Xueluan Gong,Yanjiao Chen,Qian Wang,Weihan Kong

DOI: https://doi.org/10.1109/mwc.017.2100714

IF: 12.777

2023-01-01

IEEE Wireless Communications

Abstract:The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.

Dazhong Rong,Qinming He,Jianhai Chen

DOI: https://doi.org/10.24963/ijcai.2022/306

2022-01-01

Abstract:Various attack methods against recommender systems have been proposed in the past years, and the security issues of recommender systems have drawn considerable attention. Traditional attacks attempt to make target items recommended to as many users as possible by poisoning the training data. Benifiting from the feature of protecting users' private data, federated recommendation can effectively defend such attacks. Therefore, quite a few works have devoted themselves to developing federated recommender systems. For proving current federated recommendation is still vulnerable, in this work we probe to design attack approaches targeting deep learning based recommender models in federated learning scenarios. Specifically, our attacks generate poisoned gradients for manipulated malicious users to upload based on two strategies (i.e., random approximation and hard user mining). Extensive experiments show that our well-designed attacks can effectively poison the target models, and the attack effectiveness sets the state-of-the-art.

Chen Zhang,Boyang Zhou,Zhiqiang He,Zeyuan Liu,Yanjiao Chen,Wenyuan Xu,Baochun Li

DOI: https://doi.org/10.1109/infocom53939.2023.10228981

2023-01-01

Abstract:Federated learning is exposed to model poisoning attacks as compromised clients may submit malicious model updates to pollute the global model. To defend against such attacks, robust aggregation rules are designed for the centralized server to winnow out outlier updates, and to significantly reduce the effectiveness of existing poisoning attacks. In this paper, we develop an advanced model poisoning attack against defensive aggregation rules. In particular, we exploit the catastrophic forgetting phenomenon during the process of continual learning to destroy the memory of the global model. Our proposed framework, called Oblivion, features two special components. The first component prioritizes the weights that have the most influence on the model accuracy for poisoning, which induces a more significant degradation on the global model than equally perturbing all weights. The second component smooths malicious model updates based on the number of selected compromised clients in the current round, adjusting the degree of poisoning to suit the dynamics of each training round. We implement a fully-functional prototype of Oblivion in PLATO, a real-world scalable federated learning framework. Our extensive experiments over three datasets demonstrate that Oblivion can boost the attack performance of model poisoning attacks against unknown defensive aggregation rules.

Jiale Zhang,Di Wu,Chengyong Liu,Bing Chen

DOI: https://doi.org/10.1007/978-981-15-9739-8_7

2020-01-01

Abstract:Recently, federated learning has shown its significant advantages in protecting training data privacy by maintaining a joint model across multiple clients. However, its model security issues have not only been recently explored but shown that federated learning exhibits inherent vulnerabilities on the active attacks launched by malicious participants. Poisoning is one of the most powerful active attacks where an inside attacker can upload the crafted local model updates to further impact the global model performance. In this paper, we first illustrate how the poisoning attack works in the context of federated learning. Then, we correspondingly propose a defense method that mainly relies upon a well-researched adversarial training technique: pivotal training, which improves the robustness of the global model with poisoned local updates. The main contribution of this work is that the countermeasure method is simple and scalable since it does not require complex accuracy validations, while only changing the optimization objectives and loss functions. We finally demonstrate the effectiveness of our proposed mitigation mechanisms through extensive experiments.

Feifei Qiao,Yubo Kong,Zhong Li

DOI: https://doi.org/10.1109/TCSS.2023.3263241

2024-04-01

IEEE Transactions on Computational Social Systems

Abstract:Federated learning is usually utilized as a fraud detection framework in the domain of financial risk management, which promotes the model accuracy without training data exchange. One of the challenges in federated learning is the GAN-based poisoning attack. The GAN-based poisoning attack is a type of intractable poisoning attack that causes global model accuracy degradation and privacy leak. Most of the existing defenses for GAN-based poisoning attack have the three problems: 1) dependence on validation datasets; 2) incompetence of dealing with incremental poisoning attack; and 3) privacy leak. To address the above problems, we present a privacy-aware and incremental defense (PID) method to detect malicious participants and protect privacy. In PID, we design a method to accumulate the offset of model parameters from participants in all current epochs to represent the moving tendency for model parameters. Thus, we can distinguish the adversaries from normal participants based on the accumulations in this incremental poisoning attack. We also use multiple trust domains to reduce the rate of misjudging benign participants as adversaries. Moreover, a differentiated differential privacy is utilized before the global model sending to protect the privacy of participants’ training datasets in PID. The experiments conducted on two real-world datasets under financial fraud detection scenario demonstrate that the PID reduces the fallout of adversaries detection (the rate of misjudging benign participants as adversaries) by at least 51.1% and improve the speed of detecting all malicious participants by at least 33.4% compared with two popular defense methods. Besides, the privacy preserving of PID is also effective.

