Shiyuan Zuo,Rongfei Fan,Han Hu,Ning Zhang,Shimin Gong

2023-08-21

Abstract:In this paper, we propose a robust aggregation method for federated learning (FL) that can effectively tackle malicious Byzantine attacks. At each user, model parameter is firstly updated by multiple steps, which is adjustable over iterations, and then pushed to the aggregation center directly. This decreases the number of interactions between the aggregation center and users, allows each user to set training parameter in a flexible way, and reduces computation burden compared with existing works that need to combine multiple historical model parameters. At the aggregation center, geometric median is leveraged to combine the received model parameters from each user. Rigorous proof shows that zero optimality gap is achieved by our proposed method with linear convergence, as long as the fraction of Byzantine attackers is below half. Numerical results verify the effectiveness of our proposed method.

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Krishna Pillutla,Sham M. Kakade,Zaid Harchaoui

DOI: https://doi.org/10.1109/TSP.2022.3153135

2022-01-17

Abstract:Federated learning is the centralized training of statistical models from decentralized data on mobile devices while preserving the privacy of each device. We present a robust aggregation approach to make federated learning robust to settings when a fraction of the devices may be sending corrupted updates to the server. The approach relies on a robust aggregation oracle based on the geometric median, which returns a robust aggregate using a constant number of iterations of a regular non-robust averaging oracle. The robust aggregation oracle is privacy-preserving, similar to the non-robust secure average oracle it builds upon. We establish its convergence for least squares estimation of additive models. We provide experimental results with linear models and deep networks for three tasks in computer vision and natural language processing. The robust aggregation approach is agnostic to the level of corruption; it outperforms the classical aggregation approach in terms of robustness when the level of corruption is high, while being competitive in the regime of low corruption. Two variants, a faster one with one-step robust aggregation and another one with on-device personalization, round off the paper.

Machine Learning,Cryptography and Security

Wei Wan,Shengshan Hu,Jianrong Lu,Leo Yu Zhang,Hai Jin,Yuanyuan He

DOI: https://doi.org/10.24963/ijcai.2022/106

2023-08-07

Abstract:Federated learning (FL) enables multiple clients to collaboratively train an accurate global model while protecting clients' data privacy. However, FL is susceptible to Byzantine attacks from malicious participants. Although the problem has gained significant attention, existing defenses have several flaws: the server irrationally chooses malicious clients for aggregation even after they have been detected in previous rounds; the defenses perform ineffectively against sybil attacks or in the heterogeneous data setting. To overcome these issues, we propose MAB-RFL, a new method for robust aggregation in FL. By modelling the client selection as an extended multi-armed bandit (MAB) problem, we propose an adaptive client selection strategy to choose honest clients that are more likely to contribute high-quality updates. We then propose two approaches to identify malicious updates from sybil and non-sybil attacks, based on which rewards for each client selection decision can be accurately evaluated to discourage malicious behaviors. MAB-RFL achieves a satisfying balance between exploration and exploitation on the potential benign clients. Extensive experimental results show that MAB-RFL outperforms existing defenses in three attack scenarios under different percentages of attackers.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Diego Cajaraville-Aboy,Ana Fernández-Vilas,Rebeca P. Díaz-Redondo,Manuel Fernández-Veiga

2024-09-26

Abstract:Federated Learning (FL) emerges as a distributed machine learning approach that addresses privacy concerns by training AI models locally on devices. Decentralized Federated Learning (DFL) extends the FL paradigm by eliminating the central server, thereby enhancing scalability and robustness through the avoidance of a single point of failure. However, DFL faces significant challenges in optimizing security, as most Byzantine-robust algorithms proposed in the literature are designed for centralized scenarios. In this paper, we present a novel Byzantine-robust aggregation algorithm to enhance the security of Decentralized Federated Learning environments, coined WFAgg. This proposal handles the adverse conditions and strength robustness of dynamic decentralized topologies at the same time by employing multiple filters to identify and mitigate Byzantine attacks. Experimental results demonstrate the effectiveness of the proposed algorithm in maintaining model accuracy and convergence in the presence of various Byzantine attack scenarios, outperforming state-of-the-art centralized Byzantine-robust aggregation schemes (such as Multi-Krum or Clustering). These algorithms are evaluated on an IID image classification problem in both centralized and decentralized scenarios.

