent databases.

3.4. Generative adversarial network

The GAN (Goodfellow et al., 2020) has shown excellent performance in computer vision and other research fields, as it can generate high-quality pseudo images based on the original image set. The GAN structure consists of two neural networks: the generator and the discriminator, where the generator ($\text{G}$) generates the image, and the discriminator ($\text{D}$) identifies whether the image comes from the generator or the original image set (can be expressed as false / true). In the training process, the generator ($\text{G}$) and discriminator ($\text{D}$) of GAN engage in an adversarial game. Specifically, $\text{G}$ is mainly used to learn the distribution of real images so that the generated images are more realistic and thereby deceive $\text{D}$, and $\text{D}$ needs to discriminate between the true and false images it receives. Throughout the process, $\text{G}$ strives to make the generated image more realistic while $\text{D}$ strives to identify the true and false of the image. As the training cycle progresses, the generator and discriminator continually engage in this adversarial game, resulting in the performance of $\text{G}$ and $\text{D}$ constantly improving. Finally, the two networks achieve a dynamic equilibrium in which the image generated by the generator is close to the real image distribution, while the discriminator cannot differentiate between the true and false images. Formula (3) represents the training objective for GAN. (3) $\mathrm{mi}{\mathrm{n}}_{\mathrm{G}}\mathrm{ma}{\mathrm{x}}_{\mathrm{D}}\mathrm{V}\left(\mathrm{D},\mathrm{G}\right)={\mathbb{E}}_{\mathrm{x}\sim {\mathrm{p}}_{\mathrm{data}}\left(\mathrm{x}\right)}\left[\mathrm{logD}\left(\mathrm{x}\right)\right]+{\mathbb{E}}_{\mathrm{z}\sim {\mathrm{p}}_{\mathrm{z}}\left(\mathrm{z}\right)}\left[\log \left(1-\mathrm{D}\left(\mathrm{G}\left(\mathrm{z}\right)\right)\right)\right]$(3) Where $\mathbb{E}$ denotes the expectation, ${\text{p}}_{\text{data }}(\text{x})$ denotes the distribution of the original image,${\text{p}}_{\text{z}}(\text{z})$ denotes the distribution of the random vector $\text{z}$, $\text{D}(\text{x})$ denotes the probability that $\text{D}$ distinguishes $\text{ x}$ as a real data sample, and $\text{D}(\text{G}(\text{z}))$ denotes the probability that$\text{ D}$ determines the data generated by $\text{G}$.The discriminator $\text{D}$ aims to maximise the value function $\text{V}(\text{D},\text{G})$ in formula (3), while the generator $\text{G}$ tries to minimise the value. $\text{D}$ and $\text{G}$ will undergo several epochs of training until the adversarial game reaches Nash equilibrium.

4. Proposed framework

4.1. Overview of BFG framework

The BFG framework consists of four parts: client participants, GAN-based auditing dataset, IPFS, and blockchain. Client participants consist of various distributed IoMT devices. The GAN-based auditing dataset is generated by a locally deployed GAN reconstructing training data from local data upfront. The blockchain uses a consortium blockchain Hyperledger Fabric and is combined with IPFS to reduce the storage pressure on the blockchain by using IPFS to implement model updates for off-chain storage FL and storing hashes of data locations on the blockchain instead of in actual files. Specifically, the client downloads the global model from the IPFS-based blockchain and uses local data for model training, and the model updates will be audited locally by a GAN-generated auditing dataset to avoid sudden poisoning attacks by malicious clients masquerading as benign participants in the training process in the early stages. Audited model updates will be added with differential privacy noise and then uploaded to IPFS for off-chain preservation, and a hash index representing the location information will be sent to the blockchain for storage as a transaction. The blockchain can retrieve the actual model updates from IPFS using hashes and aggregate them via a federated averaging algorithm to obtain the global model. Each client downloads a new global model to replace the old one for the next training round until the global model converges, or the training time is exhausted. The BFG framework is shown in Figure 2.