Computer Science

Wei Sun,Bo Gao,Ke Xiong,Yuwei Wang

2024-05-21

Abstract:As a distributed machine learning paradigm, federated learning (FL) is collaboratively carried out on privately owned datasets but without direct data access. Although the original intention is to allay data privacy concerns, "available but not visible" data in FL potentially brings new security threats, particularly poisoning attacks that target such "not visible" local data. Initial attempts have been made to conduct data poisoning attacks against FL systems, but cannot be fully successful due to their high chance of causing statistical anomalies. To unleash the potential for truly "invisible" attacks and build a more deterrent threat model, in this paper, a new data poisoning attack model named VagueGAN is proposed, which can generate seemingly legitimate but noisy poisoned data by untraditionally taking advantage of generative adversarial network (GAN) variants. Capable of manipulating the quality of poisoned data on demand, VagueGAN enables to trade-off attack effectiveness and stealthiness. Furthermore, a cost-effective countermeasure named Model Consistency-Based Defense (MCD) is proposed to identify GAN-poisoned data or models after finding out the consistency of GAN outputs. Extensive experiments on multiple datasets indicate that our attack method is generally much more stealthy as well as more effective in degrading FL performance with low complexity. Our defense method is also shown to be more competent in identifying GAN-poisoned data or models. The source codes are publicly available at \href{

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture

Jingjing Guo,Haiyang Li,Feiran Huang,Zhiquan Liu,Yanguo Peng,Xinghua Li,Jianfeng Ma,Varun G. Menon,Konstantin Kostromitin Igorevich,Varun G Menon,Konstantin Igorevich Kostromitin

DOI: https://doi.org/10.1109/tii.2022.3156645

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Recently, federated learning has received widespread attention, which will promote the implementation of artificial intelligence technology in various fields. Privacy-preserving technologies are applied to users' local models to protect users' privacy. Such operations make the server not see the true model parameters of each user, which opens wider door for a malicious user to upload malicious parameters and make the training result converge to an ineffective model. To solve this problem, in this article, we propose a poisoning attack defense framework for horizontal federated learning systems called ADFL. Specifically, we design a proof generation method for users to generate proofs to verify whether it is malicious or not. An aggregation rule is also proposed to make sure the global model has a high accuracy. Several verification experiments were conducted and the results show that our method can detect malicious user effectively and ensure the global model has a high accuracy.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Liang Yuan,Huajie Hu

DOI: https://doi.org/10.1109/SCSET58950.2023.00021

2023-04-01

Abstract:The emergence of federated learning framework sets protects user privacy and has solved the Isolated Data Island problem. However, existing federation attack methods mostly use label flipping for data poisoning attacks, while federated backdoor attacks require patching the target samples. The attacker can also arrange other generative networks at local nodes but has limited data reconstruction capability. Thus, this paper proposes a new poisoning attack method named adversarial example poisoning attack (AEP A). The attacker uses the distributed global model to create adversarial examples and uses the original clean label for federation training and attacks against the specific target class in the dataset. In the evaluation process, we conducted extensive experiments on the CfF AR-l 0 dataset. We also explored the toxicity of the adversarial examples under different generation methods, compared our method with the label-flipping attack, and finally showed the effectiveness of AEPA.

Computer Science

Geming Xia,Jian Chen,Chaodong Yu,Jun Ma

DOI: https://doi.org/10.1109/access.2023.3238823

IF: 3.9

2023-01-01

IEEE Access

Abstract:Federated learning faces many security and privacy issues. Among them, poisoning attacks can significantly impact global models, and malicious attackers can prevent global models from converging or even manipulating the prediction results of global models. Defending against poisoning attacks is a very urgent and challenging task. However, the systematic reviews of poisoning attacks and their corresponding defense strategies from a privacy-preserving perspective still need more effort. This survey provides an in-depth and up-to-date overview of poisoning attacks and corresponding defense strategies in federated learning. We first classify the poisoning attacks according to their methods and targets. Next, we analyze the differences and connections between the various categories of poisoning attacks. In addition, we classify the defense strategies against poisoning attacks in federated learning into three categories and analyze their advantages and disadvantages. Finally, we discuss the privacy protection problem in poisoning attacks and their countermeasure and propose potential research directions from the perspective of attack and defense, respectively.

