Xueluan Gong,Yanjiao Chen,Qian Wang,Weihan Kong

DOI: https://doi.org/10.1109/mwc.017.2100714

IF: 12.777

2023-01-01

IEEE Wireless Communications

Abstract:The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.

Yongkang Wang,Di-Hua Zhai,Dongyu Han,Yuyin Guan,Yuanqing Xia

DOI: https://doi.org/10.1109/jiot.2023.3325634

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is widely used in the Internet of Things (IoT) systems. However, FL is susceptible to backdoor attacks due to its inherently distributed and privacy-preserving nature. Existing studies assume that backdoor triggers on different malicious clients are universal, and most defense algorithms are designed to counter backdoor attacks based on this assumption. Recently, dynamic backdoor attacks have been proposed to undermine robust algorithms in centralized machine learning. We introduce dynamic backdoor attacks into the FL system and develop three types of dynamic backdoors named Aggregation, Single, and Continuous to target the FL system. To defend against such attacks, we propose a novel robust algorithm called MITDBA, which utilizes gramian information to capture high-order representations, then employs spectral signatures to detect and remove malicious clients, finally utilizes clipping operations to filter the selected local models during the aggregation process. We conduct attack and defense experiments on MNIST, CIFAR-10, and GTSRB datasets. The experimental results demonstrate that our designed attack strategies can successfully insert dynamic backdoors into the global model, bypassing the existing state-of-the-art defenses, but these attacks can be effectively mitigated by MITDBA.

Wei Yu,Saier Alharbi,Yifan Guo

DOI: https://doi.org/10.1109/JIOT.2024.3368754

IF: 10.6

2024-06-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices generate massive amounts of data from local devices, making federated learning (FL) a viable distributed machine learning paradigm to learn a global model while keeping private data locally in various IoT systems. However, recent studies show that FL’s decentralized nature makes it susceptible to backdoor attacks. Existing defenses like robust aggregation defenses have reduced attack success rates (ASRs) by identifying significant statistical differences between normal and backdoored models individually. However, these defenses fail to consider the potential collusion among attackers to bypass statistical measures utilized in defenses. In this article, we propose a novel attack approach, called collusive backdoor attacks (CBAs), which bypasses robust aggregation defense by considering both local backdoor training and post-training model manipulations among collusive attackers. Particularly, we introduce a nontrivial perturbation estimation scheme to add manipulations over model update vectors after local backdoor training and use the Gram-Schmidt process to speed up the estimation process. This makes the magnitude of the perturbed poisoned model to the same level as normal models, evading robust aggregation-based defense while maintaining attack efficacy. After that, we provide a pilot study to verify the feasibility of our perturbation estimation scheme, followed by its convergence analysis. By evaluating the attack performance on four representative data sets, our CBA approach maintains high ASRs under benchmark robust aggregation defenses in both independent and identically distributed (IID) and non-IID local data settings. Particularly, it increases the ASR by 126% on average compared to individual backdoor attacks.

Engineering,Computer Science

Xiong Xiao,Zhuo Tang,Li Yang,Yingjie Song,Jiawei Tan,Kenli Li

DOI: https://doi.org/10.1109/mnet.004.2200645

IF: 10.294

2023-01-01

IEEE Network

Abstract:As a novel distributed machine learning scheme, federated learning (FL) efficiently realizes the collaborative training of models by global participants while also protecting their data privacy. Due to the independence of participants' local data and the inability of the FL server to access the local data, many IIoT applications with strong data sensitivity are increasingly incorporating FL technology. However, it also exposes a great security vulnerability. Malicious adversaries manipulate local data to perform covert targeted poisoning attacks or other harmful behaviors to affect the global model. In addition, due to the diversity of IIoT data in actual scenarios, different data distribution scenarios can also cause different attack effects In this work, we devise a defense technique called FDSFL against multiple malicious adversaries and various targeted poisoning attacks involving both IID and non-IID data distribution scenarios. It runs on the server-side and mainly includes three execution modules: pairwise cosine similarity, clustering mechanism, and filtering strategy, which can dynamically filter malicious updates during the iterative training process. We demonstrate that our designed FDSFL outperforms the state-of-the-art in maintaining global model accuracy and reducing attack success rates through extensive experiments on three general datasets.