Figure 2. The proposed BFG framework.

4.2. Workflow

Our workflow consists of several steps through which we complete a training round.

1. Local training: Client participants download the latest global model from the IPFS-based blockchain and use local data to train and update the local model. After this, local model updates are sent to the auditing dataset. During the training process, local data is continuously used to train the model in multiple batches to ensure the continuous improvement of the performance of the generated model.

2. Model audit: The auditing dataset assesses the accuracy of local model updates sent by participants. Models with accuracy below a predetermined threshold will be identified as poisoned models, which will be discarded. These poisoned models will be unable to participate in subsequent processes. Malicious clients generally disguise themselves as benign participants for training in the early stages and perform poisoning attacks in the middle and late stages of training in order to complete the damage to the global model more stealthily. We exploit this by reconstructing the training data from local data using GAN during the first few rounds of training. We use the generated data to constitute an auditing dataset to audit the model updates. Model updates that pass the audit will continue to participate in the subsequent process, and those that fail the audit will be discarded as poisoned model updates. This will achieve detection and mitigation of poisoning attacks.

3. Add noise: Qualified local model updates will be added with Laplace noise for differential privacy (DP). DP is a rigorous and provable privacy-preserving approach. We apply the Laplace mechanism to model updates and keep the sensitivity of the query function to a low range. Adding a small amount of noise from calibration to the vetted model updates helps avoid inference attacks and thus achieve privacy preservation. We add Laplace noise to the model updates as shown in equation (4). (4) $\mathrm{\Delta }\widetilde{L_t^k}=\mathrm{\Delta }{L}_t^k+Laplace\left(\frac{s}{\in }\right)$(4)

Where ${\mathrm{\Delta }\mathrm{L}}_{\text{t}}^{\text{k}}$ denotes the model updates for participant k who passed the audit in the t-th iteration, $\text{s}$ denotes the sensitivity value, $ϵ$ denotes the privacy budget, and $\mathrm{\Delta }\widetilde{{\text{L}}_{\text{t}}^{\text{k}}}$ denotes the model update after adding Laplace noise.

The sensitivity value $\text{s}$ is defined as shown in equation (5). (5) $s=\underset{D,D^{\mathrm{\prime }}}{max}{\Vert f\left(D\right)-f\left(D^{\mathrm{\prime }}\right)\Vert }_p$(5)

1. Model upload: Noise-added model updates will be uploaded to IPFS, and hash values representing location information will be sent to the consortium blockchain to achieve on-chain and off-chain dual storage. We use the Hyperledger Fabric, a consortium blockchain. Due to block size limitations, IPFS is used as an off-chain store, and the hash value is stored as a transaction in the consortium blockchain. The hash value can be used to retrieve the actual model update from IPFS. When the participant uploads the hash of the model to the blockchain, he should digitally sign the hash of the model with his private key in advance. The miner will check the signature of the uploaded file, and if the signature is valid, the miner will confirm that the uploaded model update comes from a legitimate participant.

2. Model aggregation: We use the federated averaging algorithm for model aggregation and select the miner with the highest priority to become the leader in the consensus process. The selected leader will be the final aggregation node responsible for aggregating the models submitted by participants and uploading the obtained global model hash value to the blockchain for storage. The consensus protocol we use is the Algorand, which is based on PoS and BFT (Wang et al., 2019). It combines the PoS mechanism with the BFT consensus process. The following steps are required to reach consensus: (1) Miners compete to become the leader. The percentage of a miner's shareholding determines their probability of being selected, and miners with more shares have a higher chance of becoming the leader. (2) The committee members verify the new block generated by the selected leader, and when more than two-thirds of the committee members sign and agree with the block, the new block is accepted and recorded in the consortium blockchain. (3) Broadcast the new block and achieve consensus in the consortium blockchain.

