Yaxin Du,Rui Ye,Fengting Yuchi,Wanru Zhao,Jingjing Qu,Yanfeng Wang,Siheng Chen

2024-10-15

Abstract:By leveraging massively distributed data, federated learning (FL) enables collaborative instruction tuning of large language models (LLMs) in a privacy-preserving way. While FL effectively expands the data quantity, the issue of data quality remains under-explored in the current literature on FL for LLMs. To address this gap, we propose a new framework of federated instruction tuning of LLMs with data quality control (FedDQC), which measures data quality to facilitate the subsequent filtering and hierarchical training processes. Our approach introduces an efficient metric to assess each client's instruction-response alignment (IRA), identifying potentially noisy data through single-shot inference. Low-IRA samples are potentially noisy and filtered to mitigate their negative impacts. To further utilize this IRA value, we propose a quality-aware hierarchical training paradigm, where LLM is progressively fine-tuned from high-IRA to low-IRA data, mirroring the easy-to-hard learning process. We conduct extensive experiments on 4 synthetic and a real-world dataset, and compare our method with baselines adapted from centralized setting. Results show that our method consistently and significantly improves the performance of LLMs trained on mix-quality data in FL.

Machine Learning

Jiongxiao Wang,Jiazhao Li,Yiquan Li,Xiangyu Qi,Junjie Hu,Yixuan Li,Patrick McDaniel,Muhao Chen,Bo Li,Chaowei Xiao

2024-06-20

Abstract:Despite the general capabilities of Large Language Models (LLM), these models still request fine-tuning or adaptation with customized data when meeting specific business demands. However, this process inevitably introduces new threats, particularly against the Fine-tuning based Jailbreak Attack (FJAttack) under the setting of Language-Model-as-a-Service (LMaaS), where the model's safety has been significantly compromised by fine-tuning users' uploaded examples contain just a few harmful examples. Though potential defenses have been proposed that the service providers can integrate safety examples into the fine-tuning dataset to reduce safety issues, such approaches require incorporating a substantial amount of data, making it inefficient. To effectively defend against the FJAttack with limited safety examples under LMaaS, we propose the Backdoor Enhanced Safety Alignment method inspired by an analogy with the concept of backdoor attacks. In particular, service providers will construct prefixed safety examples with a secret prompt, acting as a "backdoor trigger". By integrating prefixed safety examples into the fine-tuning dataset, the subsequent fine-tuning process effectively acts as the "backdoor attack", establishing a strong correlation between the secret prompt and safety generations. Consequently, safe responses are ensured once service providers prepend this secret prompt ahead of any user input during inference. Our comprehensive experiments demonstrate that through the Backdoor Enhanced Safety Alignment with adding as few as 11 prefixed safety examples, the maliciously fine-tuned LLMs will achieve similar safety performance as the original aligned models without harming the benign performance. Furthermore, we also present the effectiveness of our method in a more practical setting where the fine-tuning data consists of both FJAttack examples and the fine-tuning task data.

Cryptography and Security,Computation and Language

Samuele Poppi,Zheng-Xin Yong,Yifei He,Bobbie Chern,Han Zhao,Aobo Yang,Jianfeng Chi

2024-10-24

Abstract:Recent advancements in Large Language Models (LLMs) have sparked widespread concerns about their safety. Recent work demonstrates that safety alignment of LLMs can be easily removed by fine-tuning with a few adversarially chosen instruction-following examples, i.e., fine-tuning attacks. We take a further step to understand fine-tuning attacks in multilingual LLMs. We first discover cross-lingual generalization of fine-tuning attacks: using a few adversarially chosen instruction-following examples in one language, multilingual LLMs can also be easily compromised (e.g., multilingual LLMs fail to refuse harmful prompts in other languages). Motivated by this finding, we hypothesize that safety-related information is language-agnostic and propose a new method termed Safety Information Localization (SIL) to identify the safety-related information in the model parameter space. Through SIL, we validate this hypothesis and find that only changing 20% of weight parameters in fine-tuning attacks can break safety alignment across all languages. Furthermore, we provide evidence to the alternative pathways hypothesis for why freezing safety-related parameters does not prevent fine-tuning attacks, and we demonstrate that our attack vector can still jailbreak LLMs adapted to new languages.

