A Learning-Based Attack Framework to Break SOTA Poisoning Defenses in Federated Learning

Yuxin Yang, Qiang Li, Chenfei Nie, Yuan Hong, Meng Pang, Binghui Wang
2024-07-25
Abstract: Federated Learning (FL) is a novel client-server distributed learning framework that can protect data privacy. However, recent works show that FL is vulnerable to poisoning attacks. Many defenses with robust aggregators (AGRs) have been proposed to mitigate the issue, but they are all broken by advanced attacks. Very recently, some renewed robust AGRs have been designed, typically with novel clipping and/or filtering strategies, and they show promising defense performance against the advanced poisoning attacks. In this paper, we show that these novel robust AGRs are also vulnerable to carefully designed poisoning attacks. Specifically, we observe that breaking these robust AGRs reduces to bypassing the clipping and/or filtering of malicious clients, and propose an optimization-based attack framework to leverage this observation. Under the framework, we then design a customized attack against each robust AGR. Extensive experiments on multiple datasets and threat models verify that our proposed optimization-based attack can break the SOTA AGRs. We hence call for novel defenses against poisoning attacks to FL. Code is available at: https://github.com/Yuxin104/BreakSTOAPoisoningDefenses
Cryptography and Security
What problem does this paper attempt to address?
The problem this paper attempts to solve is: **existing state-of-the-art (SOTA) robust aggregation algorithms (AGRs) in federated learning (FL) are still vulnerable to well-designed poisoning attacks**. Although these AGRs adopt new clipping or filtering strategies to resist advanced poisoning attacks, the authors find that they can still be bypassed. Specifically, the paper points out:

1. **Vulnerability of existing defense mechanisms**: Although some of the latest AGRs (such as FLAME, MDAM, FLDetector and CC) perform well against advanced poisoning attacks, they can still be broken by well-designed attacks.
2. **Core issue of the attack**: The authors observe that the key to breaking these robust AGRs is to enable malicious clients to bypass their clipping or filtering mechanisms. To this end, they propose an optimization-based attack framework: by adjusting the malicious gradients to satisfy the constraints imposed by the AGRs, these defense mechanisms are bypassed.

### Main contributions of the paper:

- **Revealing the vulnerability of existing AGRs**: It shows that even the current state-of-the-art AGRs cannot fully resist well-designed poisoning attacks.
- **Proposing an optimization-based attack framework**: This framework generates malicious gradients that bypass existing AGRs and is applicable to multiple attack scenarios (including targeted and untargeted attacks).
- **Extensive experimental verification**: Through experiments on multiple datasets and threat models, the effectiveness of the proposed attack framework is verified.

### Specific methods of the attack:

- **Attacks against FLAME, MDAM and FLDetector**: By adjusting the malicious gradients so that they are neither clipped nor filtered out.
- **Attacks against CC and its variants**: By constructing malicious gradients of a specific length to bypass the centered clipping.
In conclusion, this paper aims to reveal that the current robust aggregation algorithms in federated learning still have security vulnerabilities, demonstrates this by proposing a general-purpose attack framework, and calls on the research community to develop stronger defense mechanisms.