Xicong Shen,Ying Liu,Fu Li,Chunguang Li

DOI: https://doi.org/10.1109/jiot.2023.3288886

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) has attracted widespread attention in the Internet of Things domain recently. With FL, multiple distributed devices can cooperatively train a global model by transmitting model updates without disclosing the original data. However, the distributed nature of FL makes it vulnerable to data poisoning attacks. In practice, malicious clients can launch the label-flipping attack (LFA) by simply tampering with the labels of local data, thus causing the global model to misclassify the samples of a selected class as the target class. Although some defense mechanisms have been proposed, they rely on specific assumptions about data distribution, and their performance degrades significantly when the data on clients are non-IID. Besides, most existing methods require clients to upload model updates in plaintext so that the server can identify and remove the malicious updates. But, direct transmission of model updates may still reveal private information. Considering these issues, we develop a label-flipping-robust and privacy-preserving FL (LFR-PPFL) algorithm, which is applicable to both independent and identically distributed (IID) and non-IID data. We first propose a detection method based on temporal analysis on cosine similarity to distinguish malicious clients from benign clients. Then, we propose a privacy-preserving computation protocol based on homomorphic encryption to implement this detection method and perform federated aggregation while protecting the privacy of clients. Besides, a detailed theoretical analysis is given to demonstrate the privacy guarantee of the proposed protocol. Experimental results on real-world data sets show that the proposed algorithm can effectively defend against LFAs under various data distributions.

Dongxiao Yu,Hengming Zhang,Yan Huang,Zhenzhen Xie

DOI: https://doi.org/10.1016/j.hcc.2024.100235

2024-01-01

High-Confidence Computing

Abstract:Federated Learning(FL) is currently a widely used collaborative learning framework, and the distinguished feature of FL is that the clients involved in training do not need to share raw data, but only transfer the model parameters to share knowledge, and finally get a global model with improved performance. However, recent studies have found that sharing model parameters may still lead to privacy leakage. From the shared model parameters, local training data can be reconstructed and thus lead to a threat to individual privacy and security. We observed that most of the current attacks are aimed at client-specific data reconstruction, while limited attention is paid to the information leakage of the global model. In our work, we propose a novel FL attack based on shared model parameters that can deduce the data distribution of the global model. Different from other FL attacks that aim to infer individual clients’ raw data, the data distribution inference attack proposed in this work shows that the attackers can have the capability to deduce the data distribution information behind the global model. We argue that such information is valuable since the training data behind a well-trained global model indicates the common knowledge of a specific task, such as social networks and e-commerce applications. To implement such an attack, our key idea is to adopt a deep reinforcement learning approach to guide the attack process, where the RL agent adjusts the pseudo-data distribution automatically until it is similar to the ground truth data distribution. By a carefully designed MDP process, our implementation ensures our attack can have stable performance and experimental results verify the effectiveness of our proposed inference attack.

Ehsan Nowroozi,Imran Haider,Rahim Taheri,Mauro Conti

2024-03-05

Abstract:Federated Learning (FL) is a machine learning (ML) approach that enables multiple decentralized devices or edge servers to collaboratively train a shared model without exchanging raw data. During the training and sharing of model updates between clients and servers, data and models are susceptible to different data-poisoning attacks.

Cryptography and Security,Artificial Intelligence,Computers and Society,Machine Learning,Networking and Internet Architecture

Giorgio Severi,Matthew Jagielski,Gökberk Yar,Yuxuan Wang,Alina Oprea,Cristina Nita-Rotaru

DOI: https://doi.org/10.48550/arXiv.2208.12911

2022-08-27

Abstract:Federated learning is a popular strategy for training models on distributed, sensitive data, while preserving data privacy. Prior work identified a range of security threats on federated learning protocols that poison the data or the model. However, federated learning is a networked system where the communication between clients and server plays a critical role for the learning task performance. We highlight how communication introduces another vulnerability surface in federated learning and study the impact of network-level adversaries on training federated learning models. We show that attackers dropping the network traffic from carefully selected clients can significantly decrease model accuracy on a target population. Moreover, we show that a coordinated poisoning campaign from a few clients can amplify the dropping attacks. Finally, we develop a server-side defense which mitigates the impact of our attacks by identifying and up-sampling clients likely to positively contribute towards target accuracy. We comprehensively evaluate our attacks and defenses on three datasets, assuming encrypted communication channels and attackers with partial visibility of the network.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Xiaohan Hao,Chao Lin,Wenhan Dong,Xinyi Huang,Hui Xiong

