A Data-Driven Defense against Edge-case Model Poisoning Attacks on Federated Learning

Read original: arXiv:2305.02022 - Published 8/15/2024 by Kiran Purohit, Soumi Das, Sourangshu Bhattacharya, Santu Rana

Overview

  • Federated Learning systems are vulnerable to model poisoning attacks from clients.
  • Edge-case attacks targeting a small fraction of the input space are difficult to detect using existing defenses.
  • The proposed DataDefense method uses an external defense dataset to learn a poisoned data detector and a client importance model.
  • The global model is updated as a weighted average of client model updates, where the weights are determined by the client importance model.
  • DataDefense can significantly reduce the attack success rate compared to other state-of-the-art defenses.

Plain English Explanation

In Federated Learning, multiple devices or clients collaborate to train a shared machine learning model without sharing their raw data. This approach is useful for preserving privacy and decentralizing data. However, Federated Learning systems are vulnerable to model poisoning attacks from malicious clients.

These attacks can target edge cases, which are rare or unusual inputs that make up a small fraction of the total input space. Existing defenses often struggle to detect these types of attacks, leading to a high success rate for the attackers.

The DataDefense method proposed in the paper aims to address this issue. It uses an external "defense dataset" that contains a mix of poisoned and clean examples, with only a few known to be clean. The method learns two models:

  1. A poisoned data detector that can identify whether each example in the defense dataset is poisoned or clean.
  2. A client importance model that estimates the probability of a client update being malicious.

The global model is then updated as a weighted average of the client model updates, where the weights are determined by the client importance model. This helps to reduce the impact of malicious client updates on the final model.

The key advantage of DataDefense is that it can significantly reduce the attack success rate compared to other state-of-the-art defenses, even with a small number of defense examples (as few as five).

Technical Explanation

The DataDefense method consists of two main components:

  1. Poisoned Data Detector: This model is trained to classify each example in the defense dataset as either poisoned or clean. It is trained using an alternating minimization strategy over the Federated Learning rounds, where the model parameters are updated based on the current state of the global model and the client updates.

  2. Client Importance Model: This model estimates the probability of a client update being malicious. It is also trained using the alternating minimization strategy, with the goal of assigning lower importance to updates from clients that are more likely to be malicious.

The global model is then updated as a weighted average of the client model updates, where the weights are determined by the client importance model. This helps to reduce the impact of malicious client updates on the final model.
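To make the aggregation rule concrete, the following is an added toy simulation; it is not code from the paper or its authors. It runs the three alternating steps described above on a tiny logistic-regression problem: a detector that marks defense examples as poisoned or clean, a client importance weighting derived from those marks, and an importance-weighted average of the client updates. The client data, the defense set, the rule standing in for the learned detector (a reference model fitted on the known-clean examples), the softmax importance rule and all step sizes are assumptions constructed for this example, replacing the learned models of the paper. Running it contrasts plain averaging, where two edge-case poisoners flip the model's output on the rare x2 = 3 region, with importance-weighted aggregation, which drives their weights to near zero.

```python
"""Added toy simulation of importance-weighted aggregation against an edge-case poisoner.
A logistic-regression model w = [w1, w2, b] is trained by five clients; two of them poison
the rare x2 = 3 region. Data, step sizes, detector and importance rules are all constructed
for this illustration and stand in for the learned models of the paper."""
import math

def sigmoid(z):
    # numerically stable logistic function
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))

def predict(w, x):
    return sigmoid(w[0] * x[0] + w[1] * x[1] + w[2])

def loss(w, data):
    """Mean binary cross-entropy of model w on [(x, y), ...]."""
    total = 0.0
    for x, y in data:
        p = predict(w, x)
        total -= math.log(max(p if y == 1 else 1.0 - p, 1e-12))
    return total / len(data)

def sgd(w, data, lr=0.5, steps=5):
    """Full-batch gradient descent from w; returns the new parameter vector."""
    w = list(w)
    for _ in range(steps):
        g = [0.0, 0.0, 0.0]
        for x, y in data:
            err = predict(w, x) - y
            g[0] += err * x[0]; g[1] += err * x[1]; g[2] += err
        w = [wi - lr * gi / len(data) for wi, gi in zip(w, g)]
    return w

# Constructed clients. Benign clients only see x2 = 0 (clean rule: y = 1 iff x1 > 0);
# malicious clients train the rare x2 = 3 region towards the flipped label 0.
BENIGN = [[((1, 0), 1), ((-1, 0), 0)],
          [((2, 0), 1), ((-2, 0), 0)],
          [((1, 0), 1), ((-1, 0), 0), ((0.5, 0), 1), ((-0.5, 0), 0)]]
MALICIOUS = [[((1, 3), 0), ((2, 3), 0)],
             [((1, 3), 0), ((1.5, 3), 0)]]
CLIENTS = BENIGN + MALICIOUS

# Constructed defense set (x, y, known_clean): two known-clean examples, the rest a mix of
# clean and edge-case poisoned examples whose status the server does not know.
DEFENSE = [((1, 0), 1, True), ((-1, 0), 0, True),
           ((2, 0), 1, False), ((-2, 0), 0, False),
           ((1, 3), 0, False), ((2, 3), 0, False)]
EDGE_TEST = [((1, 3), 0), ((1.5, 3), 0), ((2, 3), 0)]   # the attacker's target label is 0
CLEAN_TEST = [((1, 0), 1), ((2, 0), 1), ((-1, 0), 0), ((-2, 0), 0)]

def detect_poisoned(w):
    """Detector step: fit a reference model on the known-clean examples starting from the
    global model, then mark each unknown defense example poisoned if the reference model
    disagrees with its label. Returns (clean_marked, poisoned_marked)."""
    known = [(x, y) for x, y, k in DEFENSE if k]
    ref = sgd(w, known, steps=20)
    clean, poisoned = list(known), []
    for x, y, k in DEFENSE:
        if not k:
            (clean if (predict(ref, x) > 0.5) == (y == 1) else poisoned).append((x, y))
    return clean, poisoned

def client_importance(w, deltas, clean, poisoned, beta=4.0):
    """Importance step: score each candidate model w + delta by (loss on clean-marked) minus
    (loss on poisoned-marked); a softmax over -beta * score gives the aggregation weights,
    so updates that fit the poisoned examples well are down-weighted."""
    scores = []
    for d in deltas:
        cand = [wi + di for wi, di in zip(w, d)]
        scores.append(loss(cand, clean) - (loss(cand, poisoned) if poisoned else 0.0))
    m = min(scores)                       # shift for numerical stability
    raw = [math.exp(-beta * (s - m)) for s in scores]
    return [r / sum(raw) for r in raw]

def run(rounds=10, defended=True):
    """Alternate detector, importance and aggregation steps each round.
    Returns (global model, importance weights used in the last round)."""
    w = [0.0, 0.0, 0.0]
    weights = [1.0 / len(CLIENTS)] * len(CLIENTS)   # plain averaging when undefended
    for _ in range(rounds):
        deltas = [[li - wi for li, wi in zip(sgd(w, data), w)] for data in CLIENTS]
        if defended:
            clean, poisoned = detect_poisoned(w)
            weights = client_importance(w, deltas, clean, poisoned)
        w = [wi + sum(p * d[i] for p, d in zip(weights, deltas)) for i, wi in enumerate(w)]
    return w, weights

def rate(w, data):
    """Fraction of examples whose label the model reproduces (attack success on EDGE_TEST,
    accuracy on CLEAN_TEST)."""
    return sum((predict(w, x) > 0.5) == (y == 1) for x, y in data) / len(data)

if __name__ == "__main__":
    for defended in (False, True):
        w, imp = run(defended=defended)
        print(f"defended={defended}: attack success={rate(w, EDGE_TEST):.2f} "
              f"clean accuracy={rate(w, CLEAN_TEST):.2f} importance={[round(p, 4) for p in imp]}")
```

The detector starts from the current global model, so the three steps are coupled exactly as the alternating scheme implies: a global model that had already absorbed the poison would make the reference model agree with the flipped labels and the detector would miss them. That is why the down-weighting has to take effect from the first round, and it is also why only two known-clean examples are needed here: the detector only has to separate the defense set, not learn the task.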

The paper presents extensive experiments on standard attack scenarios, demonstrating that DataDefense can defend against model poisoning attacks where other state-of-the-art defenses fail. In particular, DataDefense is able to reduce the attack success rate by at least ~40% on standard attack setups and by more than 80% on some setups.

Critical Analysis

The paper presents a novel and effective defense against model poisoning attacks in Federated Learning. However, there are a few potential limitations and areas for further research:

  1. Dependence on the Defense Dataset: The performance of DataDefense is heavily dependent on the quality and coverage of the defense dataset. In real-world scenarios, it may be challenging to obtain a representative defense dataset with the right mix of poisoned and clean examples.

  2. Scalability and Computational Overhead: The proposed method involves training two additional models (the poisoned data detector and the client importance model) on top of the global model. This may lead to increased computational and memory requirements, which could be a concern for resource-constrained devices in Federated Learning.

  3. Generalization to Other Attack Scenarios: The paper focuses on evaluating DataDefense against specific attack scenarios. It would be valuable to explore the method's performance against a wider range of attack types and settings.

  4. Interpretability and Explainability: The paper does not provide much insight into how the poisoned data detector and client importance models make their decisions. Improving the interpretability of these models could help users better understand and trust the defense mechanism.

Overall, the DataDefense method represents a significant step forward in defending Federated Learning systems against model poisoning attacks. Further research to address the identified limitations could help to make the approach more practical and widely applicable.

Conclusion

The DataDefense method proposed in this paper addresses a crucial vulnerability in Federated Learning systems: the difficulty of detecting and mitigating model poisoning attacks, especially those targeting edge cases. By leveraging an external defense dataset, DataDefense can significantly reduce the attack success rate compared to other state-of-the-art defenses.

This research has important implications for the widespread adoption of Federated Learning, as it helps to improve the security and robustness of these distributed learning systems. As Federated Learning continues to gain traction in various applications, effective defenses against model poisoning attacks will be crucial for ensuring the trustworthiness and integrity of the learned models.

This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers

A Data-Driven Defense against Edge-case Model Poisoning Attacks on Federated Learning

Kiran Purohit, Soumi Das, Sourangshu Bhattacharya, Santu Rana

Federated Learning systems are increasingly subjected to a multitude of model poisoning attacks from clients. Among these, edge-case attacks that target a small fraction of the input space are nearly impossible to detect using existing defenses, leading to a high attack success rate. We propose an effective defense using an external defense dataset, which provides information about the attack target. The defense dataset contains a mix of poisoned and clean examples, with only a few known to be clean. The proposed method, DataDefense, uses this dataset to learn a poisoned data detector model which marks each example in the defense dataset as poisoned or clean. It also learns a client importance model that estimates the probability of a client update being malicious. The global model is then updated as a weighted average of the client models' updates. The poisoned data detector and the client importance model parameters are updated using an alternating minimization strategy over the Federated Learning rounds. Extensive experiments on standard attack scenarios demonstrate that DataDefense can defend against model poisoning attacks where other state-of-the-art defenses fail. In particular, DataDefense is able to reduce the attack success rate by at least ~ 40% on standard attack setups and by more than 80% on some setups. Furthermore, DataDefense requires very few defense examples (as few as five) to achieve a near-optimal reduction in attack success rate.

8/15/2024

Mitigating Malicious Attacks in Federated Learning via Confidence-aware Defense

Qilei Li, Ahmed M. Abdelmoniem

Federated Learning (FL) is a distributed machine learning paradigm that enables multiple clients to collaboratively train a global model without sharing their private local data. However, FL systems are vulnerable to attacks that happen on malicious clients through data poisoning and model poisoning, which can deteriorate the performance of the aggregated global model. Existing defense methods typically focus on mitigating specific types of poisoning and are often ineffective against unseen types of attack. These methods also assume that an attack happens moderately, which does not always hold true in reality. Consequently, these methods can fail significantly in terms of accuracy and robustness when detecting and addressing updates from malicious clients. To overcome these challenges, in this work, we propose a simple yet effective framework to detect malicious clients, namely Confidence-Aware Defense (CAD), that utilizes the confidence scores of local models as criteria to evaluate the reliability of local updates. Our key insight is that malicious attacks, regardless of attack type, will cause the model to deviate from its previous state, thus leading to increased uncertainty when making predictions. Therefore, CAD is comprehensively effective for both model poisoning and data poisoning attacks by accurately identifying and mitigating potential malicious updates, even under varying degrees of attacks and data heterogeneity. Experimental results demonstrate that our method significantly enhances the robustness of FL systems against various types of attacks across various scenarios by achieving higher model accuracy and stability.

8/20/2024

Defending Against Sophisticated Poisoning Attacks with RL-based Aggregation in Federated Learning

Yujing Wang, Hainan Zhang, Sijia Wen, Wangjie Qiu, Binghui Guo

Federated learning is highly susceptible to model poisoning attacks, especially those meticulously crafted for servers. Traditional defense methods mainly focus on updating assessments or robust aggregation against manually crafted myopic attacks. When facing advanced attacks, their defense stability is notably insufficient. Therefore, it is imperative to develop adaptive defenses against such advanced poisoning attacks. We find that benign clients exhibit significantly higher data distribution stability than malicious clients in federated learning in both CV and NLP tasks. Therefore, the malicious clients can be recognized by observing the stability of their data distribution. In this paper, we propose AdaAggRL, an RL-based Adaptive Aggregation method, to defend against sophisticated poisoning attacks. Specifically, we first utilize distribution learning to simulate the clients' data distributions. Then, we use the maximum mean discrepancy (MMD) to calculate the pairwise similarity of the current local model data distribution, its historical data distribution, and global model data distribution. Finally, we use policy learning to adaptively determine the aggregation weights based on the above similarities. Experiments on four real-world datasets demonstrate that the proposed defense model significantly outperforms widely adopted defense models for sophisticated attacks.

6/21/2024

FedMID: A Data-Free Method for Using Intermediate Outputs as a Defense Mechanism Against Poisoning Attacks in Federated Learning

Sungwon Han, Hyeonho Song, Sungwon Park, Meeyoung Cha

Federated learning combines local updates from clients to produce a global model, which is susceptible to poisoning attacks. Most previous defense strategies relied on vectors derived from projections of local updates on a Euclidean space; however, these methods fail to accurately represent the functionality and structure of local models, resulting in inconsistent performance. Here, we present a new paradigm to defend against poisoning attacks in federated learning using functional mappings of local models based on intermediate outputs. Experiments show that our mechanism is robust under a broad range of computing conditions and advanced attack scenarios, enabling safer collaboration among data-sensitive participants via federated learning.

4/19/2024