Computation and Language,Artificial Intelligence,Cryptography and Security,Machine Learning

Hangn Su,Jianhong Zhou,Xianhua Niu,Gang Feng

DOI: https://doi.org/10.48550/arXiv.2312.04597

2023-12-06

Cryptography and Security

Abstract:As a key technology in 6G research, federated learning (FL) enables collaborative learning among multiple clients while ensuring individual data privacy. However, malicious attackers among the participating clients can intentionally tamper with the training data or the trained model, compromising the accuracy and trustworthiness of the system. To address this issue, in this paper, we propose a hierarchical audit-based FL (HiAudit-FL) framework, with the aim to enhance the reliability and security of the learning process. The hierarchical audit process includes two stages, namely model-audit and parameter-audit. In the model-audit stage, a low-overhead audit method is employed to identify suspicious clients. Subsequently, in the parameter-audit stage, a resource-consuming method is used to detect all malicious clients with higher accuracy among the suspicious ones. Specifically, we execute the model audit method among partial clients for multiple rounds, which is modeled as a partial observation Markov decision process (POMDP) with the aim to enhance the robustness and accountability of the decision-making in complex and uncertain environments. Meanwhile, we formulate the problem of identifying malicious attackers through a multi-round audit as an active sequential hypothesis testing problem and leverage a diffusion model-based AI-Enabled audit selection strategy (ASS) to decide which clients should be audited in each round. To accomplish efficient and effective audit selection, we design a DRL-ASS algorithm by incorporating the ASS in a deep reinforcement learning (DRL) framework. Our simulation results demonstrate that HiAudit-FL can effectively identify and handle potential malicious users accurately, with small system overhead.

Jie Yang,Thar Baker,Sukhpal Singh Gill,Xiaochuan Yang,Weifeng Han,Yuanzhang Li

DOI: https://doi.org/10.1002/spe.3180

2022-12-12

Software Practice and Experience

Abstract:Federated learning (FL) is widely used in edge‐cloud collaborative training due to its distributed architecture and privacy‐preserving properties without sharing local data. FLTrust, the most state‐of‐the‐art FL defense method, is a federated learning defense system with trust guidance. However, we found that FLTrust is not very robust. Therefore, in the edge collaboration scenario, we mainly study the poisoning attack on the FLTrust defense system. Due to the aggregation rule, FLTrust, with trust guidance, the model updates of participants with a significant deviation from the root gradient direction will be eliminated, which makes the poisoning effect on the global model not obvious. To solve this problem, under the premise of not being deleted by the FLTrust aggregation rules, we construct malicious model updates that deviate from the trust gradient to the greatest extent to achieve model poisoning attacks. First, we utilize the rotation of high‐dimensional vectors around axes to construct malicious vectors with fixed orientations. Second, the malicious vector is constructed by the gradient inversion method to achieve an efficient and fast attack. Finally, a method of optimizing random noise is used to construct a malicious vector with a fixed direction. Experimental results show that our attack method reduces the model accuracy by 20%, severely undermining the usability of the model. Attacks are also successful hundreds of times faster than the FLTrust adaptive attack method.