DOI: https://doi.org/10.1109/tifs.2023.3336521

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated Learning (FL) enables multiple clients to collaboratively train a model without sharing their private data. However, the deployment of FL in real-world applications is vulnerable to various attacks from both malicious servers and clients. While cryptographic methods are effective in resisting server-side attacks, they undermine the capability of client-side defenses that rely on plaintext updates. Several valuable defenses targeting hybrid attacks have been devised to address this challenge, concentrating on specific client-side threats. To improve scalability, we continue this research line to introduce a generic architecture covering more client-side attacks. In this paper, we propose a general architecture to enhance client-side defenses from plaintext to ciphertext domains. This architecture not only supports the server-side defenses, but also accommodates a broader range of client-side defenses, including Norm-based, Krum-based, and Cosine-based strategies. The core of our architecture is generic detection under ciphertext, which tackles the following conflict of integrating server-side and client-side defenses. That is, the former aims to protect parameters from exposure while the latter demands plaintext updates. We prove the security of our architecture through the Universal Composability framework. Additionally, we provide a comprehensive instantiation and extensive evaluations to demonstrate the effectiveness and robustness of our approach. Our experiments show that our architecture can maintain the effectiveness of current client-side defenses when parameters are encrypted, thus effectively resisting hybrid attacks.

Lixu Wang,Shichao Xu,Xiao Wang,Qi Zhu

DOI: https://doi.org/10.48550/arXiv.1910.06044

2019-10-27

Abstract:Federated learning (FL) has recently emerged as a new form of collaborative machine learning, where a common model can be learned while keeping all the training data on local devices. Although it is designed for enhancing the data privacy, we demonstrated in this paper a new direction in inference attacks in the context of FL, where valuable information about training data can be obtained by adversaries with very limited power. In particular, we proposed three new types of attacks to exploit this vulnerability. The first type of attack, Class Sniffing, can detect whether a certain label appears in training. The other two types of attacks can determine the quantity of each label, i.e., Quantity Inference attack determines the composition proportion of the training label owned by the selected clients in a single round, while Whole Determination attack determines that of the whole training process. We evaluated our attacks on a variety of tasks and datasets with different settings, and the corresponding results showed that our attacks work well generally. Finally, we analyzed the impact of major hyper-parameters to our attacks and discussed possible defenses.

Machine Learning,Cryptography and Security,Multiagent Systems

Sungwon Park,Sungwon Han,Fangzhao Wu,Sundong Kim,Bin Zhu,Xing Xie,Meeyoung Cha

DOI: https://doi.org/10.48550/arXiv.2307.09048

2023-07-18

Abstract:Federated learning enables learning from decentralized data sources without compromising privacy, which makes it a crucial technique. However, it is vulnerable to model poisoning attacks, where malicious clients interfere with the training process. Previous defense mechanisms have focused on the server-side by using careful model aggregation, but this may not be effective when the data is not identically distributed or when attackers can access the information of benign clients. In this paper, we propose a new defense mechanism that focuses on the client-side, called FedDefender, to help benign clients train robust local models and avoid the adverse impact of malicious model updates from attackers, even when a server-side defense cannot identify or remove adversaries. Our method consists of two main components: (1) attack-tolerant local meta update and (2) attack-tolerant global knowledge distillation. These components are used to find noise-resilient model parameters while accurately extracting knowledge from a potentially corrupted global model. Our client-side defense strategy has a flexible structure and can work in conjunction with any existing server-side strategies. Evaluations of real-world scenarios across multiple datasets show that the proposed method enhances the robustness of federated learning against model poisoning attacks.

Cryptography and Security,Artificial Intelligence

Joseph Rance,Filip Svoboda

2024-07-26

Abstract:Federated Learning is an important emerging distributed training paradigm that keeps data private on clients. It is now well understood that by controlling only a small subset of FL clients, it is possible to introduce a backdoor to a federated learning model, in the presence of certain attributes. In this paper, we present a new type of attack that compromises the fairness of the trained model. Fairness is understood to be the attribute-level performance distribution of a trained model. It is particularly salient in domains where, for example, skewed accuracy discrimination between subpopulations could have disastrous consequences. We find that by employing a threat model similar to that of a backdoor attack, an attacker is able to influence the aggregated model to have an unfair performance distribution between any given set of attributes. Furthermore, we find that this attack is possible by controlling only a single client. While combating naturally induced unfairness in FL has previously been discussed in depth, its artificially induced kind has been neglected. We show that defending against attacks on fairness should be a critical consideration in any situation where unfairness in a trained model could benefit a user who participated in its training.