Machine Learning,Artificial Intelligence

Jian Xu,Bing Guo,Fei Chen,Yan Shen,Shengxin Dai,Cheng Dai

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom59178.2023.00110

2023-01-01

Abstract:Nowadays, federated learning emerges as a new technique to preserve data privacy in distributed machine learning by limiting local data to the client and only aggregating model parameters from multiple parties on the server side. However, it also faces consequent threats from malicious clients, and some methods have been proposed without sufficient defense capability and efficient aggregation. To address these problems, we propose a novel aggregation algorithm, which incorporates PCA operation and clustering to select the excellent client in each round; and brings in a momentum-accelerated historical quality gradient-based approach to increase the weight when the performances of the global model are consistently degraded, which can achieve faster convergence on the basis of ensuring that the update direction of the global model is not manipulated by malicious nodes. Experimental results on the MNIST datasets show that our algorithm is only 0.93% lower than FedAvg under a no-attack scenario, and exhibits faster convergence compared to Krum, Multi-Krum, and Trimmed Mean Aggregation, and the accuracy improves 10.68%,35.83%,19.65% under Black-Box Edge Attack, Sign Flipping Attack, and Same Value Attack.

Wenrui Li,Hanlin Gu,Sheng Wan,Zhirong Lu,Wei Xi,Lixin Fan,Qiang Yang,Badong Chen

DOI: https://doi.org/10.1109/icdcs60910.2024.00086

2024-01-01

Abstract:Federated learning empowers privacy-preserving, multi-party secure model training without the necessity of sharing raw data. In recent years, knowledge distillation has emerged as a promising solution to address the significant challenge of model heterogeneity within federated learning. However, current research often overlooks the potential threats posed by Byzantine attacks, which can significantly compromise the security of federated distillation. Previous work on Byzantine attacks has been primarily focused on manipulating local gradients to compromise global model, lacking attacks on logits in knowledge distillation scenarios. In this paper, we introduce two innovative attacks, shedding light on the inherent risks in federated distillation. The proposed attacks include a top-k attack, which perturbs the top k values of logits in each column, and an impersonation attack, which emulates knowledge significantly deviating from the norm. To counter such attacks, we propose a robust aggregation strategy-FedTGD (Federated Top Guard Distillation), designed to ensure robust distillation with heterogeneous models. Specifically, FedTGD incorporates Density-Based Spatial Clustering of Applications with Noise (DBSCAN) and maximum cosine similarity on top-k values of logits to select benign knowledge. Experimental evaluations conducted on FEMNIST and CIFAR100 datasets, considering scenarios for both IID and Non-IID, reveal that top-k attack results in a substantial 27.16% accuracy reduction for FedMD. In contrast, our aggregation method shows a marginal 0.7% accuracy decrease under top-k attacks, outperforming state-of-the-art baselines.

Yongkang Wang,Yuanqing Xia,Yufeng Zhan

DOI: https://doi.org/10.1109/cac53003.2021.9727486

2021-01-01

Abstract:Federated learning is a distributed machine learning paradigm, where physically distributed computing nodes collaboratively train a global model. In federated learning, workers usually do not share training data with others, and thus some workers are malicious workers, who can change parameters (e.g., weights/gradients) in their models to degrade the global model’s training accuracy. This is generally called Byzantine attack. Existing solutions are either limited resistance to Byzantine attacks or not applicable to federated learning. In this paper, we propose ELITE, a robust parameter aggregation algorithm to defend federated learning from Byzantine attacks. Inspired by the observation that the parameters of malicious workers usually distract from the parameters of benign workers, we introduce entropy to efficiently detect malicious workers. We evaluate the performance of ELITE on image classification model training under three typical attacks, and experimental results show that ELITE can resist various Byzantine attacks and outperforms existing algorithms by improving the model accuracy at most up to 80%.

Jiahao Xu,Zikai Zhang,Rui Hu

2024-09-03

Abstract:Federated Learning (FL) enables multiple clients to collaboratively train a model without sharing their local data. Yet the FL system is vulnerable to well-designed Byzantine attacks, which aim to disrupt the model training process by uploading malicious model updates. Existing robust aggregation rule-based defense methods overlook the diversity of magnitude and direction across different layers of the model updates, resulting in limited robustness performance, particularly in non-IID settings. To address these challenges, we propose the Layer-Adaptive Sparsified Model Aggregation (LASA) approach, which combines pre-aggregation sparsification with layer-wise adaptive aggregation to improve robustness. Specifically, LASA includes a pre-aggregation sparsification module that sparsifies updates from each client before aggregation, reducing the impact of malicious parameters and minimizing the interference from less important parameters for the subsequent filtering process. Based on sparsified updates, a layer-wise adaptive filter then adaptively selects benign layers using both magnitude and direction metrics across all clients for aggregation. We provide the detailed theoretical robustness analysis of LASA and the resilience analysis for the FL integrated with LASA. Extensive experiments are conducted on various IID and non-IID datasets. The numerical results demonstrate the effectiveness of LASA. Code is available at \url{<a class="link-external link-https" href="https://github.com/JiiahaoXU/LASA" rel="external noopener nofollow">this https URL</a>}.

