Xueluan Gong,Yanjiao Chen,Qian Wang,Weihan Kong

DOI: https://doi.org/10.1109/mwc.017.2100714

IF: 12.777

2023-01-01

IEEE Wireless Communications

Abstract:The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.

Yongkang Wang,Dihua Zhai,Yufeng Zhan,Yuanqing Xia

DOI: https://doi.org/10.48550/arxiv.2201.03772

2022-01-01

Abstract: Federated learning (FL) is a distributed machine learning paradigm where enormous scattered clients (e.g. mobile devices or IoT devices) collaboratively train a model under the orchestration of a central server (e.g. service provider), while keeping the training data decentralized. Unfortunately, FL is susceptible to a variety of attacks, including backdoor attack, which is made substantially worse in the presence of malicious attackers. Most of algorithms usually assume that the malicious at tackers no more than benign clients or the data distribution is independent identically distribution (IID). However, no one knows the number of malicious attackers and the data distribution is usually non identically distribution (Non-IID). In this paper, we propose RFLBAT which utilizes principal component analysis (PCA) technique and Kmeans clustering algorithm to defend against backdoor attack. Our algorithm RFLBAT does not bound the number of backdoored attackers and the data distribution, and requires no auxiliary information outside of the learning process. We conduct extensive experiments including a variety of backdoor attack types. Experimental results demonstrate that RFLBAT outperforms the existing state-of-the-art algorithms and is able to resist various backdoor attack scenarios including different number of attackers (DNA), different Non-IID scenarios (DNS), different number of clients (DNC) and distributed backdoor attack (DBA).

Yongkang Wang,Di-Hua Zhai,Yuanqing Xia

DOI: https://doi.org/10.1016/j.knosys.2024.111660

IF: 8.139

2024-03-21

Knowledge-Based Systems

Abstract:Federated learning (FL) is vulnerable to backdoor attacks, which aim to cause the misclassification on samples with a specific backdoor. Most existing algorithms are restricted by some conditions, such as the data distribution across the joint clients, the number of attackers and some auxiliary information, thereby being limited in the practical FL. In this paper, we propose RoPE containing three parts: using principal component analysis to extract the important features of model gradients; leveraging expectation–maximization to separate malicious clients from benign ones in accordance to the important features; removing the potential malicious gradients within the selected cluster with Isolated Forest. RoPE requires no restricted assumptions during the training process. We evaluate the performance of RoPE on three image classification tasks under non-independent and identically distributed scenario (non-iid) against centralized backdoor attacks with various ratios of attackers and distributed backdoor attacks, respectively. We also evaluate the performance of RoPE against other backdoor attack scenarios, including independent and identically distributed (iid) scheme, elaborately designed attack schemes. The results show that RoPE can defend against these backdoor attacks and outperform the existing algorithms. In addition, we also explore the impact of different numbers of features on RoPE's performance and conduct ablation experiments.

computer science, artificial intelligence

Chulin Xie,Minghao Chen,Pin-Yu Chen,Bo Li

DOI: https://doi.org/10.48550/arXiv.2106.08283

2021-06-16

Abstract:Federated Learning (FL) as a distributed learning paradigm that aggregates information from diverse clients to train a shared global model, has demonstrated great success. However, malicious clients can perform poisoning attacks and model replacement to introduce backdoors into the trained global model. Although there have been intensive studies designing robust aggregation methods and empirical robust federated training protocols against backdoors, existing approaches lack robustness certification. This paper provides the first general framework, Certifiably Robust Federated Learning (CRFL), to train certifiably robust FL models against backdoors. Our method exploits clipping and smoothing on model parameters to control the global model smoothness, which yields a sample-wise robustness certification on backdoors with limited magnitude. Our certification also specifies the relation to federated learning parameters, such as poisoning ratio on instance level, number of attackers, and training iterations. Practically, we conduct comprehensive experiments across a range of federated datasets, and provide the first benchmark for certified robustness against backdoor attacks in federated learning. Our code is available at <a class="link-external link-https" href="https://github.com/AI-secure/CRFL" rel="external noopener nofollow">this https URL</a>.