Jiyuan Shen,Wenzhuo Yang,Zhaowei Chu,Jiani Fan,Dusit Niyato,Kwok-Yan Lam

2024-01-22

Abstract:With the rapid development of low-cost consumer electronics and cloud computing, Internet-of-Things (IoT) devices are widely adopted for supporting next-generation distributed systems such as smart cities and industrial control systems. IoT devices are often susceptible to cyber attacks due to their open deployment environment and limited computing capabilities for stringent security controls. Hence, Intrusion Detection Systems (IDS) have emerged as one of the effective ways of securing IoT networks by monitoring and detecting abnormal activities. However, existing IDS approaches rely on centralized servers to generate behaviour profiles and detect anomalies, causing high response time and large operational costs due to communication overhead. Besides, sharing of behaviour data in an open and distributed IoT network environment may violate on-device privacy requirements. Additionally, various IoT devices tend to capture heterogeneous data, which complicates the training of behaviour models. In this paper, we introduce Federated Learning (FL) to collaboratively train a decentralized shared model of IDS, without exposing training data to others. Furthermore, we propose an effective method called Federated Learning Ensemble Knowledge Distillation (FLEKD) to mitigate the heterogeneity problems across various clients. FLEKD enables a more flexible aggregation method than conventional model fusion techniques. Experiment results on the public dataset CICIDS2019 demonstrate that the proposed approach outperforms local training and traditional FL in terms of both speed and performance and significantly improves the system's ability to detect unknown attacks. Finally, we evaluate our proposed framework's performance in three potential real-world scenarios and show FLEKD has a clear advantage in experimental results.

Cryptography and Security

Minghui Li,Wei Wan,Yuxuan Ning,Shengshan Hu,Lulu Xue,Leo Yu Zhang,Yichen Wang

2024-05-06

Abstract:Federated learning (FL) has been demonstrated to be susceptible to backdoor attacks. However, existing academic studies on FL backdoor attacks rely on a high proportion of real clients with main task-related data, which is impractical. In the context of real-world industrial scenarios, even the simplest defense suffices to defend against the state-of-the-art attack, 3DFed. A practical FL backdoor attack remains in a nascent stage of development.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Chenghui Shi,Shouling Ji,Xudong Pan,Xuhong Zhang,Mi Zhang,Min Yang,Jun Zhou,Jianwei Yin,Ting Wang

DOI: https://doi.org/10.1109/tdsc.2024.3376790

2024-01-01

Abstract:Federated Learning (FL) is nowadays one of the most promising paradigms for privacy-preserving distributed learning. Without revealing its local private data to outsiders, a client in FL systems collaborates to build a global Deep Neural Network (DNN) by submitting its local model parameter update to a central server for iterative aggregation. With secure multi-party computation protocols, the submitted update of any client is also by design invisible to the server. Seemingly, this standard design is a win-win for client privacy and service provider utility. Ironically, any attacker may also use manipulated or impersonated client to submit almost any attack payloads under the umbrella of the FL protocol itself. In this work, we craft a practical backdoor attack on FL systems that is proved to be simultaneously effective and stealthy on diverse use cases of FL systems and leading commercial FL platforms in the real world. Basically, we first identify a small number of redundant neurons which tend to be rarely or slightly updated in the model, and then inject backdoor into these redundant neurons instead of the whole model. In this way, our backdoor attack can achieve a high attack success rate with a minor impact on the accuracy of the original task. As countermeasures, we further consider several common technical choices including robust aggregation mechanisms, differential privacy mechanism,s and network pruning. However, none of the defenses show desirable defense capability against our backdoor attack. Our results strongly highlight the vulnerability of existing FL systems against backdoor attacks and the urgent need to develop more effective defense mechanisms.