The demonstration for the federated averaging aggregation process in generating new blocks will be presented later. The hash of the new global model generated by the federated averaging algorithm will be stored in the new block. At the start of the next training round, individual participants can download the global model from the associated IPFS based on the hash value in the new block. The model aggregation is shown in equation (6). (6) $M_t=M_{t-1}+{\displaystyle \frac{1}{Q}\sum _{k=1}^Q\mathrm{\Delta }\widetilde{L_t^k}}$(6) Where $\text{Q}$ represents the total number of models that have been audited and eventually entered the federated averaging aggregation, and ${\text{M}}_{\text{t}}$ represents the new global model generated by the aggregation.

1. End of training: When the global model converges or the training time is exhausted, the overall model training will stop completely, which represents the end of the whole training process.

4.3. Privacy-preserving algorithm for BFG

During the training process of FL, malicious clients can launch poisoning attacks to compromise the global model. In order to detect and mitigate poisoning attacks, we take advantage of the feature that malicious clients disguise themselves as benign participants for early training, and use GAN to reconstruct training data from local data to generate auxiliary datasets to help train generators and discriminators. This helps generate auditing datasets and identify attackers by checking the accuracy of model updates uploaded by each participant through auditing datasets. Since malicious clients are good at disguising themselves and can use optimisation algorithms for stealth poisoning attacks, common poisoning detection methods, such as gradient distance detection methods (Fung et al., 2018), do not play a significant role. Taking advantage of these characteristics of malicious clients and combining the idea of deploying GAN in FL servers to detect poisoning attacks in (Zhao et al., 2020) and (Zhao et al., 2022), we deploy and train GAN on each local client. Then, we implement decentralised poisoning defense and privacy protection by combining blockchain and IPFS. In the previous training, we use GAN to perform iterative self-training on the local client and improve the performance of $\text{D}$ and $\text{G}$ through the adversarial game between the discriminator ($\text{D}$) and generator ($\text{G}$) in GAN. This generates auditing datasets that are infinitely close to the real image, and $\text{D}$ cannot distinguish between the true and false. In addition, we pre-set an accuracy threshold $\mathrm{\Gamma }$ to identify attackers and benign participants. If a participant's model accuracy is lower than the threshold $\mathrm{\Gamma }$, it is identified as an attacker, and the participant's model update is discarded. This avoids the damage caused by poisoning attacks. After that, we add Laplace noise to the audited model update and store it using IPFS and blockchain. Finally, we use the consensus mechanism of blockchain for federated average aggregation. The following is our privacy protection algorithm flow.

Before reaching the predefined number of iterations, i.e. num-iter, BFG will generate auditing datasets through the above mechanism. Once the number of iterations num-iter is reached, the distributed poisoning defense mechanism is activated, and the auditing dataset reviews the model update${\mathrm{\Delta }\mathrm{L}}_{\text{t}}^{\text{k}}$ uploaded by each client. The model update above the threshold L will be added with an appropriate amount of DP noise and then uploaded to the IPFS-based blockchain for federated average aggregation. This generates a new global model ${\text{M}}_{\text{t}}$.

4.4. Decentralised federated averaging aggregation based on IPFS and consortium blockchain

We use IPFS and the consortium blockchain Hyperledger Fabric to achieve on-chain and off-chain dual storage and realise decentralised federated averaging aggregation. IPFS is used as a decentralised distributed file storage mechanism and can permanently store and share files. IPFS can return a unique hash value based on the uploaded content. The combination of IPFS and blockchain can eliminate the dependence on complete nodes and preserve the traceability of blockchain networks while greatly avoiding a single point of failure. We also use smart contracts for control and key management. Smart contracts are programmes deployed on the blockchain. Through interaction with smart contracts, each participating node can join and exit flexibly. Key management also ensures the privacy security of transmission between IPFS and blockchain. The aggregation process is as follows:

1. We use the consensus mechanism (Wang et al., 2019) to select the highest priority node as the leader, which is the final aggregation node. We also use smart contracts to select the initial aggregation node. The initial aggregation node stores the first model update with differential privacy noise into IPFS, which then returns a unique hash value based on the stored model update file.