Machine Learning

Jingwei Yi,Fangzhao Wu,Huishuai Zhang,Bin Zhu,Tao Qi,Guangzhong Sun,Xing Xie

2023-07-26

Abstract:Federated learning (FL) enables multiple clients to collaboratively train models without sharing their local data, and becomes an important privacy-preserving machine learning framework. However, classical FL faces serious security and robustness problem, e.g., malicious clients can poison model updates and at the same time claim large quantities to amplify the impact of their model updates in the model aggregation. Existing defense methods for FL, while all handling malicious model updates, either treat all quantities benign or simply ignore/truncate the quantities of all clients. The former is vulnerable to quantity-enhanced attack, while the latter leads to sub-optimal performance since the local data on different clients is usually in significantly different sizes. In this paper, we propose a robust quantity-aware aggregation algorithm for federated learning, called FedRA, to perform the aggregation with awareness of local data quantities while being able to defend against quantity-enhanced attacks. More specifically, we propose a method to filter malicious clients by jointly considering the uploaded model updates and data quantities from different clients, and performing quantity-aware weighted averaging on model updates from remaining clients. Moreover, as the number of malicious clients participating in the federated learning may dynamically change in different rounds, we also propose a malicious client number estimator to predict how many suspicious clients should be filtered in each round. Experiments on four public datasets demonstrate the effectiveness of our FedRA method in defending FL against quantity-enhanced attacks.

Cryptography and Security,Artificial Intelligence,Machine Learning

Yanna Jiang,Baihe Ma,Xu Wang,Guangsheng Yu,Caijun Sun,Wei Ni,Ren Ping Liu

DOI: https://doi.org/10.48550/arXiv.2307.08324

2023-07-17

Abstract:As a distributed learning, Federated Learning (FL) faces two challenges: the unbalanced distribution of training data among participants, and the model attack by Byzantine nodes. In this paper, we consider the long-tailed distribution with the presence of Byzantine nodes in the FL scenario. A novel two-layer aggregation method is proposed for the rejection of malicious models and the advisable selection of valuable models containing tail class data information. We introduce the concept of think tank to leverage the wisdom of all participants. Preliminary experiments validate that the think tank can make effective model selections for global aggregation.

Machine Learning,Cryptography and Security

Ali Reza Ghavamipour,Benjamin Zi Hao Zhao,Oguzhan Ersoy,Fatih Turkmen

2024-04-28

Abstract:Decentralized machine learning (DL) has been receiving an increasing interest recently due to the elimination of a single point of failure, present in Federated learning setting. Yet, it is threatened by the looming threat of Byzantine clients who intentionally disrupt the learning process by broadcasting arbitrary model updates to other clients, seeking to degrade the performance of the global model. In response, robust aggregation schemes have emerged as promising solutions to defend against such Byzantine clients, thereby enhancing the robustness of Decentralized Learning. Defenses against Byzantine adversaries, however, typically require access to the updates of other clients, a counterproductive privacy trade-off that in turn increases the risk of inference attacks on those same model updates.

Cryptography and Security,Artificial Intelligence

Puning Zhao,Fei Yu,Zhiguo Wan

2024-03-25

Abstract:Federated learning systems are susceptible to adversarial attacks. To combat this, we introduce a novel aggregator based on Huber loss minimization, and provide a comprehensive theoretical analysis. Under independent and identically distributed (i.i.d) assumption, our approach has several advantages compared to existing methods. Firstly, it has optimal dependence on $\epsilon$, which stands for the ratio of attacked clients. Secondly, our approach does not need precise knowledge of $\epsilon$. Thirdly, it allows different clients to have unequal data sizes. We then broaden our analysis to include non-i.i.d data, such that clients have slightly different distributions.

Machine Learning,Artificial Intelligence

Youpeng Li,Xinda Wang,Fuxun Yu,Lichao Sun,Wenbin Zhang,Xuyu Wang

2024-10-17

Abstract:Federated learning (FL), an emerging distributed machine learning paradigm, has been applied to various privacy-preserving scenarios. However, due to its distributed nature, FL faces two key issues: the non-independent and identical distribution (non-IID) of user data and vulnerability to Byzantine threats. To address these challenges, in this paper, we propose FedCAP, a robust FL framework against both data heterogeneity and Byzantine attacks. The core of FedCAP is a model update calibration mechanism to help a server capture the differences in the direction and magnitude of model updates among clients. Furthermore, we design a customized model aggregation rule that facilitates collaborative training among similar clients while accelerating the model deterioration of malicious clients. With a Euclidean norm-based anomaly detection mechanism, the server can quickly identify and permanently remove malicious clients. Moreover, the impact of data heterogeneity and Byzantine attacks can be further mitigated through personalization on the client side. We conduct extensive experiments, comparing multiple state-of-the-art baselines, to demonstrate that FedCAP performs well in several non-IID settings and shows strong robustness under a series of poisoning attacks.

Machine Learning,Artificial Intelligence,Cryptography and Security

Jiqiang Gao,Baolei Zhang,Xiaojie Guo,Thar Baker,Min Li,Zheli Liu

DOI: https://doi.org/10.1109/tii.2022.3145837

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Big data, due to its promotion for industrial intelligence, has become the cornerstone of the Industry 4.0 era. Federated learning, proposed by Google, can effectively integrate data from different devices and different domains to train models under the premise of privacy preservation. Unfortunately, this new training paradigm faces security risks both on the client side and server side. This article proposes a new federated learning scheme to defend from client-side malicious uploads (e.g., backdoor attacks). In addition, we use cryptography techniques to prevent server-side privacy attacks (e.g., membership inference). The secure partial aggregation protocol we designed improves the privacy and robustness of federated learning. The experiments show that models can achieve high accuracy of over 90% with a proper upload proportion, while the accuracy of the backdoor attack decreased from 99.5% to 0% with the best result. Meanwhile, we prove that our protocol can disable privacy attacks.

Sihan Mao,Jianguang Zhang,Xiaodong Hu,Xiaolin Zheng

DOI: https://doi.org/10.1109/cscwd61410.2024.10580498

2024-01-01

Abstract:Federated learning involves a group of workers and a central server to train a machine learning model in a distributed manner. However, the distributed structure poses challenges in terms of communication efficiency and robustness against malicious attacks. Our work assumes the presence of Byzantine attackers among workers and considers Byzantine robustness in federated learning. In order to overcome the challenges of communication and Byzantine attacks, we propose a novel method called Byzantine-robust compressed and momentum-based variance reduction (BR-CoMVaR). This method innovatively combines Byzantine-robustness aggregation, gradient difference compression, and momentum-based variance reduction. Gradient difference compression helps to mitigate the effect of compression noise, while momentum-based variance reduction reduces the variance in local stochastic gradients and accelerates convergence. The incorporation of these two techniques with Byzantine-robustness aggregation further enhances the defense capability against Byzantine attacks and improves overall Byzantine robustness. Moreover, the extensive experimental results display the superior performance of BR-CoMVaR compared with other three most related algorithms.

Yuchen Liu,Chen,Lingjuan Lyu,Fangzhao Wu,Sai Wu,Gang Chen

DOI: https://doi.org/10.48550/arxiv.2302.06079

2023-01-01

Abstract:Federated learning provides a privacy-aware learning framework by enabling participants to jointly train models without exposing their private data. However, federated learning has exhibited vulnerabilities to Byzantine attacks, where the adversary aims to destroy the convergence and performance of the global model. Meanwhile, we observe that most existing robust AGgregation Rules (AGRs) fail to stop the aggregated gradient deviating from the optimal gradient (the average of honest gradients) in the non-IID setting. We attribute the reason of the failure of these AGRs to two newly proposed concepts: identification failure and integrity failure. The identification failure mainly comes from the exacerbated curse of dimensionality in the non-IID setting. The integrity failure is a combined result of conservative filtering strategy and gradient heterogeneity. In order to address both failures, we propose GAIN, a gradient decomposition scheme that can help adapt existing robust algorithms to heterogeneous datasets. We also provide convergence analysis for integrating existing robust AGRs into GAIN. Experiments on various real-world datasets verify the efficacy of our proposed GAIN.