Machine Learning

Xu Dai,Dan Li,Haotong Han,Erfu Wang

DOI: https://doi.org/10.1109/JCICE61382.2024.00041

2024-05-10

Abstract:The widespread adoption of deep learning has led to recurring data security issues. Consequently, there is an even greater need to preserve data privacy, resulting in data becoming increasingly challenging to share and creating what are often referred to as ‘data islands’, which FL effectively addresses. FL, a new deep learning paradigm, enables collaborative model training across multiple terminals distributively, facilitating data sharing and machine learning modeling while ensuring robust data privacy protection. Individual client could be backdoor attacked by poisoning the data. This paper introduces a robust defense method for backdoor attacks based on reverse trigger engineering, model hardening, and attention distillation mechanisms. In this paper, we conduct a lot of experiments on different classical datasets with different settings, and the results demonstrates that the proposed strategy improve robustness by reducing the attack success rate while preserving main task accuracy.

Computer Science

Mustafa Safa Ozdayi,Murat Kantarcioglu,Yulia R. Gel

DOI: https://doi.org/10.48550/arXiv.2007.03767

2021-07-30

Abstract:Federated learning (FL) allows a set of agents to collaboratively train a model without sharing their potentially sensitive data. This makes FL suitable for privacy-preserving applications. At the same time, FL is susceptible to adversarial attacks due to decentralized and unvetted data. One important line of attacks against FL is the backdoor attacks. In a backdoor attack, an adversary tries to embed a backdoor functionality to the model during training that can later be activated to cause a desired misclassification. To prevent backdoor attacks, we propose a lightweight defense that requires minimal change to the FL protocol. At a high level, our defense is based on carefully adjusting the aggregation server's learning rate, per dimension and per round, based on the sign information of agents' updates. We first conjecture the necessary steps to carry a successful backdoor attack in FL setting, and then, explicitly formulate the defense based on our conjecture. Through experiments, we provide empirical evidence that supports our conjecture, and we test our defense against backdoor attacks under different settings. We observe that either backdoor is completely eliminated, or its accuracy is significantly reduced. Overall, our experiments suggest that our defense significantly outperforms some of the recently proposed defenses in the literature. We achieve this by having minimal influence over the accuracy of the trained models. In addition, we also provide convergence rate analysis for our proposed scheme.

Machine Learning,Cryptography and Security

Zeyu Qin,Liuyi Yao,Daoyuan Chen,Yaliang Li,Bolin Ding,Minhao Cheng

2023-06-05

Abstract:In this work, besides improving prediction accuracy, we study whether personalization could bring robustness benefits to backdoor attacks. We conduct the first study of backdoor attacks in the pFL framework, testing 4 widely used backdoor attacks against 6 pFL methods on benchmark datasets FEMNIST and CIFAR-10, a total of 600 experiments. The study shows that pFL methods with partial model-sharing can significantly boost robustness against backdoor attacks. In contrast, pFL methods with full model-sharing do not show robustness. To analyze the reasons for varying robustness performances, we provide comprehensive ablation studies on different pFL methods. Based on our findings, we further propose a lightweight defense method, Simple-Tuning, which empirically improves defense performance against backdoor attacks. We believe that our work could provide both guidance for pFL application in terms of its robustness and offer valuable insights to design more robust FL methods in the future. We open-source our code to establish the first benchmark for black-box backdoor attacks in pFL: <a class="link-external link-https" href="https://github.com/alibaba/FederatedScope/tree/backdoor-bench" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security

Zekai Chen,Fuyi Wang,Zhiwei Zheng,Ximeng Liu,Yujie Lin

2023-07-01

Abstract:Federated learning (FL) enables multiple clients to collaboratively train deep learning models while considering sensitive local datasets' privacy. However, adversaries can manipulate datasets and upload models by injecting triggers for federated backdoor attacks (FBA). Existing defense strategies against FBA consider specific and limited attacker models, and a sufficient amount of noise to be injected only mitigates rather than eliminates FBA. To address these deficiencies, we introduce a Flexible Federated Backdoor Defense Framework (Fedward) to ensure the elimination of adversarial backdoors. We decompose FBA into various attacks, and design amplified magnitude sparsification (AmGrad) and adaptive OPTICS clustering (AutoOPTICS) to address each attack. Meanwhile, Fedward uses the adaptive clipping method by regarding the number of samples in the benign group as constraints on the boundary. This ensures that Fedward can maintain the performance for the Non-IID scenario. We conduct experimental evaluations over three benchmark datasets and thoroughly compare them to state-of-the-art studies. The results demonstrate the promising defense performance from Fedward, moderately improved by 33% $\sim$ 75 in clustering defense methods, and 96.98%, 90.74%, and 89.8% for Non-IID to the utmost extent for the average FBA success rate over MNIST, FMNIST, and CIFAR10, respectively.