Machine Learning,Cryptography and Security

Yijiang Li,Ying Gao,Haohan Wang

2024-11-21

Abstract:We investigate a specific security risk in FL: a group of malicious clients has impacted the model during training by disguising their identities and acting as benign clients but later switching to an adversarial role. They use their data, which was part of the training set, to train a substitute model and conduct transferable adversarial attacks against the federated model. This type of attack is subtle and hard to detect because these clients initially appear to be benign. The key question we address is: How robust is the FL system to such covert attacks, especially compared to traditional centralized learning systems? We empirically show that the proposed attack imposes a high security risk to current FL systems. By using only 3\% of the client's data, we achieve the highest attack rate of over 80\%. To further offer a full understanding of the challenges the FL system faces in transferable attacks, we provide a comprehensive analysis over the transfer robustness of FL across a spectrum of configurations. Surprisingly, FL systems show a higher level of robustness than their centralized counterparts, especially when both systems are equally good at handling regular, non-malicious data. We attribute this increased robustness to two main factors: 1) Decentralized Data Training: Each client trains the model on its own data, reducing the overall impact of any single malicious client. 2) Model Update Averaging: The updates from each client are averaged together, further diluting any malicious alterations. Both practical experiments and theoretical analysis support our conclusions. This research not only sheds light on the resilience of FL systems against hidden attacks but also raises important considerations for their future application and development.

Machine Learning,Computer Vision and Pattern Recognition

Qammar, Attia,Ding, Jianguo,Ning, Huansheng

DOI: https://doi.org/10.1007/s10462-021-10098-w

IF: 9.588

2021-01-01

Artificial Intelligence Review

Abstract:Federated learning (FL) has received a great deal of research attention in the context of privacy protection restrictions. By jointly training deep learning models, a variety of training tasks can be competently performed with the help of invited participants. However, FL is concerned with a large number of attacks involving privacy and security aspects. This paper shows a federated learning workflow process and how a malicious client can exploit vulnerabilities in the FL system to attack the system. A systematic survey of existing research on the taxonomy of federated learning attack surface and the classification is presented. As with the FL attack surface, attackers compromise security, privacy, gain free incentives and abuse the Confidentiality, Integrity, and Availability (CIA) security triad. In addition, state-of-the-art defensive approaches against FL attacks are elaborated which help to protect and minimize the likelihood of attacks. FL models and tools for privacy attacks are explained, along with their best aspects and drawbacks. Finally, technical challenges and possible research guidelines are discussed as future work to build robust FL systems.

Jie Yang,Thar Baker,Sukhpal Singh Gill,Xiaochuan Yang,Weifeng Han,Yuanzhang Li

DOI: https://doi.org/10.1002/spe.3180

2022-12-12

Software Practice and Experience

Abstract:Federated learning (FL) is widely used in edge‐cloud collaborative training due to its distributed architecture and privacy‐preserving properties without sharing local data. FLTrust, the most state‐of‐the‐art FL defense method, is a federated learning defense system with trust guidance. However, we found that FLTrust is not very robust. Therefore, in the edge collaboration scenario, we mainly study the poisoning attack on the FLTrust defense system. Due to the aggregation rule, FLTrust, with trust guidance, the model updates of participants with a significant deviation from the root gradient direction will be eliminated, which makes the poisoning effect on the global model not obvious. To solve this problem, under the premise of not being deleted by the FLTrust aggregation rules, we construct malicious model updates that deviate from the trust gradient to the greatest extent to achieve model poisoning attacks. First, we utilize the rotation of high‐dimensional vectors around axes to construct malicious vectors with fixed orientations. Second, the malicious vector is constructed by the gradient inversion method to achieve an efficient and fast attack. Finally, a method of optimizing random noise is used to construct a malicious vector with a fixed direction. Experimental results show that our attack method reduces the model accuracy by 20%, severely undermining the usability of the model. Attacks are also successful hundreds of times faster than the FLTrust adaptive attack method.

Pei Fang,Jinghui Chen

DOI: https://doi.org/10.48550/arXiv.2301.08170

2023-01-20

Abstract:Federated Learning (FL) is a popular distributed machine learning paradigm that enables jointly training a global model without sharing clients' data. However, its repetitive server-client communication gives room for backdoor attacks with aim to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack method for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.