Xiangyu Qi,Ashwinee Panda,Kaifeng Lyu,Xiao Ma,Subhrajit Roy,Ahmad Beirami,Prateek Mittal,Peter Henderson

2024-06-10

Abstract:The safety alignment of current Large Language Models (LLMs) is vulnerable. Relatively simple attacks, or even benign fine-tuning, can jailbreak aligned models. We argue that many of these vulnerabilities are related to a shared underlying issue: safety alignment can take shortcuts, wherein the alignment adapts a model's generative distribution primarily over only its very first few output tokens. We refer to this issue as shallow safety alignment. In this paper, we present case studies to explain why shallow safety alignment can exist and provide evidence that current aligned LLMs are subject to this issue. We also show how these findings help explain multiple recently discovered vulnerabilities in LLMs, including the susceptibility to adversarial suffix attacks, prefilling attacks, decoding parameter attacks, and fine-tuning attacks. Importantly, we discuss how this consolidated notion of shallow safety alignment sheds light on promising research directions for mitigating these vulnerabilities. For instance, we show that deepening the safety alignment beyond just the first few tokens can often meaningfully improve robustness against some common exploits. Finally, we design a regularized finetuning objective that makes the safety alignment more persistent against fine-tuning attacks by constraining updates on initial tokens. Overall, we advocate that future safety alignment should be made more than just a few tokens deep.

Cryptography and Security,Artificial Intelligence

Xiong Xiao,Zhuo Tang,Li Yang,Yingjie Song,Jiawei Tan,Kenli Li

DOI: https://doi.org/10.1109/mnet.004.2200645

IF: 10.294

2023-01-01

IEEE Network

Abstract:As a novel distributed machine learning scheme, federated learning (FL) efficiently realizes the collaborative training of models by global participants while also protecting their data privacy. Due to the independence of participants' local data and the inability of the FL server to access the local data, many IIoT applications with strong data sensitivity are increasingly incorporating FL technology. However, it also exposes a great security vulnerability. Malicious adversaries manipulate local data to perform covert targeted poisoning attacks or other harmful behaviors to affect the global model. In addition, due to the diversity of IIoT data in actual scenarios, different data distribution scenarios can also cause different attack effects In this work, we devise a defense technique called FDSFL against multiple malicious adversaries and various targeted poisoning attacks involving both IID and non-IID data distribution scenarios. It runs on the server-side and mainly includes three execution modules: pairwise cosine similarity, clustering mechanism, and filtering strategy, which can dynamically filter malicious updates during the iterative training process. We demonstrate that our designed FDSFL outperforms the state-of-the-art in maintaining global model accuracy and reducing attack success rates through extensive experiments on three general datasets.

Rui Ye,Wenhao Wang,Jingyi Chai,Dihan Li,Zexi Li,Yinda Xu,Yaxin Du,Yanfeng Wang,Siheng Chen

2024-02-10

Abstract:Trained on massive publicly available data, large language models (LLMs) have demonstrated tremendous success across various fields. While more data contributes to better performance, a disconcerting reality is that high-quality public data will be exhausted in a few years. In this paper, we offer a potential next step for contemporary LLMs: collaborative and privacy-preserving LLM training on the underutilized distributed private data via federated learning (FL), where multiple data owners collaboratively train a shared model without transmitting raw data. To achieve this, we build a concise, integrated, and research-friendly framework/codebase, named OpenFedLLM. It covers federated instruction tuning for enhancing instruction-following capability, federated value alignment for aligning with human values, and 7 representative FL algorithms. Besides, OpenFedLLM supports training on diverse domains, where we cover 8 training datasets; and provides comprehensive evaluations, where we cover 30+ evaluation metrics. Through extensive experiments, we observe that all FL algorithms outperform local training on training LLMs, demonstrating a clear performance improvement across a variety of settings. Notably, in a financial benchmark, Llama2-7B fine-tuned by applying any FL algorithm can outperform GPT-4 by a significant margin while the model obtained through individual training cannot, demonstrating strong motivation for clients to participate in FL. The code is available at this https URL.