Machine Learning,Cryptography and Security

Jingxuan Zhou,Zhengyi Zhong,Ji Wang,Xiongtao Zhang,Fuxu Chen,Chun Yan

DOI: https://doi.org/10.1109/BigDIA53151.2021.9619731

2021-01-01

Abstract:Federated learning(FL), one of the most popular distributed machine learning algorithms, allows participants to collaborate on updating models without sharing local data. At the same time, FL is vulnerable to malicious attacks due to the secrecy of the data. Backdoor attacks, as one of many malicious attacks, attempt to add a backdoor to the global model, which will lead to misclassification after...

Chenghui Shi,Shouling Ji,Xudong Pan,Xuhong Zhang,Mi Zhang,Min Yang,Jun Zhou,Jianwei Yin,Ting Wang

DOI: https://doi.org/10.1109/tdsc.2024.3376790

2024-01-01

Abstract:Federated Learning (FL) is nowadays one of the most promising paradigms for privacy-preserving distributed learning. Without revealing its local private data to outsiders, a client in FL systems collaborates to build a global Deep Neural Network (DNN) by submitting its local model parameter update to a central server for iterative aggregation. With secure multi-party computation protocols, the submitted update of any client is also by design invisible to the server. Seemingly, this standard design is a win-win for client privacy and service provider utility. Ironically, any attacker may also use manipulated or impersonated client to submit almost any attack payloads under the umbrella of the FL protocol itself. In this work, we craft a practical backdoor attack on FL systems that is proved to be simultaneously effective and stealthy on diverse use cases of FL systems and leading commercial FL platforms in the real world. Basically, we first identify a small number of redundant neurons which tend to be rarely or slightly updated in the model, and then inject backdoor into these redundant neurons instead of the whole model. In this way, our backdoor attack can achieve a high attack success rate with a minor impact on the accuracy of the original task. As countermeasures, we further consider several common technical choices including robust aggregation mechanisms, differential privacy mechanism,s and network pruning. However, none of the defenses show desirable defense capability against our backdoor attack. Our results strongly highlight the vulnerability of existing FL systems against backdoor attacks and the urgent need to develop more effective defense mechanisms.

Pei Fang,Jinghui Chen

DOI: https://doi.org/10.48550/arXiv.2301.08170

2023-01-20

Abstract:Federated Learning (FL) is a popular distributed machine learning paradigm that enables jointly training a global model without sharing clients' data. However, its repetitive server-client communication gives room for backdoor attacks with aim to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack method for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.

Machine Learning,Artificial Intelligence,Cryptography and Security

Hui Zeng,Tongqing Zhou,Xinyi Wu,Zhiping Cai

DOI: https://doi.org/10.1109/srds55811.2022.00017

2022-01-01

Abstract:The privacy-preserving nature of Federated Learning (FL) exposes such a distributed learning paradigm to the planting of backdoors with locally corrupted data. We discover that FL backdoors, under a new on-off multi-shot attack form, are essentially stealthy against existing defenses that are built on model statistics and spectral analysis. First-hand observations of such attacks show that the backdoored models are indistinguishable from normal ones w.r.t. both low-level and high-level representations. We thus emphasize that a critical redemption, if not the only, for the tricky stealthiness is reactive tracing and posterior mitigation. A three-step remedy framework is then proposed by exploring the temporal and inferential correlations of models on a trapped sample from an attack. In particular, we use shift ensemble detection and co-occurrence analysis for adversary identification, and repair the model via malicious ingredients removal under theoretical error guarantee. Extensive experiments on various backdoor settings demonstrate that our framework can achieve accuracy on attack round identification of ∼80% and on attackers of ∼50%, which are ∼28.76% better than existing proactive defenses. Meanwhile, it can successfully eliminate the influence of backdoors with only a 5%∼6% performance drop.

Yihang Lin,Pengyuan Zhou,Zhiqian Wu,Yong Liao

2023-12-18

Abstract:Federated learning allows clients to collaboratively train a global model without uploading raw data for privacy preservation. This feature, i.e., the inability to review participants' datasets, has recently been found responsible for federated learning's vulnerability in the face of backdoor attacks. Existing defense methods fall short from two perspectives: 1) they consider only very specific and limited attacker models and unable to cope with advanced backdoor attacks, such as distributed backdoor attacks, which break down the global trigger into multiple distributed triggers. 2) they conduct detection based on model granularity thus the performance gets impacted by the model dimension. To address these challenges, we propose Federated Layer Detection (FLD), a novel model filtering approach for effectively defending against backdoor attacks. FLD examines the models based on layer granularity to capture the complete model details and effectively detect potential backdoor models regardless of model dimension. We provide theoretical analysis and proof for the convergence of FLD. Extensive experiments demonstrate that FLD effectively mitigates state-of-the-art backdoor attacks with negligible impact on the accuracy of the primary task.

