Defending Against Sophisticated Poisoning Attacks with RL-based Aggregation in Federated Learning

Read original: arXiv:2406.14217 - Published 6/21/2024 by Yujing Wang, Hainan Zhang, Sijia Wen, Wangjie Qiu, Binghui Guo

Motivation

This paper addresses the challenge of defending against sophisticated model poisoning attacks in federated learning. Federated learning is a distributed training approach in which many clients collaborate to train a shared model without sharing their local data; the server only sees the model updates the clients submit. That arrangement makes the system vulnerable to malicious clients who submit crafted updates to steer the aggregated model.

The authors note that traditional defenses focus on assessing individual updates or on robust aggregation rules tuned against manually crafted, myopic attacks (RFLPA, listed under Related Papers below, is one such robust-aggregation design). When the attacker adapts its updates to the server's aggregation, the stability of these defenses drops noticeably, which motivates an adaptive defense.

Technical Explanation

The proposed method, AdaAggRL, rests on an empirical observation the authors report for both CV and NLP tasks: benign clients exhibit far more stable data distributions across rounds than malicious clients. The server therefore tries to recognize malicious clients by measuring that stability, in three steps. First, distribution learning is used to simulate each client's data distribution from its submitted model. Second, the maximum mean discrepancy (MMD) is computed pairwise between the client's current local model distribution, its historical distribution, and the global model's distribution. Third, a reinforcement learning policy takes these similarities as input and adaptively outputs the aggregation weights, so a client whose distribution has drifted away from its own history or from the global model can be down-weighted.

The authors evaluate AdaAggRL on four real-world datasets against widely adopted defenses and against sophisticated, adaptive poisoning attacks, and report that it significantly outperforms the baselines on those attacks while preserving performance on the target task.
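The following is an added example, not the authors' code, showing the middle step of the pipeline described in the abstract: computing the three pairwise MMDs per client and turning them into aggregation weights. It makes two assumptions that the paper does not: the output of distribution learning is stood in for by constructed Gaussian feature samples, and the learned RL policy is replaced by a fixed softmax over the negative total MMD (with a hypothetical temperature of 0.1). The RBF kernel, bandwidth, sample sizes and the two-client scenario are all constructed here for illustration.

```python
import numpy as np


def rbf_mmd2(x, y, bandwidth=1.0):
    """Biased (V-statistic) estimate of squared MMD with an RBF kernel.

    x: (n, d) samples from distribution P, y: (m, d) samples from Q.
    Returns 0.0 when x and y are the same sample set and grows as P and Q drift apart.
    """
    def gram(a, b):
        # squared Euclidean distance between every row of a and every row of b
        d2 = np.sum(a ** 2, axis=1)[:, None] + np.sum(b ** 2, axis=1)[None, :] - 2.0 * a @ b.T
        return np.exp(-np.maximum(d2, 0.0) / (2.0 * bandwidth ** 2))
    return float(gram(x, x).mean() + gram(y, y).mean() - 2.0 * gram(x, y).mean())


def client_similarities(current, history, global_samples, bandwidth=1.0):
    """The three pairwise MMDs the abstract lists for one client."""
    return {
        "current_vs_history": rbf_mmd2(current, history, bandwidth),
        "current_vs_global": rbf_mmd2(current, global_samples, bandwidth),
        "history_vs_global": rbf_mmd2(history, global_samples, bandwidth),
    }


def aggregation_weights(similarities, temperature=0.1):
    """Stand-in for the learned policy (an assumption, not the paper's RL agent):
    softmax over the negative total MMD of each client.

    A client whose current distribution drifted from its own history or from the
    global model gets a large total MMD and therefore a small aggregation weight.
    """
    names = list(similarities)
    scores = np.array([sum(similarities[n].values()) for n in names])
    logits = -scores / temperature
    logits -= logits.max()  # shift for numerical stability; softmax is invariant to it
    w = np.exp(logits)
    w /= w.sum()
    return dict(zip(names, w.tolist()))


def weighted_aggregate(updates, weights):
    """Weighted average of client model updates (flattened parameter vectors)."""
    return sum(weights[n] * updates[n] for n in updates)


def demo(seed=0):
    """Constructed scenario: one stable (benign) client and one whose current
    distribution jumped away from its own history (malicious). Returns the
    per-client similarities, the derived weights and the aggregated update."""
    rng = np.random.default_rng(seed)
    n, d = 200, 2
    # constructed stand-in for the global model's learned data distribution
    global_samples = rng.normal(0.0, 1.0, (n, d))
    clients = {
        # (current distribution samples, historical distribution samples)
        "benign": (rng.normal(0.0, 1.0, (n, d)), rng.normal(0.0, 1.0, (n, d))),
        "malicious": (rng.normal(3.0, 1.0, (n, d)), rng.normal(0.0, 1.0, (n, d))),
    }
    sims = {name: client_similarities(cur, hist, global_samples)
            for name, (cur, hist) in clients.items()}
    weights = aggregation_weights(sims)
    # toy parameter updates: the benign client pushes toward +1, the malicious one toward -10
    updates = {"benign": np.full(3, 1.0), "malicious": np.full(3, -10.0)}
    return sims, weights, weighted_aggregate(updates, weights)


if __name__ == "__main__":
    sims, weights, agg = demo()
    for name, s in sims.items():
        print(name, {k: round(v, 3) for k, v in s.items()})
    print("weights", {k: round(v, 4) for k, v in weights.items()})
    print("aggregated update", agg)
```

In this constructed run the benign client's current-vs-history MMD stays near zero while the malicious client's is large, so the softmax assigns almost all weight to the benign client and the aggregated update stays close to the benign direction. The real method replaces the fixed softmax with a policy learned from these similarities; the MMD computation is the part this example shares with the abstract's description.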

Critical Analysis

Because the detection signal is distribution stability, the method relies on the server being able to simulate each client's data distribution from its submitted model and on keeping a per-client history of that distribution. A practitioner would want to know how the policy behaves when a benign client's data legitimately changes between rounds (for example, a device whose usage pattern shifts), since such a change would also raise the MMD between the client's current and historical distributions; the abstract does not address this case.

The method also adds server-side computation: distribution learning for every client in every round, the pairwise MMD computations, and the policy learning itself. This may limit scalability to federated deployments with very many clients, and further work is needed on the efficiency of the RL-based aggregation step.

Conclusion

This paper presents AdaAggRL, an RL-based adaptive aggregation approach for defending federated learning against sophisticated poisoning attacks. By measuring the stability of each client's data distribution with MMD and learning a policy that turns those similarities into aggregation weights, the authors show on four real-world datasets that the impact of advanced poisoning attacks can be mitigated. While the approach has practical limitations in cost and in its reliance on distribution stability, it is a useful step toward federated learning systems that stay robust against adaptive adversaries.




Related Papers

Defending Against Sophisticated Poisoning Attacks with RL-based Aggregation in Federated Learning

Yujing Wang, Hainan Zhang, Sijia Wen, Wangjie Qiu, Binghui Guo

Federated learning is highly susceptible to model poisoning attacks, especially those meticulously crafted for servers. Traditional defense methods mainly focus on updating assessments or robust aggregation against manually crafted myopic attacks. When facing advanced attacks, their defense stability is notably insufficient. Therefore, it is imperative to develop adaptive defenses against such advanced poisoning attacks. We find that benign clients exhibit significantly higher data distribution stability than malicious clients in federated learning in both CV and NLP tasks. Therefore, the malicious clients can be recognized by observing the stability of their data distribution. In this paper, we propose AdaAggRL, an RL-based Adaptive Aggregation method, to defend against sophisticated poisoning attacks. Specifically, we first utilize distribution learning to simulate the clients' data distributions. Then, we use the maximum mean discrepancy (MMD) to calculate the pairwise similarity of the current local model data distribution, its historical data distribution, and global model data distribution. Finally, we use policy learning to adaptively determine the aggregation weights based on the above similarities. Experiments on four real-world datasets demonstrate that the proposed defense model significantly outperforms widely adopted defense models for sophisticated attacks.

Published 6/21/2024

A Data-Driven Defense against Edge-case Model Poisoning Attacks on Federated Learning

Kiran Purohit, Soumi Das, Sourangshu Bhattacharya, Santu Rana

Federated Learning systems are increasingly subjected to a multitude of model poisoning attacks from clients. Among these, edge-case attacks that target a small fraction of the input space are nearly impossible to detect using existing defenses, leading to a high attack success rate. We propose an effective defense using an external defense dataset, which provides information about the attack target. The defense dataset contains a mix of poisoned and clean examples, with only a few known to be clean. The proposed method, DataDefense, uses this dataset to learn a poisoned data detector model which marks each example in the defense dataset as poisoned or clean. It also learns a client importance model that estimates the probability of a client update being malicious. The global model is then updated as a weighted average of the client models' updates. The poisoned data detector and the client importance model parameters are updated using an alternating minimization strategy over the Federated Learning rounds. Extensive experiments on standard attack scenarios demonstrate that DataDefense can defend against model poisoning attacks where other state-of-the-art defenses fail. In particular, DataDefense is able to reduce the attack success rate by at least ~40% on standard attack setups and by more than 80% on some setups. Furthermore, DataDefense requires very few defense examples (as few as five) to achieve a near-optimal reduction in attack success rate.

Published 8/15/2024

Mitigating Malicious Attacks in Federated Learning via Confidence-aware Defense

Qilei Li, Ahmed M. Abdelmoniem

Federated Learning (FL) is a distributed machine learning paradigm that enables multiple clients to collaboratively train a global model without sharing their private local data. However, FL systems are vulnerable to attacks launched by malicious clients through data poisoning and model poisoning, which can degrade the performance of the aggregated global model. Existing defense methods typically focus on mitigating specific types of poisoning and are often ineffective against unseen types of attack. These methods also assume that attacks are moderate, which does not always hold true in practice. Consequently, these methods can significantly fail in terms of accuracy and robustness when detecting and addressing updates from malicious clients. To overcome these challenges, in this work, we propose a simple yet effective framework to detect malicious clients, namely Confidence-Aware Defense (CAD), that utilizes the confidence scores of local models as criteria to evaluate the reliability of local updates. Our key insight is that malicious attacks, regardless of attack type, will cause the model to deviate from its previous state, thus leading to increased uncertainty when making predictions. Therefore, CAD is comprehensively effective for both model poisoning and data poisoning attacks by accurately identifying and mitigating potential malicious updates, even under varying degrees of attacks and data heterogeneity. Experimental results demonstrate that our method significantly enhances the robustness of FL systems against various types of attacks across various scenarios by achieving higher model accuracy and stability.

Published 8/20/2024

RFLPA: A Robust Federated Learning Framework against Poisoning Attacks with Secure Aggregation

Peihua Mai, Ran Yan, Yan Pang

Federated learning (FL) allows multiple devices to train a model collaboratively without sharing their data. Despite its benefits, FL is vulnerable to privacy leakage and poisoning attacks. To address the privacy concern, secure aggregation (SecAgg) is often used to obtain the aggregation of gradients on the server without inspecting individual user updates. Unfortunately, existing defense strategies against poisoning attacks rely on the analysis of local updates in plaintext, making them incompatible with SecAgg. To reconcile the conflicts, we propose a robust federated learning framework against poisoning attacks (RFLPA) based on the SecAgg protocol. Our framework computes the cosine similarity between local updates and server updates to conduct robust aggregation. Furthermore, we leverage verifiable packed Shamir secret sharing to achieve reduced communication cost of $O(M+N)$ per user, and design a novel dot-product aggregation algorithm to resolve the issue of increased information leakage. Our experimental results show that RFLPA significantly reduces communication and computation overhead by over 75% compared to the state-of-the-art method, BREA, while maintaining competitive accuracy.

Published 5/27/2024