2. The initial aggregation node encrypts the hash value using the public key of the subsequent node, uploads the encrypted hash value to the smart contract, and then passes the aggregation task to the next node.

3. The smart contract notifies the current node responsible for the aggregation task of the hash value of the previous node. After the current node decrypts the hash value using the local private key, it obtains the corresponding model update file from IPFS.

4. The current node adds the locally uploaded model update to the file obtained from the previous node to generate a new model update, which is then stored in IPFS to obtain a new hash value. The node encrypts the new hash value using the public key of the successor node and uploads it to the smart contract. Then, the process is repeated until the aggregation task is handed over to the final aggregation node.

5. The final aggregation node completes the final aggregation task to generate a new global model update. The final aggregation node obtains the file content of the previous node according to the previous process and adds the final model update to the obtained file. The federated averaging aggregation algorithm is used to calculate the new global model update. The global model update file is then stored in IPFS to generate the final hash value. Since the final aggregation node has no successor node, there is no need to encrypt the final hash value, and it is not uploaded to the smart contract.

6. The smart contract obtains the new global model update from IPFS based on the final hash value. It then finds the initial global model file based on the hash value of the initial global model stored in the blockchain, and adds the new global model update to the initial global model file to generate a new global model file. The hash value of the new global model file is uploaded to the consortium blockchain to generate a new block.

7. The committee members of the consortium blockchain verify the new blocks generated. When more than two-thirds of the committee members sign and agree to the new blocks, these blocks are accepted and recorded in the consortium blockchain. The new blocks are then broadcasted to reach a consensus.

At this point, the federated averaging aggregation process based on IPFS and consortium blockchain is finally completed. Since each node undertakes the task of partial aggregation, the entire federated averaging aggregation process is completely decentralised, avoiding the occurrence of a single point of failure. The use of blockchain and smart contracts in healthcare is shown in Figure 3.

Figure 3. The use of blockchain and smart contracts in healthcare.

Figure 4. GAN structure for the distributed poisoning defense mechanism.

4.5. Network structure of GAN

GAN involves two components: a discriminator and a generator. We use the architecture based on convolutional neural network (CNN) to construct the discriminator and use the deconvolution network to construct the corresponding generator. The goal of GAN design is to generate auditing datasets that are infinitely close to real data through a confrontation game between the generator and the discriminator. During the training process, the generator generates pseudo data, and the discriminator distinguishes the generated data from the real data, and these components are alternately optimised. We build GAN on each local end and use some of the previous local data as an auxiliary dataset to help train the generator and discriminator. After several rounds of iterative training, the generator successfully generates an auditing dataset. The auditing dataset of each local end will then audit the model transmitted by each participant to reduce the risk of poisoning attacks. We use six convolutional layers to construct the discriminator. The kernel sizes of the first three convolutional layers and the last three convolutional layers are 4 × 4 and 3 × 3, respectively. We use three deconvolution layers to construct the generator, whose kernel sizes are 4 × 4. The network structure of GAN for the distributed poisoning defense mechanism is shown in Figure 4.

5. Results and discussion

5.1. Experimental settings

We use Hyperledger Fabric 1.4.4 consortium blockchain in our experiments. The operating system used is Ubuntu 18.04. Additionally, the distributed file system uses IPFS 0.4.21, the CPU used is Intel i7-11700K, the RAM used is 16GB, and the GPU is GTX 1080 T. All experiments are performed under FL settings using the PyTorch framework. In order to simulate the distributed IoMT device, we randomly divide the dataset, and each data part is used as the local data of a device to simulate the data owned by each device in the actual situation. At the same time, we set a discriminator and a generator on each local device for GAN training. We use a convolutional neural network (CNN)-based architecture to construct discriminators and classifiers, and we use a deconvolution network to construct generators. Each local GAN training session lasts for 20 epochs.