Machine Learning,Computation and Language,Distributed, Parallel, and Cluster Computing,Multiagent Systems

Wen Yang,Luyao Peng,Xiangyun Tang,Yu Weng

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics60724.2023.00072

2024-01-01

Abstract:Federated Learning(FL) is a promising distributed learning architecture. However, it faces significant threats from malicious attacks, including adversarial samples and backdoor attacks. Although some work has proposed defences against these two types of attacks, there are already attacks that combine the two, known as synergetic attacks. This synergetic attack typically uses adversarial samples to create triggers and then implants a trojan into the global model via a backdoor attack. which has not been defended by previous single defence strategies and has not received any attention. To the best of our knowledge, we are the first to focus on this type of synergistic attacks in FL. To address this issue, we propose MATFL, which introduces majority aggregation into the adversarial learning framework. We conduct extensive experiments to analyze the effectiveness and aggregation efficiency of MATFL considering five defense methods across four attack scenarios. The results demonstrate that our MATFL can effectively defend against synergetic attacks while striking a balance between defence effectiveness, global model accuracy, and aggregation efficiency.

Qilei Li,Ahmed M. Abdelmoniem

2024-08-17

Abstract:Federated Learning (FL) is a distributed machine learning diagram that enables multiple clients to collaboratively train a global model without sharing their private local data. However, FL systems are vulnerable to attacks that are happening in malicious clients through data poisoning and model poisoning, which can deteriorate the performance of aggregated global model. Existing defense methods typically focus on mitigating specific types of poisoning and are often ineffective against unseen types of attack. These methods also assume an attack happened moderately while is not always holds true in real. Consequently, these methods can significantly fail in terms of accuracy and robustness when detecting and addressing updates from attacked malicious clients. To overcome these challenges, in this work, we propose a simple yet effective framework to detect malicious clients, namely Confidence-Aware Defense (CAD), that utilizes the confidence scores of local models as criteria to evaluate the reliability of local updates. Our key insight is that malicious attacks, regardless of attack type, will cause the model to deviate from its previous state, thus leading to increased uncertainty when making predictions. Therefore, CAD is comprehensively effective for both model poisoning and data poisoning attacks by accurately identifying and mitigating potential malicious updates, even under varying degrees of attacks and data heterogeneity. Experimental results demonstrate that our method significantly enhances the robustness of FL systems against various types of attacks across various scenarios by achieving higher model accuracy and stability.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition,Distributed, Parallel, and Cluster Computing

Shanshan Han,Baturalp Buyukates,Zijian Hu,Han Jin,Weizhao Jin,Lichao Sun,Xiaoyang Wang,Wenxuan Wu,Chulin Xie,Yuhang Yao,Kai Zhang,Qifan Zhang,Yuhui Zhang,Carlee Joe-Wong,Salman Avestimehr,Chaoyang He

2024-06-21

Abstract:This paper introduces FedSecurity, an end-to-end benchmark that serves as a supplementary component of the FedML library for simulating adversarial attacks and corresponding defense mechanisms in Federated Learning (FL). FedSecurity eliminates the need for implementing the fundamental FL procedures, e.g., FL training and data loading, from scratch, thus enables users to focus on developing their own attack and defense strategies. It contains two key components, including FedAttacker that conducts a variety of attacks during FL training, and FedDefender that implements defensive mechanisms to counteract these attacks. FedSecurity has the following features: i) It offers extensive customization options to accommodate a broad range of machine learning models (e.g., Logistic Regression, ResNet, and GAN) and FL optimizers (e.g., FedAVG, FedOPT, and FedNOVA); ii) it enables exploring the effectiveness of attacks and defenses across different datasets and models; and iii) it supports flexible configuration and customization through a configuration file and some APIs. We further demonstrate FedSecurity's utility and adaptability through federated training of Large Language Models (LLMs) to showcase its potential on a wide range of complex applications.