Boyu Hou,Jiqiang Gao,Xiaojie Guo,Thar Baker,Ying Zhang,Yanlong Wen,Zheli Liu

DOI: https://doi.org/10.1109/tii.2021.3112100

IF: 12.3

2022-05-01

IEEE Transactions on Industrial Informatics

Abstract:The federated learning provides an effective solution to train collaborative models over a large scale of participated Industrial Internet of Things (IIoT) applications with the help of a global server, building an intelligent life. However, the federated learning is vulnerable to the backdoor attack from strong malicious participants. The backdoor attack is inconspicuous and may result in devastating consequences. To resist the attack on IIoT applications, we propose the federated backdoor filter defense that can identify backdoor inputs and restore the data to availability by the blur-label-flipping strategy. We build multiple filters with eXplainable AI models on the server and send them to clients randomly, preventing advanced attackers from evading the defense. Our backdoor filters show significant backdoor recognition with the accuracy up to 99%. After the implementation of the blur-label-flipping strategy, victim's local model on suspicious backdoor samples can achieve the accuracy up to 88%.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Jie Yang,Jun Zheng,Haochen Wang,Jiaxing Li,Haipeng Sun,Weifeng Han,Nan Jiang,Yu-An Tan

DOI: https://doi.org/10.3390/s23031052

2023-01-17

Abstract:Federated learning has a distributed collaborative training mode, widely used in IoT scenarios of edge computing intelligent services. However, federated learning is vulnerable to malicious attacks, mainly backdoor attacks. Once an edge node implements a backdoor attack, the embedded backdoor mode will rapidly expand to all relevant edge nodes, which poses a considerable challenge to security-sensitive edge computing intelligent services. In the traditional edge collaborative backdoor defense method, only the cloud server is trusted by default. However, edge computing intelligent services have limited bandwidth and unstable network connections, which make it impossible for edge devices to retrain their models or update the global model. Therefore, it is crucial to detect whether the data of edge nodes are polluted in time. This paper proposes a layered defense framework for edge-computing intelligent services. At the edge, we combine the gradient rising strategy and attention self-distillation mechanism to maximize the correlation between edge device data and edge object categories and train a clean model as much as possible. On the server side, we first implement a two-layer backdoor detection mechanism to eliminate backdoor updates and use the attention self-distillation mechanism to restore the model performance. Our results show that the two-stage defense mode is more suitable for the security protection of edge computing intelligent services. It can not only weaken the effectiveness of the backdoor at the edge end but also conduct this defense at the server end, making the model more secure. The precision of our model on the main task is almost the same as that of the clean model.

Jiazhen Zhang,Chunbo Luo,Marcus Carpenter,Geyong Min

DOI: https://doi.org/10.1109/tii.2022.3216575

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Considering that low-cost and resource-cons- trained sensors coupled inherently could be vulnerable to growing numbers of intrusion threats, industrial Internet-of-Things (IIoT) systems are faced with severe security concerns. Data sharing for building high-performance intrusion detection models is also prohibited due to the sensitivity, privacy, and high value of IIoT data. This article presents an anomaly-based intrusion detection system with federated learning for privacy-preserving machine learning in future IIoT networks. To tackle the urgent issue of training local models with non-independent and identically distributed (non-IID) data, we adopt instance-based transfer learning at local. Furthermore, to boost the performance of this system for IIoT intrusion detection, we propose a rank aggregation algorithm with a weighted voting approach. The proposed system achieves superior detection performance with 95.97% and 73.70% accuracy for AdaBoost and Random Forest, respectively, outperforming the baseline models by 12.72% and 14.8%.

Dingde Jiang,Zhihao Wang,Ye Wang,Lizhuang Tan,Jian Wang,Peiying Zhang

DOI: https://doi.org/10.1109/jiot.2024.3406602

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) in Industrial IoT (IIoT) facilitates collaborative model training across distributed edge devices, ensuring data privacy and localized insights without centralized data aggregation. However, the networked parameter sharing mechanism in FL renders it vulnerable to exploitation by man-in-the-middle (MITM) attackers, potentially disrupting the model training process. To mitigate this threat, this article presents a novel blockchain-reinforced FL architecture aimed at enabling cooperative intrusion detection. Initially, FL is leveraged to aggregate all learned information from edge servers, thereby disseminating extracted attack characteristics to all participants through gradient sharing. Subsequently, a blockchain-based parameter verification scheme is introduced to safeguard against tampered local parameters affecting the global model. Clients record model parameters in smart contracts deployed on a private chain, and parameter servers verify parameter confidentiality before aggregation, ensuring only valid parameters are considered. Finally, extensive experiments are conducted using an edge IIoT cybersecurity data set comprising 61 features spanning ten protocol layers and five attacks targeting IIoT connectivity protocols. Simulation results demonstrate that the proposed scheme significantly enhances intrusion detection accuracy, achieving a threefold improvement when two-thirds of federated nodes are subjected to MITM attacks.