5.2. Datasets

We evaluate our scheme (BFG) using the MNIST dataset and the CIFAR-10 dataset. The MNIST dataset is a handwritten digital image dataset, which is the most widely used dataset in FL. MNIST consists of 70,000 handwritten digital images with a size of 28 × 28, divided into 60,000 training images and 10,000 test images. The images are divided into 10 categories of Arabic numbers corresponding to 0–9 different numbers. The CIFAR-10 dataset consists of 60,000 colour images with a size of 32 × 32. The dataset comprises 50,000 training images and 10,000 test images. These images are divided into 10 categories, such as aircraft and birds. These two datasets are widely used in classification, task evaluation, and FL.

5.3. Experimental result

We investigate the performance of the proposed BFG framework through experiments and evaluate the framework from three aspects: accuracy, robustness, and privacy protection.

In order to verify the accuracy and effectiveness of the proposed framework, we conduct experiments on the MNIST dataset. We use BLADE-FL (Li et al., 2021), Original FL (McMahan et al., 2017), DP-FL without GAN (Geyer et al., 2017), BFG with $ϵ$ = 2 and BFG with $ϵ$ = 3 to train in the scenarios of 20 client participants and 50 client participants respectively. We then compare the accuracy of the global models trained by these five schemes. As shown in Figures 5 and 6, with 20 and 50 client participants trained, the global model trained by the proposed BFG framework has higher accuracy than DP-FL without GAN as well as BLADE-FL in most cases. The reason is that the BFG framework uses the auditing dataset generated by GAN to discard model updates with accuracy lower than the normal threshold, thereby reducing the impact of various negative nodes. For example, to reduce the training time, negative nodes can use less local data than normal to train the model to complete the training task as soon as possible. However, this will lead to a decrease in the accuracy of the model updates they upload, thereby affecting the accuracy of the global model. Our scheme can alleviate this effect. BLADE-FL, as a new blockchain-assisted FL framework, can overcome traditional problems associated with centralised clustering in FL systems and prevent model leakage and model update tampering by introducing blockchain and adding Gaussian noise to meet privacy protection needs. However, BLADE-FL still cannot significantly guarantee the accuracy aspect as it lacks a GAN-generated auditing mechanism.

Figure 5. Accuracy of five schemes with 20 participants.

Figure 6. Accuracy of five schemes with 50 participants.

In addition, as shown in Figures 5 and 6, we also compare the training results for BFG with $ϵ$ = 2 and $ϵ$ =  3 and Original FL. We find that the accuracy of BFG with two different $ϵ$ values is lower than that of Original FL, but the accuracy of the global model trained by BFG with $ϵ$ = 3 is better than that of BFG with $ϵ$ = 2. The reason is that DP noise is added to the BFG scheme to prevent inference attacks, which will have a certain impact on the accuracy of the global model. The smaller the privacy budget $ϵ$ is, the higher the degree of privacy protection is, and the more noise will be added, which will have a greater impact on the accuracy. BFG with $ϵ$ =  3 adds relatively less noise, so it can train a global model with higher accuracy.

By comparing and analyzing the five schemes, we find that the performance of BFG with $ϵ$ = 3 is significantly better than other schemes when training with 20 client participants and 50 client participants. Additionally, it is only slightly lower than Original FL, which achieves a balance between using DP to protect privacy and using GAN to improve accuracy. Therefore, in subsequent experiments, we will use BFG with $ϵ$ =  3 as our scheme.

