Poisoning Attacks on Federated Learning-based Wireless Traffic Prediction

Read original: arXiv:2404.14389 - Published 4/23/2024 by Zifan Zhang, Minghong Fang, Jiayuan Huang, Yuchen Liu

Overview

  • This paper investigates the issue of poisoning attacks on federated learning-based wireless traffic prediction.
  • Federated learning is a distributed machine learning approach where multiple devices collaborate to train a shared model without sharing their local data.
  • In a poisoning attack, an adversary injects malicious data into the training process to degrade the model's performance.
  • The authors explore how such poisoning attacks can impact wireless traffic prediction models trained using federated learning.

Plain English Explanation

Federated learning is a way for multiple devices, like smartphones or smart home devices, to work together to train a shared machine learning model without having to share their private data. This is useful for things like predicting wireless network traffic, where each device has data about the traffic it sees, but they don't want to share that data directly.

However, this federated approach opens the door to a type of attack called a "poisoning attack." In a poisoning attack, a bad actor tries to inject malicious data into the training process to trick the model and make it perform poorly.

This paper looks at how these poisoning attacks can impact wireless traffic prediction models that are trained using federated learning. The authors investigate different ways an attacker could try to poison the training data and how that affects the final model's accuracy. They also explore potential defenses against these types of attacks.

Understanding these poisoning threats is important as federated learning becomes more widely used, especially for sensitive applications like network management, where the security and reliability of the models are crucial.

Technical Explanation

The paper first provides an overview of related works on gradient leakage in federated learning and defenses against data poisoning attacks. It then introduces the problem of poisoning attacks on federated learning-based wireless traffic prediction.

The authors propose two types of poisoning attacks:

  1. Injection Attack: The attacker injects malicious data points into the training dataset to skew the model's predictions.
  2. Targeted Attack: The attacker specifically targets certain geographical regions or time periods by poisoning the data from those regions/times.

To evaluate the impact of these attacks, the authors conduct experiments using a real-world wireless traffic dataset. They compare the performance of the federated learning model under normal conditions and when subjected to the proposed poisoning attacks.

The results show that both injection and targeted attacks can significantly degrade the model's prediction accuracy, with the targeted attack being more effective. The authors also investigate the tradeoffs between model accuracy and attack resilience when adjusting the federated learning hyperparameters.

Critical Analysis

The paper provides a thorough exploration of poisoning attacks on federated learning-based wireless traffic prediction. However, there are a few areas that could be further addressed:

  1. Potential Defenses: While the paper mentions some general defenses against data poisoning, such as robust federated learning techniques, it does not delve deeply into specific defenses tailored to the wireless traffic prediction scenario.

  2. Impact on Personalized Models: The paper focuses on a global federated learning model, but personalized wireless federated learning models could be more vulnerable to targeted poisoning attacks.

  3. Real-world Applicability: The experiments are conducted on a single dataset, and it would be valuable to test the attacks and potential defenses on a broader range of wireless traffic datasets and scenarios.

  4. Ethical Considerations: The paper does not discuss the ethical implications of these poisoning attacks, such as the potential misuse of such techniques or the need for responsible disclosure and mitigation strategies.
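
The paper's abstract, reproduced under Related Papers on this page, describes its defense (GLID) as removing model parameters that fall outside a percentile range in each dimension. The following is an added sketch of that idea, not the authors' code: the function names, the fixed 10th/90th percentile band and the sample updates are assumptions made for illustration.

```python
from statistics import mean, median

def percentile(ordered, q):
    """q-th percentile (0-100) of a sorted list, linearly interpolated."""
    pos = (len(ordered) - 1) * q / 100.0
    lo = int(pos)
    hi = min(lo + 1, len(ordered) - 1)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (pos - lo)

def filtered_aggregate(updates, low_q=10.0, high_q=90.0):
    """Average client parameter vectors after per-dimension percentile filtering.

    Returns (aggregate, flags); flags[i] counts the dimensions in which
    client i fell outside the [low_q, high_q] band. The fixed band is an
    assumption of this sketch, not the paper's estimation method.
    """
    if not updates or any(len(u) != len(updates[0]) for u in updates):
        raise ValueError("updates must be non-empty vectors of equal length")
    flags = [0] * len(updates)
    aggregate = []
    for d in range(len(updates[0])):
        column = [u[d] for u in updates]
        ordered = sorted(column)
        lo, hi = percentile(ordered, low_q), percentile(ordered, high_q)
        kept = []
        for i, value in enumerate(column):
            if lo <= value <= hi:
                kept.append(value)
            else:
                flags[i] += 1
        # With very few clients the band can exclude everyone; use the median.
        aggregate.append(mean(kept) if kept else median(column))
    return aggregate, flags

# Constructed sample: six benign base stations and one implausible update.
UPDATES = [
    [0.50, -0.21, 1.03], [0.52, -0.19, 0.98], [0.48, -0.22, 1.00],
    [0.51, -0.18, 1.04], [0.49, -0.20, 0.96], [0.53, -0.23, 1.01],
    [25.0, -30.0, 40.0],  # far outside the benign range in every dimension
]

def demo():
    """Return (filtered aggregate, plain mean, per-client flag counts)."""
    robust, flags = filtered_aggregate(UPDATES)
    naive = [mean(col) for col in zip(*UPDATES)]
    return robust, naive, flags

if __name__ == "__main__":
    print(demo())
```

In the constructed sample the implausible update is flagged in all three dimensions while three benign clients are flagged once each, because a percentile band always trims both tails; flag counts are a triage signal rather than a verdict.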

Conclusion

This paper presents a detailed study on the vulnerability of federated learning-based wireless traffic prediction models to poisoning attacks. The proposed injection and targeted attacks demonstrate the significant impact such attacks can have on model performance.

As federated learning continues to gain traction for sensitive applications like network management, understanding and mitigating these types of security threats will be crucial to ensure the reliability and trustworthiness of the models. The insights from this research can help inform the development of more robust and attack-resilient federated learning systems for wireless traffic prediction and beyond.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!


Related Papers

Poisoning Attacks on Federated Learning-based Wireless Traffic Prediction

Zifan Zhang, Minghong Fang, Jiayuan Huang, Yuchen Liu

Federated Learning (FL) offers a distributed framework to train a global control model across multiple base stations without compromising the privacy of their local network data. This makes it ideal for applications like wireless traffic prediction (WTP), which plays a crucial role in optimizing network resources, enabling proactive traffic flow management, and enhancing the reliability of downstream communication-aided applications, such as IoT devices, autonomous vehicles, and industrial automation systems. Despite its promise, the security aspects of FL-based distributed wireless systems, particularly in regression-based WTP problems, remain inadequately investigated. In this paper, we introduce a novel fake traffic injection (FTI) attack, designed to undermine the FL-based WTP system by injecting fabricated traffic distributions with minimal knowledge. We further propose a defense mechanism, termed global-local inconsistency detection (GLID), which strategically removes abnormal model parameters that deviate beyond a specific percentile range estimated through statistical methods in each dimension. Extensive experimental evaluations, performed on real-world wireless traffic datasets, demonstrate that both our attack and defense strategies significantly outperform existing baselines.

4/23/2024

Poisoning with A Pill: Circumventing Detection in Federated Learning

Hanxi Guo, Hao Wang, Tao Song, Tianhang Zheng, Yang Hua, Haibing Guan, Xiangyu Zhang

Without direct access to the client's data, federated learning (FL) is well-known for its unique strength in data privacy protection among existing distributed machine learning techniques. However, its distributive and iterative nature makes FL inherently vulnerable to various poisoning attacks. To counteract these threats, extensive defenses have been proposed to filter out malicious clients, using various detection metrics. Based on our analysis of existing attacks and defenses, we find that there is a lack of attention to model redundancy. In neural networks, various model parameters contribute differently to the model's performance. However, existing attacks in FL manipulate all the model update parameters with the same strategy, making them easily detectable by common defenses. Meanwhile, the defenses also tend to analyze the overall statistical features of the entire model updates, leaving room for sophisticated attacks. Based on these observations, this paper proposes a generic and attack-agnostic augmentation approach designed to enhance the effectiveness and stealthiness of existing FL poisoning attacks against detection in FL, pointing out the inherent flaws of existing defenses and exposing the necessity of fine-grained FL security. Specifically, we employ a three-stage methodology that strategically constructs, generates, and injects poison (generated by existing attacks) into a pill (a tiny subnet with a novel structure) during the FL training, named as pill construction, pill poisoning, and pill injection accordingly. Extensive experimental results show that FL poisoning attacks enhanced by our method can bypass all the popular defenses, and can gain an up to 7x error rate increase, as well as on average a more than 2x error rate increase on both IID and non-IID data, in both cross-silo and cross-device FL systems.

7/23/2024

Poisoning Attacks on Federated Learning for Autonomous Driving

Sonakshi Garg, Hugo Jonsson, Gustav Kalander, Axel Nilsson, Bhhaanu Pirange, Viktor Valadi, Johan Ostman

Federated Learning (FL) is a decentralized learning paradigm, enabling parties to collaboratively train models while keeping their data confidential. Within autonomous driving, it brings the potential of reducing data storage costs, reducing bandwidth requirements, and accelerating the learning. FL is, however, susceptible to poisoning attacks. In this paper, we introduce two novel poisoning attacks on FL tailored to regression tasks within autonomous driving: FLStealth and Off-Track Attack (OTA). FLStealth, an untargeted attack, aims at providing model updates that deteriorate the global model performance while appearing benign. OTA, on the other hand, is a targeted attack with the objective to change the global model's behavior when exposed to a certain trigger. We demonstrate the effectiveness of our attacks by conducting comprehensive experiments pertaining to the task of vehicle trajectory prediction. In particular, we show that, among five different untargeted attacks, FLStealth is the most successful at bypassing the considered defenses employed by the server. For OTA, we demonstrate the inability of common defense strategies to mitigate the attack, highlighting the critical need for new defensive mechanisms against targeted attacks within FL for autonomous driving.

5/3/2024

Tracing Back the Malicious Clients in Poisoning Attacks to Federated Learning

Yuqi Jia, Minghong Fang, Hongbin Liu, Jinghuai Zhang, Neil Zhenqiang Gong

Poisoning attacks compromise the training phase of federated learning (FL) such that the learned global model misclassifies attacker-chosen inputs called target inputs. Existing defenses mainly focus on protecting the training phase of FL such that the learnt global model is poison free. However, these defenses often achieve limited effectiveness when the clients' local training data is highly non-iid or the number of malicious clients is large, as confirmed in our experiments. In this work, we propose FLForensics, the first poison-forensics method for FL. FLForensics complements existing training-phase defenses. In particular, when training-phase defenses fail and a poisoned global model is deployed, FLForensics aims to trace back the malicious clients that performed the poisoning attack after a misclassified target input is identified. We theoretically show that FLForensics can accurately distinguish between benign and malicious clients under a formal definition of poisoning attack. Moreover, we empirically show the effectiveness of FLForensics at tracing back both existing and adaptive poisoning attacks on five benchmark datasets.

7/11/2024