Machine Learning,Cryptography and Security

Hongyun Cai,Jiahao Wang,Lijing Gao,Fengyu Li

DOI: https://doi.org/10.1016/j.knosys.2024.111511

IF: 8.139

2024-04-01

Knowledge-Based Systems

Abstract:Federated learning (FL) is susceptible to backdoor attacks, where malicious model updates are covertly inserted into the model’s aggregation process, which can result in inaccurate predictions for certain inputs, compromising the integrity of FL. Existing defenses, which aim to identify and remove potentially poisoned model updates, may incorrectly exclude model updates from benign clients with heterogeneous data even in the absence of an attack, compromising the model’s usability and resulting in unfair treatment of these benign clients. For defense approaches that utilize adaptive model parameter clipping and noise injection, the continuous injection of noise also considerably deteriorates the model’s usability. To address the aforementioned issues, a novel defense named FLMAAcBD ( F ederated L earning M odel A nomalous Ac tivation B ehavior D etection) is proposed, which adopts a backdoor anomaly detection module for the global model and a backdoor removal module for potentially malicious model updates to defend against backdoor attacks. Extensive experiments on three datasets validate that FLMAAcBD can defend against various backdoor attacks. Moreover, compared with the baseline methods, FLMAAcBD has less impact on the model’s usability.

computer science, artificial intelligence

Ye Liu,Shan Chang,Denghui Li,Shaohuai Shi,Bo Li

DOI: https://doi.org/10.1109/mnet.2024.3486228

IF: 10.294

2024-01-01

IEEE Network

Abstract:Federated Learning (FL) enables privacy-preserving collaborative training and builds a federation through exchanges of immutable data such as model parameters or gradient updates. FL remains vulnerable to a variety of attacks during critical processes like local model training and parameter transmission, in which the backdoor attack is particularly evident. In this paper, we propose a novel backdoor data poisoning attack method, RoPe-Door, using a trigger generation algorithm to improve the robustness and persistence of attacks even under Byzantine aggregation methods. We conduct extensive experiments on four image classification tasks to evaluate the effectiveness of RoPe-Door. The experimental results demonstrate that, compared to backdoor attacks using random triggers, RoPe-Door exhibits significant advantages in robustness, persistence, and attack effectiveness under both IID and Non-IID data settings.

Yinbin Miao,Rongpeng Xie,Xinghua Li,Zhiquan Liu,Kim-Kwang Raymond Choo,Robert H. Deng

DOI: https://doi.org/10.1109/tdsc.2024.3354736

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Due to the powerful representation ability and superior performance of Deep Neural Networks (DNN), Federated Learning (FL) based on DNN has attracted much attention from both academic and industrial fields. However, its transmitted plaintext data causes privacy disclosure. FL based on Local Differential Privacy (LDP) solutions can provide privacy protection to a certain extent, but these solutions still cannot achieve adaptive perturbation in DNN model. In addition, this kind of schemes cause high communication overheads due to the curse of dimensionality of DNN, and are naturally vulnerable to backdoor attacks due to the inherent distributed characteristic. To solve these issues, we propose an Efficient and Secure Federated Learning scheme (ESFL) against backdoor attacks by using adaptive LDP and compressive sensing. Formal security analysis proves that ESFL satisfies $\epsilon$-LDP security. Extensive experiments using three datasets demonstrate that ESFL can solve the problems of traditional LDP-based FL schemes without a loss of model accuracy and efficiently resist the backdoor attacks.

computer science, information systems, software engineering, hardware & architecture

Tao Liu,Wu Yang,Chen Xu,Jiguang Lv,Huanran Wang,Yuhang Zhang,Shuchun Xu,Dapeng Man