In addition to using accuracy to evaluate the effect of aggregation analysis of different schemes, we also use loss functions for relevant complements. The loss function is an arithmetic function used to evaluate the degree of difference between the predicted and true values of the model, and we experimentally analyze and compare the loss functions for two scenarios with different numbers of client participants. As shown in Figures 7 and 8, the loss functions of the five schemes decrease with increasing accuracy for both the 20 and 50 client participants during training. The loss function in the 50-client participant scenario is smaller than the loss function in the 30-client participant scenario due to the fact that as the number of client participants increases, the data set involved becomes larger, resulting in a smaller loss function.

Figure 7. Loss function value of five schemes with 20 participants.

Figure 8. Loss function value of five schemes with 50 participants.

To verify the robustness of the proposed framework, we conduct experiments on the MNIST dataset. We set up three experimental scenarios with 30 and 60 nodes: all nodes participate in the full training, all nodes train normally upfront, but 30% of them drop out after the 160th round, and 70% of nodes participate in the whole training. We use our BFG scheme for model training in these scenarios and compare the global model accuracy in these three different scenarios. As shown in Figures 9 and 10, we show the global model accuracy changes from the 160th to the 300th round of training with two different numbers of nodes. We have found that the accuracy of the global model with 30% of the nodes exiting during the halfway of the training is lower than that of all nodes participating in the entire training due to the decrease in the number of nodes. However, it is slightly higher than that of the 70% of nodes that have not exited the training. This is because our decentralised framework based on blockchain and IPFS is robust. The exit of some nodes will not affect each other, and there is no single point of failure. Unlike the traditional centralised FL framework, even if 30% of the nodes drop out during the training process, the entire training process will not collapse completely. Other nodes can continue to train unaffected, so that after reaching stability, the accuracy of the global model can be continuously improved and eventually higher than the training results of the 70% of nodes that have not exited. This demonstrates that our scheme is stable and effective in the face of node exit.

Figure 9. Accuracy when 30% of 30 nodes drop out.

Figure 10. Accuracy when 30% of 60 nodes drop out.

Finally, to verify the effectiveness of our framework in privacy protection, we conduct experiments on the MNIST dataset and the CIFAR-10 dataset. We use the attack success rate to measure the performance of privacy protection. The higher the attack success rate, the lower the effectiveness of anti-poisoning attacks and the worse the privacy protection. We set the number of clients participating in the training to 50 and set the percentage of poisoning attackers at 10% and 30%, respectively, in the case of using the two datasets. Specifically, while keeping the sample characteristics unchanged, we change the label of the training sample, used the label flip attack to generate the poisoning sample, and assign the poisoning sample to each specified local device. The proportion of the poisoning local device is set to 10% and 30%, respectively. Additionally, we set the initial attack time to the 50th round and compared our scheme with BLADE-FL, Original FL, and DP-FL without GAN.

Figures 11 and 12 illustrate the attack success rates of 10% and 30% poisoning attackers on the MNIST dataset. Based on the experimental results, we find that both schemes demonstrated improved attack success rates after the attacker performed a poisoning attack on the 50th round, and the attack success rate of 30% poisoning attackers is higher than that of only 10% poisoning attackers. Furthermore, the attack success rate of Original FL and DP-FL without GAN is almost always above 58%, as these two schemes lack mechanisms to detect poisoning. The attack success rate of BLADE-FL is almost always contained below 56% due to its use of blockchain to enhance the system's security, which protects user privacy and prevents model updates from tampering with in a trusted blockchain network. Nevertheless, it still can’t significantly reduce the harm of poisoning attacks due to its absence of GAN-generated auditing mechanisms. The attack success rate of our BFG scheme is approximately 26%, mainly because our scheme can effectively detect and mitigate poisoning attacks by utilising GAN to generate auditing datasets on various local devices.

Figure 11. Attack success rate for 10% poisoning attackers in Minist dataset.

Figure 12. Attack success rate for 30% poisoning attackers in Minist dataset.