Jia Huang,Zhen Chen,Sheng-Zheng Liu,Hao Zhang,Hai-Xia Long

DOI: https://doi.org/10.3390/s24124002

IF: 3.9

2024-06-20

Sensors

Abstract:The security of the Industrial Internet of Things (IIoT) is of vital importance, and the Network Intrusion Detection System (NIDS) plays an indispensable role in this. Although there is an increasing number of studies on the use of deep learning technology to achieve network intrusion detection, the limited local data of the device may lead to poor model performance because deep learning requires large-scale datasets for training. Some solutions propose to centralize the local datasets of devices for deep learning training, but this may involve user privacy issues. To address these challenges, this study proposes a novel federated learning (FL)-based approach aimed at improving the accuracy of network intrusion detection while ensuring data privacy protection. This research combines convolutional neural networks with attention mechanisms to develop a new deep learning intrusion detection model specifically designed for the IIoT. Additionally, variational autoencoders are incorporated to enhance data privacy protection. Furthermore, an FL framework enables multiple IIoT clients to jointly train a shared intrusion detection model without sharing their raw data. This strategy significantly improves the model's detection capability while effectively addressing data privacy and security issues. To validate the effectiveness of the proposed method, a series of experiments were conducted on a real-world Internet of Things (IoT) network intrusion dataset. The experimental results demonstrate that our model and FL approach significantly improve key performance metrics such as detection accuracy, precision, and false-positive rate (FPR) compared to traditional local training methods and existing models.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jianhua Li,Lingjuan Lyu,Ximeng Liu,Xuyun Zhang,Xixiang Lyu

DOI: https://doi.org/10.1109/TII.2021.3088938

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Due to resource constraints and working surroundings, many IIoT nodes are easily hacked and turn into zombies from which to launch attacks. It is challenging to detect such networked zombies rooted behind the Internet for any individual defender. In this article, we combine federated learning (FL) and fog/edge computing to combat malicious codes. Our protocol trains a global optimized model based on distributed datasets of collaborators while removing the data and communication constraints. The FL-based detection protocol maximizes the values of distributed data samples, resulting in an accurate model timely. On top of the protocol, we place mitigation intelligence in a distributed and collaborative manner. Our approach improves accuracy, eliminates mitigation time, and enlarges attackers' expense within a defense alliance. Comprehensive evaluations confirm that the cost incurred is 2.7 times larger, the mitigation response time is 72% lower, and the accuracy is 47% higher on average. Besides, the protocol evaluation shows the detection accuracy is approximately 98% in the FL, which is almost the same as centralized training.

Sahaya Beni Prathiba,Yeshwanth Govindarajan,Vishal Pranav Amirtha Ganesan,Anirudh Ramachandran,Arikumar K. Selvaraj,Ali Kashif Bashir,Thippa Reddy Gadekallu

DOI: https://doi.org/10.1109/access.2024.3401039

IF: 3.9

2024-05-22

IEEE Access

Abstract:Ensuring robustness against adversarial attacks is imperative for Machine Learning (ML) systems within the critical infrastructures of the Industrial Internet of Things (IIoT). This paper addresses vulnerabilities in IIoT systems, particularly in distributed environments like Federated Learning (FL) by presenting a resilient framework - Secure Federated Learning (SFL) specifically designed to mitigate data and model poisoning, as well as Sybil attacks within these networks. Sybil attacks, involving the creation of multiple fake identities, and poisoning attacks significantly compromise the integrity and reliability of ML models in FL environments. Our SFL framework leverages a Digital Twin (DT) as a critical aggregation checkpoint to counteract data and model poisoning attacks in IIoT's distributed settings. The DT serves as a protective mechanism during the model update aggregation phase, substantially enhancing the system's resilience. To further secure IIoT infrastructures, SFL employs blockchain-based Non-Fungible Tokens (NFTs) to authenticate participant identities, effectively preventing Sybil attacks by ensuring traceability and accountability among distributed nodes. Experimental evaluation within IIoT scenarios demonstrates that SFL substantially enhances defensive capabilities, maintaining the integrity and robustness of model learning. Comparative results reveal that the SFL framework, when applied to IIoT federated environments, achieves a commendable 97% accuracy, outperforming conventional FL approaches. SFL also demonstrates a remarkable reduction in loss rate, recording just 0.07 compared to the 0.14 loss rate experienced by standard FL systems. These findings highlight the efficiency and applicability of the SFL framework in enhancing data security and traceability within the IIoT ecosystem.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhao Zhang,Yong Zhang,Hao Li,Shenbo Liu,Wei Chen,Zhigang Zhang,Lijun Tang

