Attacks on fairness in Federated Learning

Read original: arXiv:2311.12715 - Published 7/29/2024 by Joseph Rance, Filip Svoboda

Overview

  • Federated Learning is a distributed training paradigm that keeps data private on clients.
  • Backdoor attacks on Federated Learning models are well understood: a small subset of clients can introduce a backdoor.
  • This paper presents a new type of attack that compromises the fairness of the trained model, rather than introducing a backdoor.
  • Fairness refers to the attribute-level performance distribution of the trained model, which is important in domains where unfair discrimination could have serious consequences.

Plain English Explanation

Federated Learning is a way of training AI models without collecting all the data in one place. Instead, the training happens on individual devices, like phones or computers, and the model is updated by combining the changes from many devices. This keeps the data private on the individual devices.

Previous research has shown that backdoor attacks are possible in Federated Learning. This means that even if only a small number of devices are compromised, the attacker can introduce a backdoor into the final trained model.

This new paper looks at a different type of attack, one that compromises the fairness of the trained model, rather than introducing a backdoor. Fairness means that the model performs equally well across different groups or attributes, like age, gender, or race. Unfair models can have serious consequences in domains like healthcare or finance.

The paper shows that using a similar threat model to a backdoor attack, an attacker can influence the final model to have an unfair performance distribution between different attributes. Importantly, the attacker only needs to control a single client device to pull this off.

While dealing with natural unfairness in Federated Learning has been discussed before, this artificial unfairness introduced by an attacker has been overlooked. The paper argues that defending against attacks on fairness should be a critical consideration whenever unfairness in a model could benefit someone who participated in the training.

Technical Explanation

The paper presents a new type of attack on Federated Learning models that compromises the fairness of the trained model, rather than introducing a backdoor.

The threat model is similar to that of a backdoor attack - the attacker controls only a small subset of the participating clients. However, instead of injecting a backdoor, the attacker aims to influence the aggregated model to have an unfair performance distribution across different attributes.

The authors demonstrate that this "fairness attack" is possible by controlling just a single client. They show how the attacker can strategically update the local model on the compromised client to skew the final aggregated model towards unfair performance.

While prior work has addressed naturally-occurring unfairness in Federated Learning, this paper highlights that artificially-induced unfairness through adversarial attacks has been overlooked. The authors argue that defending against fairness attacks should be a critical consideration in any scenario where unfairness in the trained model could benefit a participant in the training process.
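One way a server could watch the attribute-level performance distribution described above is to measure the per-attribute accuracy gap of each aggregated model and check which single update accounts for it. This is an added example, not code from the paper or its authors; the toy linear model, unweighted averaging, validation set, client ids and threshold are all constructed assumptions.

```python
# Added example: server-side audit of the attribute-level accuracy gap.
# The model, data, client ids and threshold are all constructed assumptions.

def fedavg(updates):
    """Unweighted mean of client weight vectors (equal client sizes assumed)."""
    vecs = list(updates.values())
    return [sum(col) / len(vecs) for col in zip(*vecs)]

def group_accuracy(w, data):
    """Accuracy per attribute group for a linear classifier w = (w1, w2, bias)."""
    hits, totals = {}, {}
    for group, (x1, x2), label in data:
        pred = 1 if w[0] * x1 + w[1] * x2 + w[2] > 0 else 0
        totals[group] = totals.get(group, 0) + 1
        hits[group] = hits.get(group, 0) + (pred == label)
    return {g: hits[g] / totals[g] for g in totals}

def fairness_gap(w, data):
    """Difference between the best and worst per-group accuracy."""
    acc = group_accuracy(w, data)
    return max(acc.values()) - min(acc.values())

def audit_round(updates, data, min_reduction=0.25):
    """Flag clients whose removal shrinks the gap by at least min_reduction."""
    full_gap = fairness_gap(fedavg(updates), data)
    suspects = []
    for cid in updates:
        rest = {k: v for k, v in updates.items() if k != cid}
        if full_gap - fairness_gap(fedavg(rest), data) >= min_reduction:
            suspects.append(cid)
    return {"gap": full_gap, "suspects": suspects}

# Constructed validation set held by the server: (group, features, label).
VALIDATION = [
    ("A", (1, 0), 1), ("A", (2, 0), 1), ("A", (-1, 0), 0), ("A", (-2, 0), 0),
    ("B", (0, 1), 1), ("B", (0, 2), 1), ("B", (0, -1), 0), ("B", (0, -2), 0),
]
# Constructed round: three similar updates and one outlier (c3).
ROUND = {
    "c0": [1.0, 1.0, 0.0], "c1": [1.2, 0.9, 0.0],
    "c2": [0.8, 1.1, 0.0], "c3": [1.0, -4.0, 0.0],
}

if __name__ == "__main__":
    print(group_accuracy(fedavg(ROUND), VALIDATION))
    print(audit_round(ROUND, VALIDATION))
```

The check needs per-client updates in the clear and a validation set annotated with the attribute, so it does not apply as written under secure aggregation.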

Critical Analysis

The paper makes an important contribution by identifying a new type of attack on Federated Learning models that targets fairness, rather than introducing a backdoor. This is a significant concern, as unfair models can have severe real-world consequences in domains like healthcare, finance, and criminal justice.

However, the paper does not address some key limitations and open questions:

  • The proposed attack relies on the attacker having perfect knowledge of the target attributes and being able to strategically update the local model. In practice, this level of information and control may be difficult to achieve.
  • The paper does not explore potential defenses against fairness attacks. Developing effective countermeasures should be a priority for future research in this area.
  • The scope is limited to Federated Learning, but unfairness in AI models is a broader issue that affects centralized training as well. Expanding the analysis to other distributed training paradigms could yield additional insights.

Despite these limitations, the paper successfully highlights the importance of fairness as a security and privacy concern in Federated Learning. Further research is needed to fully understand the risks and develop robust defenses against this new class of attacks.

Conclusion

This paper presents a novel attack on Federated Learning models that compromises the fairness of the trained model, rather than introducing a backdoor. The authors demonstrate that an attacker can strategically update a single compromised client to skew the final aggregated model towards unfair performance across different attributes.

While prior work has addressed naturally-occurring unfairness in Federated Learning, this paper argues that artificially-induced unfairness through adversarial attacks has been overlooked. Defending against fairness attacks should be a critical consideration whenever unfairness in the trained model could benefit a participant in the training process.

The paper makes an important contribution by identifying this new threat, but further research is needed to fully understand the risks and develop effective countermeasures. Expanding the analysis beyond Federated Learning to other distributed training paradigms could also yield valuable insights.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!


Related Papers


Attacks on fairness in Federated Learning

Joseph Rance, Filip Svoboda

Federated Learning is an important emerging distributed training paradigm that keeps data private on clients. It is now well understood that by controlling only a small subset of FL clients, it is possible to introduce a backdoor to a federated learning model, in the presence of certain attributes. In this paper, we present a new type of attack that compromises the fairness of the trained model. Fairness is understood to be the attribute-level performance distribution of a trained model. It is particularly salient in domains where, for example, skewed accuracy discrimination between subpopulations could have disastrous consequences. We find that by employing a threat model similar to that of a backdoor attack, an attacker is able to influence the aggregated model to have an unfair performance distribution between any given set of attributes. Furthermore, we find that this attack is possible by controlling only a single client. While combating naturally induced unfairness in FL has previously been discussed in depth, its artificially induced kind has been neglected. We show that defending against attacks on fairness should be a critical consideration in any situation where unfairness in a trained model could benefit a user who participated in its training.

7/29/2024

Mitigating Malicious Attacks in Federated Learning via Confidence-aware Defense

Qilei Li, Ahmed M. Abdelmoniem

Federated Learning (FL) is a distributed machine learning paradigm that enables multiple clients to collaboratively train a global model without sharing their private local data. However, FL systems are vulnerable to attacks from malicious clients through data poisoning and model poisoning, which can deteriorate the performance of the aggregated global model. Existing defense methods typically focus on mitigating specific types of poisoning and are often ineffective against unseen types of attack. These methods also assume that attacks happen only moderately, which does not always hold true in reality. Consequently, these methods can significantly fail in terms of accuracy and robustness when detecting and addressing updates from attacked malicious clients. To overcome these challenges, in this work, we propose a simple yet effective framework to detect malicious clients, namely Confidence-Aware Defense (CAD), that utilizes the confidence scores of local models as criteria to evaluate the reliability of local updates. Our key insight is that malicious attacks, regardless of attack type, will cause the model to deviate from its previous state, thus leading to increased uncertainty when making predictions. Therefore, CAD is comprehensively effective for both model poisoning and data poisoning attacks by accurately identifying and mitigating potential malicious updates, even under varying degrees of attacks and data heterogeneity. Experimental results demonstrate that our method significantly enhances the robustness of FL systems against various types of attacks across various scenarios by achieving higher model accuracy and stability.

8/20/2024

Federated Fairness Analytics: Quantifying Fairness in Federated Learning

Oscar Dilley, Juan Marcelo Parra-Ullauri, Rasheed Hussain, Dimitra Simeonidou

Federated Learning (FL) is a privacy-enhancing technology for distributed ML. By training models locally and aggregating updates - a federation learns together, while bypassing centralised data collection. FL is increasingly popular in healthcare, finance and personal computing. However, it inherits fairness challenges from classical ML and introduces new ones, resulting from differences in data quality, client participation, communication constraints, aggregation methods and underlying hardware. Fairness remains an unresolved issue in FL and the community has identified an absence of succinct definitions and metrics to quantify fairness; to address this, we propose Federated Fairness Analytics - a methodology for measuring fairness. Our definition of fairness comprises four notions with novel, corresponding metrics. They are symptomatically defined and leverage techniques originating from XAI, cooperative game-theory and networking engineering. We tested a range of experimental settings, varying the FL approach, ML task and data settings. The results show that statistical heterogeneity and client participation affect fairness and fairness conscious approaches such as Ditto and q-FedAvg marginally improve fairness-performance trade-offs. Using our techniques, FL practitioners can uncover previously unobtainable insights into their system's fairness, at differing levels of granularity in order to address fairness challenges in FL. We have open-sourced our work at: https://github.com/oscardilley/federated-fairness.

8/16/2024

Non-Cooperative Backdoor Attacks in Federated Learning: A New Threat Landscape

Tuan Nguyen, Dung Thuy Nguyen, Khoa D Doan, Kok-Seng Wong

Despite the promise of Federated Learning (FL) for privacy-preserving model training on distributed data, it remains susceptible to backdoor attacks. These attacks manipulate models by embedding triggers (specific input patterns) in the training data, forcing misclassification as predefined classes during deployment. Traditional single-trigger attacks and recent work on cooperative multiple-trigger attacks, where clients collaborate, highlight limitations in attack realism due to coordination requirements. We investigate a more alarming scenario: non-cooperative multiple-trigger attacks. Here, independent adversaries introduce distinct triggers targeting unique classes. These parallel attacks exploit FL's decentralized nature, making detection difficult. Our experiments demonstrate the alarming vulnerability of FL to such attacks, where individual backdoors can be successfully learned without impacting the main task. This research emphasizes the critical need for robust defenses against diverse backdoor attacks in the evolving FL landscape. While our focus is on empirical analysis, we believe it can guide backdoor research toward more realistic settings, highlighting the crucial role of FL in building robust defenses against diverse backdoor threats. The code is available at https://anonymous.4open.science/r/nba-980F/.

7/12/2024