Cryptography and Security,Artificial Intelligence

Shanshan Han,Baturalp Buyukates,Zijian Hu,Han Jin,Weizhao Jin,Lichao Sun,Xiaoyang Wang,Wenxuan Wu,Chulin Xie,Yuhang Yao,Kai Zhang,Qifan Zhang,Yuhui Zhang,Carlee Joe-Wong,Salman Avestimehr,Chaoyang He

DOI: https://doi.org/10.1145/3637528.3671545

2024-01-01

Abstract:This paper introduces FedSecurity, an end-to-end benchmark that serves as asupplementary component of the FedML library for simulating adversarial attacksand corresponding defense mechanisms in Federated Learning (FL). FedSecurityeliminates the need for implementing the fundamental FL procedures, e.g., FLtraining and data loading, from scratch, thus enables users to focus ondeveloping their own attack and defense strategies. It contains two keycomponents, including FedAttacker that conducts a variety of attacks during FLtraining, and FedDefender that implements defensive mechanisms to counteractthese attacks. FedSecurity has the following features: i) It offers extensivecustomization options to accommodate a broad range of machine learning models(e.g., Logistic Regression, ResNet, and GAN) and FL optimizers (e.g., FedAVG,FedOPT, and FedNOVA); ii) it enables exploring the effectiveness of attacks anddefenses across different datasets and models; and iii) it supports flexibleconfiguration and customization through a configuration file and some APIs. Wefurther demonstrate FedSecurity's utility and adaptability through federatedtraining of Large Language Models (LLMs) to showcase its potential on a widerange of complex applications.

Yu Fu,Wen Xiao,Jia Chen,Jiachen Li,Evangelos Papalexakis,Aichi Chien,Yue Dong

2024-05-24

Abstract:Recent studies reveal that Large Language Models (LLMs) face challenges in balancing safety with utility, particularly when processing long texts for NLP tasks like summarization and translation. Despite defenses against malicious short questions, the ability of LLMs to safely handle dangerous long content, such as manuals teaching illicit activities, remains unclear. Our work aims to develop robust defenses for LLMs in processing malicious documents alongside benign NLP task queries. We introduce a defense dataset comprised of safety-related examples and propose single-task and mixed-task losses for instruction tuning. Our empirical results demonstrate that LLMs can significantly enhance their capacity to safely manage dangerous content with appropriate instruction tuning. Additionally, strengthening the defenses of tasks most susceptible to misuse is effective in protecting LLMs against processing harmful information. We also observe that trade-offs between utility and safety exist in defense strategies, where Llama2, utilizing our proposed approach, displays a significantly better balance compared to Llama1.

Computation and Language,Cryptography and Security

Yao Qiang,Xiangyu Zhou,Saleh Zare Zade,Mohammad Amin Roshani,Prashant Khanduri,Douglas Zytko,Dongxiao Zhu

2024-10-23

Abstract:The advent of Large Language Models (LLMs) has marked significant achievements in language processing and reasoning capabilities. Despite their advancements, LLMs face vulnerabilities to data poisoning attacks, where adversaries insert backdoor triggers into training data to manipulate outputs for malicious purposes. This work further identifies additional security risks in LLMs by designing a new data poisoning attack tailored to exploit the instruction tuning process. We propose a novel gradient-guided backdoor trigger learning (GBTL) algorithm to identify adversarial triggers efficiently, ensuring an evasion of detection by conventional defenses while maintaining content integrity. Through experimental validation across various tasks, including sentiment analysis, domain generation, and question answering, our poisoning strategy demonstrates a high success rate in compromising various LLMs' outputs. We further propose two defense strategies against data poisoning attacks, including in-context learning (ICL) and continuous learning (CL), which effectively rectify the behavior of LLMs and significantly reduce the decline in performance. Our work highlights the significant security risks present during the instruction tuning of LLMs and emphasizes the necessity of safeguarding LLMs against data poisoning attacks.