DOI: https://doi.org/10.1016/j.engappai.2024.108826

IF: 8

2024-01-01

Engineering Applications of Artificial Intelligence

Abstract:As a promising paradigm, Federated Learning (FL)-based distributed intrusion detection offers potent protection for the network security of Industrial Internet of Things (IIoT) systems. Nonetheless, the practical deployment of IIoT systems occurs in a highly-complex and dynamic distributed environment. The ever-growing and dynamically-evolving cyber attacks will render the FL-based intrusion detection model inefficient, since FL cannot gracefully learn from the dynamic traffic data streams to identify new attacks. To address this issue, we propose the evolutionary distributed intrusion detection system based on federated continual representation learning, designed to continually capture effective feature representations of emerging attacks from dynamic traffic data streams. Specifically, we develop the supervised contrastive loss and the global information-aware regularization loss to alleviate the catastrophic forgetting on the previously observed attacks and mitigate the data heterogeneity across clients. Besides, we propose the prototype variance-based memory update strategy to ensure the effective memory replay data. Extensive experimental results demonstrate our proposed method outperforms the state-of-the-art methods by 13.3%–31.5% in terms of average accuracy on a real energy intrusion detection dataset.

Yao Shan,Yu Yao,Xiaoming Zhou,Tong Zhao,Bo Hu,Lei Wang

DOI: https://doi.org/10.1109/jiot.2023.3324302

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The Industrial Internet of Things (IIoT) offers the manufacturing sector opportunities for transformation and upgrade but also carries significant security risks. Traditional federated learning (FL) as a potential security solution is challenging in complicated application environments with heterogeneous data, imbalanced data, and poisoning attacks. To address these challenges, we construct a clustered FL Framework for IIoT intrusion detection (CFL-IDS) based on local models’ evaluation metrics (EMs). First, we designed an intrusion detection model with a dynamic focal loss (DFL) for all edge nodes (ENs). This model’s performance is enhanced under various imbalanced data partitions by dynamically altering the focus on samples during the loss minimization training process. Second, the time series of EMs of local models to reflect the data distribution of ENs implicitly, and use clustering algorithms to facilitate knowledge sharing among those ENs with similar data distribution to co-optimize a common model for them. Finally, an intelligent cooperative model aggregation mechanism (ICMAM) adaptively adjusts each local model’s weight distribution, which substantially improves the benefits of FL and alleviate subpar models’ alleviates interference from subpar models to FL. Experiments demonstrate that CFL-IDS has stronger robustness and displays superior performance under data imbalance and non-independent and identically distributed (non-IID) situations while being effective against poisoning attacks.

Xiaohuan Bi,Xi Li

2024-10-23

Abstract:Federated learning (FL) enables decentralized model training while preserving privacy. Recently, integrating Foundation Models (FMs) into FL has boosted performance but also introduced a novel backdoor attack mechanism. Attackers can exploit the FM's capabilities to embed backdoors into synthetic data generated by FMs used for model fusion, subsequently infecting all client models through knowledge sharing without involvement in the long-lasting FL process. These novel attacks render existing FL backdoor defenses ineffective, as they primarily detect anomalies among client updates, which may appear uniformly malicious under this attack. Our work proposes a novel data-free defense strategy by constraining abnormal activations in the hidden feature space during model aggregation on the server. The activation constraints, optimized using synthetic data alongside FL training, mitigate the attack while barely affecting model performance, as the parameters remain untouched. Extensive experiments demonstrate its effectiveness against both novel and classic backdoor attacks, outperforming existing defenses while maintaining model performance.