Figures 13 and 14 show the attack success rate of setting 10% poisoning attackers and 30% poisoning attackers on the CIFAR-10 dataset. We find that the experimental results on CIFAR-10 are similar to those of MNIST. The attack success rate of 30% poisoning attackers is still higher than that of 10% poisoning attackers. The attack success rate of both schemes, Original FL and DP-FL without GAN, is almost greater than 6%. The attack success rate of BLADE-FL scheme is almost within 52%, while the attack success rate of our BFG scheme is roughly limited to 23%. Experimental results show that BFG can effectively reduce the impact of poisoning attacks and has good performance in privacy protection.

Figure 13. Attack success rate for 10% poisoning attackers in CIFAR-10 dataset.

Figure 14. Attack success rate for 10% poisoning attackers in CIFAR-10 dataset.

From the above experimental results, we can see that our BFG framework performs well in accuracy, robustness, and privacy protection.

In addition, we also extend the more detailed consensus analysis. In terms of the performance of consensus analysis, we use throughput (TPS) and latency (s), which are the key factors and the most widely used metrics for most blockchain systems (Kuzlu et al., 2019). We measure the throughput, i.e. the number of successfully committed transactions per second, and latency, i.e. the time taken for each transaction to be submitted. For measurements, we use Calliper (Xu et al., 2021), which has been used in previous studies on the blockchain platform. TPS and latency are measured at least three times and averaged.

We study the effect of batch size on the consensus mechanism by varying the batch sizes from 10 to 200. Setting the batch size to 1 results in transaction failures, which are not caused by node failures. This is because a batch size of 1 produces a single block per transaction, leading to significant delays in block generation. Consequently, communication between Hyperledger Fabric nodes frequently times out due to the increased delay, eventually resulting in the failure of the Hyperledger Fabric system. Therefore, we exclude small batch sizes, including batch size 1, and set the initial batch size to 10.

Figures 15 and 16 demonstrate the relationship between batch size and throughput and latency, respectively. Figure 15 shows that the minimum and maximum throughput values were 613 (batch size 50) and 732 (batch size 150), respectively, and the difference between the two was within 17%. Figure 16 shows that the latency fluctuation was minimal, with an average latency of approximately 13.54 ms. The results show that the performance of our consensus mechanism is less affected by the batch size and that the throughput increases accordingly when the required processing and latency decrease.

Figure 15. Throughput Analysis in Consensus Performance Analysis.

Figure 16. Latency Analysis in Consensus Performance Analysis.

6. Conclusions and future work

This paper introduces BFG, a privacy protection framework for IoMT that utilises blockchain and FL. We utilise blockchain and IPFS for on-chain and off-chain storage and developed a decentralised federated averaging aggregation method based on IPFS and blockchain. This approach alleviates the storage pressure of the blockchain and mitigates the inherent risk of single points of failure in FL. Additionally, we employ DP to introduce noise into model updates and prevent inference attacks while balancing the privacy budget and accuracy. Our framework also uses GAN to reconstruct the training data on each local device to produce auditing datasets, which creates a distributed poisoning defense mechanism to enhance privacy protection. Simulation results showcase the feasibility and effectiveness of our proposed framework which demonstrates excellent performance in terms of accuracy, robustness, and privacy protection.

The BFG framework can use the above advantages to effectively protect sensitive healthcare data collected from heterogeneous and resource-constrained IoMT devices, securely share patient healthcare data, and provide better diagnosis and efficient and accurate clinical decisions for patients. The healthcare industry can benefit from this, and there may be more opportunities to build smart and secure healthcare delivery systems in the future.

While our solution can solve some difficult problems in healthcare, it consumes more time than traditional FL methods due to the introduction of IPFS. Additionally, we need to further explore more privacy-preserving scenarios of IoMT. In our future work, we plan to explore more complex and diverse applications of privacy-preserving scenarios, optimise our training tasks to reduce time loss, and design relevant incentives to make further improvements for the healthcare industry.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This work was supported by the Scientific Research Foundation of Hunan Provincial Education Department (2019-291, 20A191), Hunan University of Science and Technology (EK2104).