Machine Learning,Computation and Language,Cryptography and Security

Jianyi Zhang,Saeed Vahidian,Martin Kuo,Chunyuan Li,Ruiyi Zhang,Tong Yu,Yufan Zhou,Guoyin Wang,Yiran Chen

2024-01-30

Abstract:While "instruction-tuned" generative large language models (LLMs) have demonstrated an impressive ability to generalize to new tasks, the training phases heavily rely on large amounts of diverse and high-quality instruction data (such as ChatGPT and GPT-4). Unfortunately, acquiring high-quality data, especially when it comes to human-written data, can pose significant challenges both in terms of cost and accessibility. Moreover, concerns related to privacy can further limit access to such data, making the process of obtaining it a complex and nuanced undertaking. Consequently, this hinders the generality of the tuned models and may restrict their effectiveness in certain contexts. To tackle this issue, our study introduces a new approach called Federated Instruction Tuning (FedIT), which leverages federated learning (FL) as the learning framework for the instruction tuning of LLMs. This marks the first exploration of FL-based instruction tuning for LLMs. This is especially important since text data is predominantly generated by end users. Therefore, it is imperative to design and adapt FL approaches to effectively leverage these users' diverse instructions stored on local devices, while preserving privacy and ensuring data security. In the current paper, by conducting widely used GPT-4 auto-evaluation, we demonstrate that by exploiting the heterogeneous and diverse sets of instructions on the client's end with the proposed framework FedIT, we improved the performance of LLMs compared to centralized training with only limited local instructions. Further, in this paper, we developed a Github repository named Shepherd. This repository offers a foundational framework for exploring federated fine-tuning of LLMs using heterogeneous instructions across diverse categories.

Computation and Language,Distributed, Parallel, and Cluster Computing,Systems and Control

Qi Guo,Di Wu,Yong Qi,Saiyu Qi,Qian Li

DOI: https://doi.org/10.1007/978-3-031-17143-7_20

2022-01-01

Abstract:Federated Learning (FL) is vulnerable to model poisoning attacks that hurt the joint training global model by sending malicious updates. Existing defenses rely heavily on restrictions on clients' model updates to defend against attacks. However, the global model can be attacked by elaborate malicious perturbation under defensive restriction due to the sensitivity of the model to perturbations, which leads the model to be vulnerable. Therefore, in this work, we investigate the defense against attacks from a novel perspective of the model stability towards perturbation on parameters. We propose a new method named Federated Learning with Model Jacobian Regularization (FLMJR) to enhance the robustness of FL. Considering prediction volatility of the model is determined by the model-output Jacobian, we reduce the Jacobian regularization to improve model stability towards model perturbations while maintaining the model's accuracy. We conduct extensive experiments under both IID and NonIID settings to evaluate the defense against state-of-the-art model poisoning attacks, which demonstrates that our method not only has superior fidelity and robustness, but can also be easily integrated to further improve the robustness of existing server-based robust aggregation approaches (e.g., Fedavg, Trimean, Median, Bulyan, and FLTrust).

Shenghui Li,Edith C.-H. Ngai,Fanghua Ye,Thiemo Voigt

2024-11-29

Abstract:Federated Parameter-Efficient Fine-Tuning (FedPEFT) has emerged as a promising paradigm for privacy-preserving and efficient adaptation of Pre-trained Language Models (PLMs) in Federated Learning (FL) settings. It preserves data privacy by keeping the data decentralized and training the model on local devices, ensuring that raw data never leaves the user's device. Moreover, the integration of PEFT methods such as LoRA significantly reduces the number of trainable parameters compared to fine-tuning the entire model, thereby minimizing communication costs and computational overhead. Despite its potential, the security implications of FedPEFT remain underexplored. This paper introduces a novel security threat to FedPEFT, termed PEFT-as-an-Attack (PaaA), which exposes how PEFT can be exploited as an attack vector to circumvent PLMs' safety alignment and generate harmful content in response to malicious prompts. Our evaluation of PaaA reveals that with less than 1% of the model's parameters set as trainable, and a small subset of clients acting maliciously, the attack achieves an approximate 80% attack success rate using representative PEFT methods such as LoRA. To mitigate this threat, we further investigate potential defense strategies, including Robust Aggregation Schemes (RASs) and Post-PEFT Safety Alignment (PPSA). However, our empirical analysis highlights the limitations of these defenses, i.e., even the most advanced RASs, such as DnC and ClippedClustering, struggle to defend against PaaA in scenarios with highly heterogeneous data distributions. Similarly, while PPSA can reduce attack success rates to below 10%, it severely degrades the model's accuracy on the target task. Our results underscore the urgent need for more effective defense mechanisms that simultaneously ensure security and maintain the performance of the FedPEFT paradigm.