Machine Learning,Cryptography and Security

Shihua Sun,Pragya Sharma,Kenechukwu Nwodo,Angelos Stavrou,Haining Wang

2024-08-14

Abstract:The rapid proliferation of Internet of Things (IoT) devices across multiple sectors has escalated serious network security concerns. This has prompted ongoing research in Machine Learning (ML)-based Intrusion Detection Systems (IDSs) for cyber-attack classification. Traditional ML models require data transmission from IoT devices to a centralized server for traffic analysis, raising severe privacy concerns. To address this issue, researchers have studied Federated Learning (FL)-based IDSs that train models across IoT devices while keeping their data localized. However, the heterogeneity of data, stemming from distinct vulnerabilities of devices and complexity of attack vectors, poses a significant challenge to the effectiveness of FL models. While current research focuses on adapting various ML models within the FL framework, they fail to effectively address the issue of attack class imbalance among devices, which significantly degrades the classification accuracy of minority attacks. To overcome this challenge, we introduce FedMADE, a novel dynamic aggregation method, which clusters devices by their traffic patterns and aggregates local models based on their contributions towards overall performance. We evaluate FedMADE against other FL algorithms designed for non-IID data and observe up to 71.07% improvement in minority attack classification accuracy. We further show that FedMADE is robust to poisoning attacks and incurs only a 4.7% (5.03 seconds) latency overhead in each communication round compared to FedAvg, without increasing the computational load of IoT devices.

Cryptography and Security,Networking and Internet Architecture

Zekai Chen,Fuyi Wang,Zhiwei Zheng,Ximeng Liu,Yujie Lin

2023-07-01

Abstract:Federated learning (FL) enables multiple clients to collaboratively train deep learning models while considering sensitive local datasets' privacy. However, adversaries can manipulate datasets and upload models by injecting triggers for federated backdoor attacks (FBA). Existing defense strategies against FBA consider specific and limited attacker models, and a sufficient amount of noise to be injected only mitigates rather than eliminates FBA. To address these deficiencies, we introduce a Flexible Federated Backdoor Defense Framework (Fedward) to ensure the elimination of adversarial backdoors. We decompose FBA into various attacks, and design amplified magnitude sparsification (AmGrad) and adaptive OPTICS clustering (AutoOPTICS) to address each attack. Meanwhile, Fedward uses the adaptive clipping method by regarding the number of samples in the benign group as constraints on the boundary. This ensures that Fedward can maintain the performance for the Non-IID scenario. We conduct experimental evaluations over three benchmark datasets and thoroughly compare them to state-of-the-art studies. The results demonstrate the promising defense performance from Fedward, moderately improved by 33% $\sim$ 75 in clustering defense methods, and 96.98%, 90.74%, and 89.8% for Non-IID to the utmost extent for the average FBA success rate over MNIST, FMNIST, and CIFAR10, respectively.

Machine Learning,Cryptography and Security

Yongkang Wang,Dihua Zhai,Yufeng Zhan,Yuanqing Xia

DOI: https://doi.org/10.48550/arxiv.2201.03772

2022-01-01

Abstract: Federated learning (FL) is a distributed machine learning paradigm where enormous scattered clients (e.g. mobile devices or IoT devices) collaboratively train a model under the orchestration of a central server (e.g. service provider), while keeping the training data decentralized. Unfortunately, FL is susceptible to a variety of attacks, including backdoor attack, which is made substantially worse in the presence of malicious attackers. Most of algorithms usually assume that the malicious at tackers no more than benign clients or the data distribution is independent identically distribution (IID). However, no one knows the number of malicious attackers and the data distribution is usually non identically distribution (Non-IID). In this paper, we propose RFLBAT which utilizes principal component analysis (PCA) technique and Kmeans clustering algorithm to defend against backdoor attack. Our algorithm RFLBAT does not bound the number of backdoored attackers and the data distribution, and requires no auxiliary information outside of the learning process. We conduct extensive experiments including a variety of backdoor attack types. Experimental results demonstrate that RFLBAT outperforms the existing state-of-the-art algorithms and is able to resist various backdoor attack scenarios including different number of attackers (DNA), different Non-IID scenarios (DNS), different number of clients (DNC) and distributed backdoor attack (DBA).