2024-11-06

Abstract:Federated learning, a novel paradigm designed to protect data privacy, is vulnerable to backdoor attacks due to its distributed nature. Current research often designs attacks based on a single attacker with a single backdoor, overlooking more realistic and complex threats in federated learning. We propose a more practical threat model for federated learning: the distributed multi-target backdoor. In this model, multiple attackers control different clients, embedding various triggers and targeting different classes, collaboratively implanting backdoors into the global model via central aggregation. Empirical validation shows that existing methods struggle to maintain the effectiveness of multiple backdoors in the global model. Our key insight is that similar backdoor triggers cause parameter conflicts and injecting new backdoors disrupts gradient directions, significantly weakening some backdoors performance. To solve this, we propose a Distributed Multi-Target Backdoor Attack (DMBA), ensuring efficiency and persistence of backdoors from different malicious clients. To avoid parameter conflicts, we design a multi-channel dispersed frequency trigger strategy to maximize trigger differences. To mitigate gradient interference, we introduce backdoor replay in local training to neutralize conflicting gradients. Extensive validation shows that 30 rounds after the attack, Attack Success Rates of three different backdoors from various clients remain above 93%. The code will be made publicly available after the review period.

Computer Vision and Pattern Recognition

Yongkang Wang,Di-Hua Zhai,Yuanqing Xia

DOI: https://doi.org/10.1016/j.cose.2023.103414

IF: 5.105

2023-01-01

Computers & Security

Abstract:Federated learning (FL) is a distributed machine learning paradigm that enables scattered clients to collaboratively train a shared global model. FL is suitable for privacy-preserving applications due to keeping the training data decentralized. However, FL is susceptible to backdoor attacks which attempt to embed backdoor triggers into the global model during the training process, and later activate them to cause a desired misclassification. In this paper, to effectively defend against backdoor attacks in the FL system, we propose SCFL including three parts: first, the Singular Value Decomposition (SVD) technique is used to extract the significant features of model updates; second, the k-means clustering algorithm is used to cluster the significant features; finally, cosine similarity is used to measure the distance between two model updates and the optimal clients are selected to aggregate the global model after clipping. Unlike most robust algorithms, SCFL does not limit the number of attackers to be less than that of benign clients, nor does restrict the data distribution among all clients to be independent and identically distributed (IID). Moreover, SCFL does not require any auxiliary information outside of the learning process. We conduct extensive experiments including various types of backdoor attacks. Experimental results demonstrate that SCFL can effectively defend against these backdoor attacks and outperform the existing state-of-the-art algorithms.

Yein Kim,Huili Chen,Farinaz Koushanfar

DOI: https://doi.org/10.48550/arXiv.2202.11196

2022-02-22

Abstract:The goal of federated learning (FL) is to train one global model by aggregating model parameters updated independently on edge devices without accessing users' private data. However, FL is susceptible to backdoor attacks where a small fraction of malicious agents inject a targeted misclassification behavior in the global model by uploading polluted model updates to the server. In this work, we propose DifFense, an automated defense framework to protect an FL system from backdoor attacks by leveraging differential testing and two-step MAD outlier detection, without requiring any previous knowledge of attack scenarios or direct access to local model parameters. We empirically show that our detection method prevents a various number of potential attackers while consistently achieving the convergence of the global model comparable to that trained under federated averaging (FedAvg). We further corroborate the effectiveness and generalizability of our method against prior defense techniques, such as Multi-Krum and coordinate-wise median aggregation. Our detection method reduces the average backdoor accuracy of the global model to below 4% and achieves a false negative rate of zero.

Cryptography and Security,Machine Learning

Yuxi Mi,Yiheng Sun,Jihong Guan,Shuigeng Zhou

2023-08-24

Abstract:Federated learning has seen increased adoption in recent years in response to the growing regulatory demand for data privacy. However, the opaque local training process of federated learning also sparks rising concerns about model faithfulness. For instance, studies have revealed that federated learning is vulnerable to backdoor attacks, whereby a compromised participant can stealthily modify the model's behavior in the presence of backdoor triggers. This paper proposes an effective defense against the attack by examining shared model updates. We begin with the observation that the embedding of backdoors influences the participants' local model weights in terms of the magnitude and orientation of their model gradients, which can manifest as distinguishable disparities. We enable a robust identification of backdoors by studying the statistical distribution of the models' subsets of gradients. Concretely, we first segment the model gradients into fragment vectors that represent small portions of model parameters. We then employ anomaly detection to locate the distributionally skewed fragments and prune the participants with the most outliers. We embody the findings in a novel defense method, ARIBA. We demonstrate through extensive analyses that our proposed methods effectively mitigate state-of-the-art backdoor attacks with minimal impact on task utility.

Artificial Intelligence