Machine Learning,Artificial Intelligence,Cryptography and Security

Vale Tolpegin,Stacey Truex,Mehmet Emre Gursoy,Ling Liu

DOI: https://doi.org/10.1007/978-3-030-58951-6_24

2020-01-01

Abstract:Federated learning (FL) is an emerging paradigm for distributed training of large-scale deep neural networks in which participants’ data remains on their own devices with only model updates being shared with a central server. However, the distributed nature of FL gives rise to new threats caused by potentially malicious participants. In this paper, we study targeted data poisoning attacks against FL systems in which a malicious subset of the participants aim to poison the global model by sending model updates derived from mislabeled data. We first demonstrate that such data poisoning attacks can cause substantial drops in classification accuracy and recall, even with a small percentage of malicious participants. We additionally show that the attacks can be targeted, i.e., they have a large negative impact only on classes that are under attack. We also study attack longevity in early/late round training, the impact of malicious participant availability, and the relationships between the two. Finally, we propose a defense strategy that can help identify malicious participants in FL to circumvent poisoning attacks, and demonstrate its effectiveness.

Chuan Ma,Jun Li,Ming Ding,Kang Wei,Wen Chen,H. Vincent Poor

DOI: https://doi.org/10.1109/jiot.2021.3079472

IF: 10.6

2021-12-15

IEEE Internet of Things Journal

Abstract:Owing to the low communication costs and privacy-promoting capabilities, federated learning (FL) has become a promising tool for training effective machine learning models among distributed clients. However, with the distributed architecture, low-quality models could be uploaded to the aggregator server by unreliable clients, leading to a degradation or even a collapse of training. In this article, we model these unreliable behaviors of clients and propose a defensive mechanism to mitigate such a security risk. Specifically, we first investigate the impact on the models caused by unreliable clients by deriving a convergence upper bound on the loss function based on the gradient descent updates. Our bounds reveal that with a fixed amount of total computational resources, there exists an optimal number of local training iterations in terms of convergence performance. We further design a novel defensive mechanism, named deep neural network-based secure aggregation (DeepSA). Our experimental results validate our theoretical analysis. In addition, the effectiveness of DeepSA is verified by comparing with other state-of-the-art defensive mechanisms.

computer science, information systems,telecommunications,engineering, electrical & electronic

Suchul Lee

DOI: https://doi.org/10.1109/access.2024.3426534

IF: 3.9

2024-07-19

IEEE Access

Abstract:Federated learning (FL) is a deep learning paradigm that allows clients to train deep learning models distributively, keeping raw data local rather than sending it to the cloud, thereby reducing security and privacy concerns. Although FL is designed to be inherently secure, it still has many vulnerabilities. In this paper, we consider an FL scenario where clients are subjected to an adversarial attack that exploits vulnerabilities in the decision-making process of deep learning models to induce misclassification. We observed that adversarial training has a trade-off relationship in which, as classification performance for adversarial examples increases, classification performance for normal samples decreases. To effectively utilize this trade-off relationship in adversarial training, we propose an adaptive selection scheme of the loss function depending on whether the FL client is attacked. The proposed scheme was experimentally proven to achieve the best robust accuracy while minimizing the decrease in natural accuracy. Further, we combined the proposed scheme with Byzantine-robust aggregation. We expected model training to converge stably because Byzantine-robust aggregation prevents highly distorted models from being aggregated, but we obtained experimental results that were contrary to our expectations.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jingxuan Zhou,Zhengyi Zhong,Ji Wang,Xiongtao Zhang,Fuxu Chen,Chun Yan

DOI: https://doi.org/10.1109/BigDIA53151.2021.9619731

2021-01-01

Abstract:Federated learning(FL), one of the most popular distributed machine learning algorithms, allows participants to collaborate on updating models without sharing local data. At the same time, FL is vulnerable to malicious attacks due to the secrecy of the data. Backdoor attacks, as one of many malicious attacks, attempt to add a backdoor to the global model, which will lead to misclassification after...

Kun Gao,Tianqing Zhu,Dayong Ye,Wanlei Zhou

DOI: https://doi.org/10.1016/j.knosys.2024.111983

IF: 8.139

2024-05-29

Knowledge-Based Systems

Abstract:Federated learning (FL) has been used as a promising approach to breaking the dilemma between the data privacy and the learning from large collections of distributed data. Without sharing data, the server trains a global model with high accuracy only by accessing the gradient of each client. However, recent research has revealed that FL is vulnerable to gradient inversion attacks, where the server can reconstruct clients' training data by inverting their uploaded gradients. Current defense methods share the common limitation that they need to either perturb the training data or the gradients. However, this perturbation will inevitably reduce the accuracy of the global model. To overcome these limitations, this paper proposes a defense method by allowing clients to train local models without using training data but rather using the statistical information of the data. Inspired by the statistical machine unlearning method, which uses statistical information to train models, combined with knowledge distillation to lightweight local models, our method further isolates the relationship between gradients and training data by transferring the model to a simpler model. Knowledge distillation typically involves extracting knowledge from a teacher model and transferring it to a student model without the need for the original training data. With this method, on the one hand, the server can reconstruct only the statistical information of the student model data, which is semantically meaningless to humans. On the other hand, using the statistical information of the data to train the global model can guarantee the model's accuracy. Experimental results show that our method outperforms existing defense methods in various aspects, including reconstruction accuracy, model accuracy and training efficiency.