Cryptography and Security,Artificial Intelligence

Xin Yi,Shunfan Zheng,Linlin Wang,Xiaoling Wang,Liang He

2024-05-15

Abstract:The current safeguard mechanisms for large language models (LLMs) are indeed susceptible to jailbreak attacks, making them inherently fragile. Even the process of fine-tuning on apparently benign data for downstream tasks can jeopardize safety. One potential solution is to conduct safety fine-tuning subsequent to downstream fine-tuning. However, there's a risk of catastrophic forgetting during safety fine-tuning, where LLMs may regain safety measures but lose the task-specific knowledge acquired during downstream fine-tuning. In this paper, we introduce a safety realignment framework through subspace-oriented model fusion (SOMF), aiming to combine the safeguard capabilities of initially aligned model and the current fine-tuned model into a realigned model. Our approach begins by disentangling all task vectors from the weights of each fine-tuned model. We then identify safety-related regions within these vectors by subspace masking techniques. Finally, we explore the fusion of the initial safely aligned LLM with all task vectors based on the identified safety subspace. We validate that our safety realignment framework satisfies the safety requirements of a single fine-tuned model as well as multiple models during their fusion. Our findings confirm that SOMF preserves safety without notably compromising performance on downstream tasks, including instruction following in Chinese, English, and Hindi, as well as problem-solving capabilities in Code and Math.

Computation and Language

Vale Tolpegin,Stacey Truex,Mehmet Emre Gursoy,Ling Liu

DOI: https://doi.org/10.1007/978-3-030-58951-6_24

2020-01-01

Abstract:Federated learning (FL) is an emerging paradigm for distributed training of large-scale deep neural networks in which participants’ data remains on their own devices with only model updates being shared with a central server. However, the distributed nature of FL gives rise to new threats caused by potentially malicious participants. In this paper, we study targeted data poisoning attacks against FL systems in which a malicious subset of the participants aim to poison the global model by sending model updates derived from mislabeled data. We first demonstrate that such data poisoning attacks can cause substantial drops in classification accuracy and recall, even with a small percentage of malicious participants. We additionally show that the attacks can be targeted, i.e., they have a large negative impact only on classes that are under attack. We also study attack longevity in early/late round training, the impact of malicious participant availability, and the relationships between the two. Finally, we propose a defense strategy that can help identify malicious participants in FL to circumvent poisoning attacks, and demonstrate its effectiveness.

Gaolei Li,Jun Wu,Shenghong Li,Wu Yang,Changlian Li

DOI: https://doi.org/10.1109/tii.2022.3173996

IF: 12.3

2022-12-17

IEEE Transactions on Industrial Informatics

Abstract:Software-defined industrial Internet of things (SD-IIoT) exploits federated learning to process the sensitive data at edges, while adaptive poisoning attacks threat the security of SD-IIoT. To address this problem, this article proposes a multi-tentacle federated learning (MTFL) framework, which is essential to guarantee the trustness of training data in SD-IIoT. In MTFL, participants with similar learning tasks are assigned to the same tentacle group. To identify adaptive poisoning attacks, a tentacle distribution-based efficient poisoning attack detection (TD-EPAD) algorithm is presented. And also, to minimize the impact of adaptive poisoning data, a stochastic tentacle data exchanging (STDE) protocol is also proposed. Simultaneously, to protect the tentacle's privacy in STDE, all exchanged data will be processed by differential privacy technology. A MTFL prototype system is implemented, which provides extensive ablation experiments and comparison experiments, demonstrating that the accuracy of the global model under attack scenario can be improved with 40%.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial