Xueluan Gong,Yanjiao Chen,Qian Wang,Weihan Kong

DOI: https://doi.org/10.1109/mwc.017.2100714

IF: 12.777

2023-01-01

IEEE Wireless Communications

Abstract:The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.

Wenbo Yang,Jidong Yuan,Xiaokang Wang,Peixiang Zhao,Wenbo Yang,Jidong Yuan,Xiaokang Wang,Peixiang Zhao

DOI: https://doi.org/10.1016/j.engappai.2022.105218

IF: 8

2022-09-01

Engineering Applications of Artificial Intelligence

Abstract:Deep neural networks (DNNs) for time series classification have potential security concerns due to their vulnerability to adversarial attacks. Previous work that perturbs time series globally requires gradient information to generate adversarial examples, leading to being perceived easily. In this paper, we propose a gradient-free black-box method called TSadv to attack DNNs with local perturbations. First, we formalize the attack as a constrained optimization problem solved by a differential evolution algorithm without any inner information of the target model. Second, with the assumption that time series shapelets provide more discriminative information between different classes, the range of perturbations is designed based on their intervals. Experimental results show that our method can effectively attack DNNs on time series datasets that have potential security concerns and generate imperceptible adversarial samples flexibly. Besides, our approach decreases the mean squared error by approximately two orders of magnitude compared with the state-of-the-art method while retaining competitive attacking success rates.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

YANG Wen-bo,YUAN Ji-dong

DOI: https://doi.org/10.11896/jsjkx.210900254

2022-01-01

Abstract:Deep neural networks(DNNs) for time series classification have potential security concerns due to their vulnerability to adversarial attacks.The existing attack methods on time series performglobal perturbation based on gradient information,and the generated adversarial examples are easy to be perceived.This paper proposes a locally black-box method to attack DNNs without gradient information.First,the attack is described as a constrained optimization problem with the assumption that the method cannot get any inner information of the model,then the genetic algorithm is employed to solve it.Second,since time series shapelets provides the most discriminative information among different categories,it is designed as a local perturbation interval.Experimental results on UCR datasets that have potential security concerns indicate that the proposed method can effectively attack DNNs and generate adversarial samples.In addition,compared with the benchmark,the method significantly reduces the mean squared error while keeping a high success rate.

Pei Fang,Jinghui Chen

DOI: https://doi.org/10.48550/arXiv.2301.08170

2023-01-20

Abstract:Federated Learning (FL) is a popular distributed machine learning paradigm that enables jointly training a global model without sharing clients' data. However, its repetitive server-client communication gives room for backdoor attacks with aim to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack method for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.

Machine Learning,Artificial Intelligence,Cryptography and Security

Yein Kim,Huili Chen,Farinaz Koushanfar

DOI: https://doi.org/10.48550/arXiv.2202.11196

2022-02-22

Abstract:The goal of federated learning (FL) is to train one global model by aggregating model parameters updated independently on edge devices without accessing users' private data. However, FL is susceptible to backdoor attacks where a small fraction of malicious agents inject a targeted misclassification behavior in the global model by uploading polluted model updates to the server. In this work, we propose DifFense, an automated defense framework to protect an FL system from backdoor attacks by leveraging differential testing and two-step MAD outlier detection, without requiring any previous knowledge of attack scenarios or direct access to local model parameters. We empirically show that our detection method prevents a various number of potential attackers while consistently achieving the convergence of the global model comparable to that trained under federated averaging (FedAvg). We further corroborate the effectiveness and generalizability of our method against prior defense techniques, such as Multi-Krum and coordinate-wise median aggregation. Our detection method reduces the average backdoor accuracy of the global model to below 4% and achieves a false negative rate of zero.

Cryptography and Security,Machine Learning

Chenghui Shi,Shouling Ji,Xudong Pan,Xuhong Zhang,Mi Zhang,Min Yang,Jun Zhou,Jianwei Yin,Ting Wang

DOI: https://doi.org/10.1109/tdsc.2024.3376790

2024-01-01

Abstract:Federated Learning (FL) is nowadays one of the most promising paradigms for privacy-preserving distributed learning. Without revealing its local private data to outsiders, a client in FL systems collaborates to build a global Deep Neural Network (DNN) by submitting its local model parameter update to a central server for iterative aggregation. With secure multi-party computation protocols, the submitted update of any client is also by design invisible to the server. Seemingly, this standard design is a win-win for client privacy and service provider utility. Ironically, any attacker may also use manipulated or impersonated client to submit almost any attack payloads under the umbrella of the FL protocol itself. In this work, we craft a practical backdoor attack on FL systems that is proved to be simultaneously effective and stealthy on diverse use cases of FL systems and leading commercial FL platforms in the real world. Basically, we first identify a small number of redundant neurons which tend to be rarely or slightly updated in the model, and then inject backdoor into these redundant neurons instead of the whole model. In this way, our backdoor attack can achieve a high attack success rate with a minor impact on the accuracy of the original task. As countermeasures, we further consider several common technical choices including robust aggregation mechanisms, differential privacy mechanism,s and network pruning. However, none of the defenses show desirable defense capability against our backdoor attack. Our results strongly highlight the vulnerability of existing FL systems against backdoor attacks and the urgent need to develop more effective defense mechanisms.

Hui Zeng,Tongqing Zhou,Xinyi Wu,Zhiping Cai

DOI: https://doi.org/10.1109/srds55811.2022.00017

2022-01-01

Abstract:The privacy-preserving nature of Federated Learning (FL) exposes such a distributed learning paradigm to the planting of backdoors with locally corrupted data. We discover that FL backdoors, under a new on-off multi-shot attack form, are essentially stealthy against existing defenses that are built on model statistics and spectral analysis. First-hand observations of such attacks show that the backdoored models are indistinguishable from normal ones w.r.t. both low-level and high-level representations. We thus emphasize that a critical redemption, if not the only, for the tricky stealthiness is reactive tracing and posterior mitigation. A three-step remedy framework is then proposed by exploring the temporal and inferential correlations of models on a trapped sample from an attack. In particular, we use shift ensemble detection and co-occurrence analysis for adversary identification, and repair the model via malicious ingredients removal under theoretical error guarantee. Extensive experiments on various backdoor settings demonstrate that our framework can achieve accuracy on attack round identification of ∼80% and on attackers of ∼50%, which are ∼28.76% better than existing proactive defenses. Meanwhile, it can successfully eliminate the influence of backdoors with only a 5%∼6% performance drop.

Hao Wang,Xuejiao Mu,Dong Wang,Qiang Xu,Kaiju Li

DOI: https://doi.org/10.1109/jiot.2024.3415628

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning can complete collaborative model training without transfering local data, which can greatly improve the training efficiency. However, Federated learning is susceptible data and model backdoor attacks. To address data backdoor attack, in this paper, we propose a defense method named TSF. TSF transforms data from time domain to frequency domain and subsequently designs a low-pass filter to mitigate the impact of high-frequency signals introduced by backdoor samples. Additionally, we undergo homomorphic encryption on local updates to prevent the server from inferring user’s data. We also introduce a defense method against model backdoor attack named CFSD-DP. CFSD-DP screens malicious updates using cosine similarity detection in the ciphertext domain. It perturbs the global model using differential privacy mechanism to mitigate the impact of model backdoor attack. It can effectively detect malicious updates and safeguard the privacy of the global model. Experimental results show that the proposed TSF and CFSD-DP have 73.8% degradation in backdoor accuracy while only 3% impact on the main task accuracy compared with state-of-the-art schemes. Code is available at https://github.com/whwh456/TSF.

Haiyan Zhang,Xinghua Li,Mengfan Xu,Ximeng Liu,Tong Wu,Jian Weng,Robert H. Deng

DOI: https://doi.org/10.1109/tkde.2024.3420778

2024-01-01

Abstract:There is substantial attention to federated learning with its ability to train a powerful global model collaboratively while protecting data privacy. Despite its many advantages, federated learning is vulnerable to backdoor attacks, where an adversary injects malicious weights into the global model, making the global model's targeted predictions incorrect. Existing defenses based on identifying and eliminating malicious weights ignore the similarity variation of the local weights during iterations in the malicious model detection and the presence of benign weights in the malicious model during the malicious local weight elimination, resulting in a poor defense and a degradation of global model accuracy. In this paper, we defend against backdoor attacks from the perspective of local models. First, a malicious model detection method based on interpretability techniques is proposed. The method appends a sampling check after clustering to identify malicious models accurately. We further design a malicious local weight elimination method based on local weight contributions. This method preserves the benign weights in the malicious model to maintain their contributions to the global model. Finally, we analyze the security of the proposed method in terms of model closeness and then verify the effectiveness of the proposed method through experiments. In comparison with existing defenses, the results show that BADFL improves the global model accuracy by 23.14% while reducing the attack success rate to 0.04% in the best case.

Ji FENG,Qi-Zhi CAI,Yuan JIANG

DOI: https://doi.org/10.1360/ssi-2019-0145

2021-01-01

Scientia Sinica Informationis

Abstract:Federated machine learning systems have gained more and more attention and popularity in both academia and industry because they can obtain a shared model among multiple parties without explicitly sharing the training data. Such a system is believed to have a good potential of protecting data privacy compared with the traditional machine learning frameworks. On the other hand, training time attacks are a procedure of purposefully modifying training data, hoping to manipulate the behavior of the corresponding trained system during test time. DeepConfuse, for instance, is one recent advance in generating adversarial training data with high efficiency. In this work, we extend the DeepConfuse framework so that it can be used in federated machine learning. This is the first training time attack for a federated learning system. The empirical results showed that the federated learning system is even more vulnerable under the DeepConfuse attack in terms of $\delta$-accuracy loss.

Yuexin Xuan,Xiaojun Chen,Zhendong Zhao,Bisheng Tang,Ye Dong

2023-06-19

Abstract:Federated learning (FL), which aims to facilitate data collaboration across multiple organizations without exposing data privacy, encounters potential security risks. One serious threat is backdoor attacks, where an attacker injects a specific trigger into the training dataset to manipulate the model's prediction. Most existing FL backdoor attacks are based on horizontal federated learning (HFL), where the data owned by different parties have the same features. However, compared to HFL, backdoor attacks on vertical federated learning (VFL), where each party only holds a disjoint subset of features and the labels are only owned by one party, are rarely studied. The main challenge of this attack is to allow an attacker without access to the data labels, to perform an effective attack. To this end, we propose BadVFL, a novel and practical approach to inject backdoor triggers into victim models without label information. BadVFL mainly consists of two key steps. First, to address the challenge of attackers having no knowledge of labels, we introduce a SDD module that can trace data categories based on gradients. Second, we propose a SDP module that can improve the attack's effectiveness by enhancing the decision dependency between the trigger and attack target. Extensive experiments show that BadVFL supports diverse datasets and models, and achieves over 93% attack success rate with only 1% poisoning rate.

Cryptography and Security,Machine Learning

Yongkang Wang,Di-Hua Zhai,Dongyu Han,Yuyin Guan,Yuanqing Xia

DOI: https://doi.org/10.1109/jiot.2023.3325634

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is widely used in the Internet of Things (IoT) systems. However, FL is susceptible to backdoor attacks due to its inherently distributed and privacy-preserving nature. Existing studies assume that backdoor triggers on different malicious clients are universal, and most defense algorithms are designed to counter backdoor attacks based on this assumption. Recently, dynamic backdoor attacks have been proposed to undermine robust algorithms in centralized machine learning. We introduce dynamic backdoor attacks into the FL system and develop three types of dynamic backdoors named Aggregation, Single, and Continuous to target the FL system. To defend against such attacks, we propose a novel robust algorithm called MITDBA, which utilizes gramian information to capture high-order representations, then employs spectral signatures to detect and remove malicious clients, finally utilizes clipping operations to filter the selected local models during the aggregation process. We conduct attack and defense experiments on MNIST, CIFAR-10, and GTSRB datasets. The experimental results demonstrate that our designed attack strategies can successfully insert dynamic backdoors into the global model, bypassing the existing state-of-the-art defenses, but these attacks can be effectively mitigated by MITDBA.

Xueluan Gong,Yuji Wang,Shuaike Li,Mengyuan Sun,Songze Li,Qian Wang,Kwok-Yan Lam,Chen Chen

2024-11-27

Abstract:Federated Learning (FL) emerged as a paradigm for conducting machine learning across broad and decentralized datasets, promising enhanced privacy by obviating the need for direct data sharing. However, recent studies show that attackers can steal private data through model manipulation or gradient analysis. Existing attacks are constrained by low theft quantity or low-resolution data, and they are often detected through anomaly monitoring in gradients or weights. In this paper, we propose a novel data-reconstruction attack leveraging malicious code injection, supported by two key techniques, i.e., distinctive and sparse encoding design and block partitioning. Unlike conventional methods that require detectable changes to the model, our method stealthily embeds a hidden model using parameter sharing to systematically extract sensitive data. The Fibonacci-based index design ensures efficient, structured retrieval of memorized data, while the block partitioning method enhances our method's capability to handle high-resolution images by dividing them into smaller, manageable units. Extensive experiments on 4 datasets confirmed that our method is superior to the five state-of-the-art data-reconstruction attacks under the five respective detection methods. Our method can handle large-scale and high-resolution data without being detected or mitigated by state-of-the-art data reconstruction defense methods. In contrast to baselines, our method can be directly applied to both FedAVG and FedSGD scenarios, underscoring the need for developers to devise new defenses against such vulnerabilities. We will open-source our code upon acceptance.

Computation and Language,Cryptography and Security

Xiaohuan Bi,Xi Li

2024-10-23

Abstract:Federated learning (FL) enables decentralized model training while preserving privacy. Recently, integrating Foundation Models (FMs) into FL has boosted performance but also introduced a novel backdoor attack mechanism. Attackers can exploit the FM's capabilities to embed backdoors into synthetic data generated by FMs used for model fusion, subsequently infecting all client models through knowledge sharing without involvement in the long-lasting FL process. These novel attacks render existing FL backdoor defenses ineffective, as they primarily detect anomalies among client updates, which may appear uniformly malicious under this attack. Our work proposes a novel data-free defense strategy by constraining abnormal activations in the hidden feature space during model aggregation on the server. The activation constraints, optimized using synthetic data alongside FL training, mitigate the attack while barely affecting model performance, as the parameters remain untouched. Extensive experiments demonstrate its effectiveness against both novel and classic backdoor attacks, outperforming existing defenses while maintaining model performance.

Machine Learning,Cryptography and Security

Tuan Nguyen,Dung Thuy Nguyen,Khoa D Doan,Kok-Seng Wong

2024-07-06

Abstract:Despite the promise of Federated Learning (FL) for privacy-preserving model training on distributed data, it remains susceptible to backdoor attacks. These attacks manipulate models by embedding triggers (specific input patterns) in the training data, forcing misclassification as predefined classes during deployment. Traditional single-trigger attacks and recent work on cooperative multiple-trigger attacks, where clients collaborate, highlight limitations in attack realism due to coordination requirements. We investigate a more alarming scenario: non-cooperative multiple-trigger attacks. Here, independent adversaries introduce distinct triggers targeting unique classes. These parallel attacks exploit FL's decentralized nature, making detection difficult. Our experiments demonstrate the alarming vulnerability of FL to such attacks, where individual backdoors can be successfully learned without impacting the main task. This research emphasizes the critical need for robust defenses against diverse backdoor attacks in the evolving FL landscape. While our focus is on empirical analysis, we believe it can guide backdoor research toward more realistic settings, highlighting the crucial role of FL in building robust defenses against diverse backdoor threats. The code is available at \url{https://anonymous.4open.science/r/nba-980F/}.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Chamara Sandeepa,Bartlomiej Siniarski,Shen Wang,Madhusanka Liyanage

DOI: https://doi.org/10.1109/trustcom60117.2023.00044

2024-01-01

Abstract:Federated Learning (FL) is an emerging privacy-preserved distributed Machine Learning (ML) technique where multiple clients can contribute to training an ML model without sharing private data. Even though FL offers a certain level of privacy by design, recent works show that FL is vulnerable to numerous privacy attacks. One of the key features of FL is the continuous training of FL models over many cycles through time. Observing changes in FL models over time can lead to inferring information on changes to private and sensitive data used in the FL process. However, this potential leakage of private information is not yet investigated significantly. Therefore, this paper introduces a new form of inference-based privacy attacks called FL Time Inference Attacks (FL-TIA). These attacks can reveal private time-related properties such as the presence or absence of a sensitive feature over time and if it is periodical. We consider two forms of such FL-TIA: i.e. identifying changes in membership of target data records over training rounds and detecting significant events in clients over time by observing differences in FL models. We use the network Intrusion Detection System (IDS) as a use case to demonstrate the impact of our attack. We propose a continuous updating attack model method for membership variation detection by sustaining the accuracy of the attack. Furthermore, we provide an efficient detection method that can identify model changes using cosine similarity metric and one-shot mapping on shadow model training.

Xi Li,Songhe Wang,Chen Wu,Hao Zhou,Jiaqi Wang

2023-11-01

Abstract:Federated learning (FL) represents a novel paradigm to machine learning, addressing critical issues related to data privacy and security, yet suffering from data insufficiency and imbalance. The emergence of foundation models (FMs) provides a promising solution to the problems with FL. For instance, FMs could serve as teacher models or good starting points for FL. However, the integration of FM in FL presents a new challenge, exposing the FL systems to potential threats. This paper investigates the robustness of FL incorporating FMs by assessing their susceptibility to backdoor attacks. Contrary to classic backdoor attacks against FL, the proposed attack (1) does not require the attacker fully involved in the FL process; (2) poses a significant risk in practical FL scenarios; (3) is able to evade existing robust FL frameworks/ FL backdoor defenses; (4) underscores the researches on the robustness of FL systems integrated with FMs. The effectiveness of the proposed attack is demonstrated by extensive experiments with various well-known models and benchmark datasets encompassing both text and image classification domains.

Distributed, Parallel, and Cluster Computing

Minghui Li,Wei Wan,Yuxuan Ning,Shengshan Hu,Lulu Xue,Leo Yu Zhang,Yichen Wang

2024-05-06

Abstract:Federated learning (FL) has been demonstrated to be susceptible to backdoor attacks. However, existing academic studies on FL backdoor attacks rely on a high proportion of real clients with main task-related data, which is impractical. In the context of real-world industrial scenarios, even the simplest defense suffices to defend against the state-of-the-art attack, 3DFed. A practical FL backdoor attack remains in a nascent stage of development.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Yinbin Miao,Rongpeng Xie,Xinghua Li,Zhiquan Liu,Kim-Kwang Raymond Choo,Robert H. Deng

DOI: https://doi.org/10.1109/tdsc.2024.3354736

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Due to the powerful representation ability and superior performance of Deep Neural Networks (DNN), Federated Learning (FL) based on DNN has attracted much attention from both academic and industrial fields. However, its transmitted plaintext data causes privacy disclosure. FL based on Local Differential Privacy (LDP) solutions can provide privacy protection to a certain extent, but these solutions still cannot achieve adaptive perturbation in DNN model. In addition, this kind of schemes cause high communication overheads due to the curse of dimensionality of DNN, and are naturally vulnerable to backdoor attacks due to the inherent distributed characteristic. To solve these issues, we propose an Efficient and Secure Federated Learning scheme (ESFL) against backdoor attacks by using adaptive LDP and compressive sensing. Formal security analysis proves that ESFL satisfies $\epsilon$-LDP security. Extensive experiments using three datasets demonstrate that ESFL can solve the problems of traditional LDP-based FL schemes without a loss of model accuracy and efficiently resist the backdoor attacks.

computer science, information systems, software engineering, hardware & architecture

Qammar, Attia,Ding, Jianguo,Ning, Huansheng

DOI: https://doi.org/10.1007/s10462-021-10098-w

IF: 9.588

2021-01-01

Artificial Intelligence Review

Abstract:Federated learning (FL) has received a great deal of research attention in the context of privacy protection restrictions. By jointly training deep learning models, a variety of training tasks can be competently performed with the help of invited participants. However, FL is concerned with a large number of attacks involving privacy and security aspects. This paper shows a federated learning workflow process and how a malicious client can exploit vulnerabilities in the FL system to attack the system. A systematic survey of existing research on the taxonomy of federated learning attack surface and the classification is presented. As with the FL attack surface, attackers compromise security, privacy, gain free incentives and abuse the Confidentiality, Integrity, and Availability (CIA) security triad. In addition, state-of-the-art defensive approaches against FL attacks are elaborated which help to protect and minimize the likelihood of attacks. FL models and tools for privacy attacks are explained, along with their best aspects and drawbacks. Finally, technical challenges and possible research guidelines are discussed as future work to build robust FL systems.