Anqi Zhou,Yezheng Liu,Yidong Chai,Hongyi Zhu,Xinyue Ge,Yuanchun Jiang,Meng Wang

2024-06-30

Abstract:Federated Learning (FL) has garnered widespread adoption across various domains such as finance, healthcare, and cybersecurity. Nonetheless, FL remains under significant threat from backdoor attacks, wherein malicious actors insert triggers into trained models, enabling them to perform certain tasks while still meeting FL's primary objectives. In response, robust aggregation methods have been proposed, which can be divided into three types: ex-ante, ex-durante, and ex-post methods. Given the complementary nature of these methods, combining all three types is promising yet unexplored. Such a combination is non-trivial because it requires leveraging their advantages while overcoming their disadvantages. Our study proposes a novel whole-process certifiably robust aggregation (WPCRA) method for FL, which enhances robustness against backdoor attacks across three phases: ex-ante, ex-durante, and ex-post. Moreover, since the current geometric median estimation method fails to consider differences among clients, we propose a novel weighted geometric median estimation algorithm (WGME). This algorithm estimates the geometric median of model updates from clients based on each client's weight, further improving the robustness of WPCRA against backdoor attacks. We also theoretically prove that WPCRA offers improved certified robustness guarantees with a larger certified radius. We evaluate the advantages of our methods based on the task of loan status prediction. Comparison with baselines shows that our methods significantly improve FL's robustness against backdoor attacks. This study contributes to the literature with a novel WPCRA method and a novel WGME algorithm. Our code is available at <a class="link-external link-https" href="https://github.com/brick-brick/WPCRAM" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Machine Learning

Yin Zhu,Junqing Gong,Kai Zhang,Haifeng Qian

DOI: https://doi.org/10.1109/tdsc.2024.3380669

2024-01-01

Abstract:In cross-device federated learning, verifiable secure aggregation enables clients to aggregate their locally trained model parameters through a malicious server to obtain a global model. To prevent the malicious server from tampering with the results, solutions have been proposed to ensure verifiability during this aggregation process. However, previous solutions either failed to achieve non-interactivity, which is critical in the cross-device setting, or failed to achieve malicious server resistance due to their underlying approach. Thus in this paper, we propose a lightweight non-interactive multi-client verifiable computation scheme (lwMVC) and then construct the malicious-resistant non-interactive verifiable aggregation (MRNIVA) for cross-device federated learning by the newly introduced underlying approach lwMVC. By combining Half Gates and non-iterative proxy oblivious-transfer, lwMVC meets both the non-interactivity and malicious resistance properties. Then, after solving the user dropout and efficiency problem, we construct the MRNIVA by lwMVC. Since we focus on the cross-device scenario, we conduct experiments on a Single Board Computer. The experiment result demonstrates that MRNIVA remains efficient compared to previous works after achieving both non-interactive and malicious resistance properties. As far as we know, we are the first to carry out verifiable aggregation experiments using such resource-constrained devices.

Jie Peng,Zhaoxian Wu,Qing Ling,Tianyi Chen

DOI: https://doi.org/10.1016/j.ins.2022.10.120

IF: 8.1

2022-01-01

Information Sciences

Abstract:We consider the federated learning problem where data on workers are not independent and identically distributed (i.i.d.). During the learning process, an unknown number of Byzantine workers may send malicious messages to the central node, leading to remarkable learning error. Most of the Byzantine-robust methods address this issue by using robust aggregation rules to aggregate the received messages, but rely on the assumption that all the regular workers have i.i.d. data, which is not the case in many federated learning applications. In light of the significance of reducing stochastic gradient noise for mitigating the effect of Byzantine attacks, we use a resampling strategy to reduce the impact of both inner variation (that describes the sample heterogeneity on every regular worker) and outer variation (that describes the sample heterogeneity among the regular workers), along with a stochastic average gradient algorithm to gradually eliminate the inner variation. The variance-reduced messages are then aggregated with a robust geometric median operator. We prove that the proposed method reaches a neighborhood of the optimal solution at a linear convergence rate and the learning error is determined by the number of Byzantine workers. Numerical experiments corroborate the theoretical results and show that the proposed method outperforms the state-of-the-arts in the non-i.i.d. setting.

Yanli Li,Weiping Ding,Huaming Chen,Wei Bao,Dong Yuan

DOI: https://doi.org/10.1016/j.ins.2024.120475

IF: 8.1

2024-05-01

Information Sciences

Abstract:Federated learning (FL) is a promising approach that allows many clients to jointly train a model without sharing the raw data. Due to the clients&#x27; different preferences, the class imbalance issue frequently occurs in real-world FL problems and poses threats for poisoning attacks to the existing FL methods. In this work, we first propose a new attack called Class Imbalance Attack that can degrade the testing accuracy of a particular class(es) to even 0 under the state-of-the-art robust FL methods. To defend against such attacks, we further propose a Class-Balanced FL method with a novel contribution-wise Byzantine-robust aggregation rule. In the designed rule, an honest score and a contribution score will be assigned to each client dynamically according to the server model. The server itself will be initiated with a small dataset, and a model (called server model) will be maintained. These two scores will be subsequently used to calculate the weighted average of the client gradients for each training iteration. The experiments are conducted on five datasets against state-of-the-art poisoning attacks, including the Class Imbalance Attack. The empirical results demonstrate the effectiveness of the proposed Class-Balanced FL method.

computer science, information systems