computer science, artificial intelligence

Qi Tan,Qi Li,Yi Zhao,Zhuotao Liu,Xiaobing Guo,Ke Xu

2024-03-03

Abstract:Federated Learning (FL) trains a black-box and high-dimensional model among different clients by exchanging parameters instead of direct data sharing, which mitigates the privacy leak incurred by machine learning. However, FL still suffers from membership inference attacks (MIA) or data reconstruction attacks (DRA). In particular, an attacker can extract the information from local datasets by constructing DRA, which cannot be effectively throttled by existing techniques, e.g., Differential Privacy (DP).

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Yilei Wang,Qingzhe Lv,Huang Zhang,Minghao Zhao,Yuhong Sun,Lingkai Ran,Tao Li

DOI: https://doi.org/10.1007/s11280-023-01159-x

2023-01-01

World Wide Web

Abstract:Federated learning is an emerging paradigm that enables multiple organizations to jointly train a model without revealing their private data. As an important variant, vertical federated learning (VFL) deals with cases in which collaborating organizations own data of the same set of users but with disjoint features. It is generally regarded that VFL is more secure than horizontal federated learning. However, recent research (USENIX Security’22) reveals that it is still possible to conduct label inference attacks in VFL, in which attacker can acquire privately owned labels of other participants; even VFL constructed with model splitting (the kind of VFL architecture with higher security guarantee) cannot escape it. To solve this issue, in this paper, we propose the dispersed training framework. It utilizes secret sharing to break the correlations between the bottom model and the training data. Accordingly, even if the attacker receives the gradients in the training phase, he is incapable to deduce the feature representation of labels from the bottom model. Besides, we design a customized model aggregation method such that the shared model can be privately combined, and the linearity of secret sharing schemes ensures the training accuracy to be preserved. Theoretical and experimental analyses indicate the satisfactory performance and effectiveness of our framework.

Xianghua Xie,Chen Hu,Hanchi Ren,Jingjing Deng

DOI: https://doi.org/10.1016/j.neucom.2023.127225

IF: 6

2024-01-10

Neurocomputing

Abstract:Federated Learning (FL) has emerged as a powerful paradigm for training Machine Learning (ML), particularly Deep Learning (DL) models on multiple devices or servers while maintaining data localized at owners' sites. Without centralizing data, FL holds promise for scenarios where data integrity, privacy and security and are critical. However, this decentralized training process also opens up new avenues for opponents to launch unique attacks, where it has been becoming an urgent need to understand the vulnerabilities and corresponding defense mechanisms from a learning algorithm perspective. This review paper takes a comprehensive look at malicious attacks against FL, categorizing them from new perspectives on attack origins and targets, and providing insights into their methodology and impact. In this survey, we focus on threat models targeting the learning process of FL systems. Based on the source and target of the attack, we categorize existing threat models into four types, Data to Model (D2M), Model to Data (M2D), Model to Model (M2M) and composite attacks. For each attack type, we discuss the defense strategies proposed, highlighting their effectiveness, assumptions and potential areas for improvement. Defense strategies have evolved from using a singular metric to excluding malicious clients, to employing a multifaceted approach examining client models at various phases. In this survey paper, our research indicates that the to-learn data, the learning gradients, and the learned model at different stages all can be manipulated to initiate malicious attacks that range from undermining model performance, reconstructing private local data, and to inserting backdoors. We have also seen these threat are becoming more insidious. While earlier studies typically amplified malicious gradients, recent endeavors subtly alter the least significant weights in local models to bypass defense measures. This literature review provides a holistic understanding of the current FL threat landscape and highlights the importance of developing robust, efficient, and privacy-preserving defenses to ensure the safe and trusted adoption of FL in real-world applications. The categorized bibliography can be found at: https://github.com/Rand2AI/Awesome-Vulnerability-of-Federated-Learning .

computer science, artificial intelligence