Gan Sun,Yang Cong,Jiahua Dong,Qiang Wang,Lingjuan Lyu,Ji Liu

DOI: https://doi.org/10.1109/jiot.2021.3128646

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Federated machine learning which enables resource-constrained node devices (e.g., Internet of Things (IoT) devices and smartphones) to establish a knowledge-shared model while keeping the raw data local, could provide privacy preservation, and economic benefit by designing an effective communication protocol. However, this communication protocol can be adopted by attackers to launch data poisoning attacks for different nodes, which has been shown as a big threat to most machine learning models. Therefore, we in this article intend to study the model vulnerability of federated machine learning, and even on IoT systems. To be specific, we here attempt to attacking a popular federated multitask learning framework, which uses a general multitask learning framework to handle statistical challenges in the federated learning setting. The problem of calculating optimal poisoning attacks on federated multitask learning is formulated as a bilevel program, which is adaptive to the arbitrary selection of target nodes and source attacking nodes. We then propose a novel systems-aware optimization method, called as attack on federated learning (AT2FL), to efficiently derive the implicit gradients for poisoned data, and further attain optimal attack strategies in the federated machine learning. This is an earlier work, to our knowledge, that explores attacking federated machine learning via data poisoning. Finally, experiments on several real-world data sets demonstrate that when the attackers directly poison the target nodes or indirectly poison the related nodes via using the communication protocol, the federated multitask learning model is sensitive to both poisoning attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jianping Wu,Jiahe Jin,Chunming Wu

DOI: https://doi.org/10.3390/math12060901

IF: 2.4

2024-03-20

Mathematics

Abstract:Federated learning is a distributed learning method used to solve data silos and privacy protection in machine learning, aiming to train global models together via multiple clients without sharing data. However, federated learning itself introduces certain security threats, which pose significant challenges in its practical applications. This article focuses on the common security risks of data poisoning during the training phase of federated learning clients. First, the definition of federated learning, attack types, data poisoning methods, privacy protection technology and data security situational awareness are summarized. Secondly, the system architecture fragility, communication efficiency shortcomings, computing resource consumption and situation prediction robustness of federated learning are analyzed, and related issues that affect the detection of data poisoning attacks are pointed out. Thirdly, a review is provided from the aspects of building a trusted federation, optimizing communication efficiency, improving computing power technology and personalized the federation. Finally, the research hotspots of the federated learning data poisoning attack situation prediction are prospected.

mathematics

Geming Xia,Jian Chen,Xinyi Huang,Chaodong Yu,Zhong Zhang

DOI: https://doi.org/10.1109/compsac57700.2023.00101

2023-01-01

Abstract:Federated learning allows participants to share models (gradients) rather than raw data to collaboratively train a global model, enhancing participants' privacy protection but making the global model more vulnerable to poisoning attacks. Poisoning attacks not only lead to the degradation of model performance but also cause a security risk. A mainstream defense strategy against poisoning attacks is that the server identifies malicious models by analyzing the models uploaded by participants. However, the attackers can use the models uploaded by the participants to recover their privacy data, leading to a privacy disclosure. Therefore, participants need to encrypt or perturb the models before uploading them so that all individuals, including the server, cannot access the model, which poses a great challenge for the defense against poisoning attacks. Moreover, many existing defense strategies against poisoning attacks only work well when the data distribution is non-independently and identically distributed. To address these issues, we propose a novel defense strategy for poisoning attacks of federated learning called FL-PTD, which can judge whether the global model is subjected to poisoning attacks without accessing the participant's local model. Besides, Our method incorporates a trust evaluation mechanism, which computes reputation scores based on the historical behavior of participants to identify malicious participants. Finally, we verify our proposed method on several real world datasets. The experimental results show that our method can effectively defend against poisoning attacks and accurately identify attackers without compromising the model's performance.

Jian Chen,Xuxin Zhang,Rui Zhang,Chen Wang,Ling Liu

DOI: https://doi.org/10.1109/tifs.2021.3080522

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning techniques have been widely applied to various applications. However, they are potentially vulnerable to data poisoning attacks, where sophisticated attackers can disrupt the learning procedure by injecting a fraction of malicious samples into the training dataset. Existing defense techniques against poisoning attacks are largely attack-specific: they are designed for one specific type of attacks but do not work for other types, mainly due to the distinct principles they follow. Yet few general defense strategies have been developed. In this paper, we propose De-Pois, an attack-agnostic defense against poisoning attacks. The key idea of De-Pois is to train a mimic model the purpose of which is to imitate the behavior of the target model trained by clean samples. We take advantage of Generative Adversarial Networks (GANs) to facilitate informative training data augmentation as well as the mimic model construction. By comparing the prediction differences between the mimic model and the target model, De-Pois is thus able to distinguish the poisoned samples from clean ones, without explicit knowledge of any ML algorithms or types of poisoning attacks. We implement four types of poisoning attacks and evaluate De-Pois with five typical defense methods on different realistic datasets. The results demonstrate that De-Pois is effective and efficient for detecting poisoned data against all the four types of poisoning attacks, with both the accuracy and F1-score over 0.9 on average.

computer science, theory & methods,engineering, electrical & electronic

Xiaolin Chen,Daoguang Zan,Wei Li,Bei Guan,Yongji Wang

2024-01-17

Abstract:In vertical federated learning (VFL), commercial entities collaboratively train a model while preserving data privacy. However, a malicious participant's poisoning attack may degrade the performance of this collaborative model. The main challenge in achieving the poisoning attack is the absence of access to the server-side top model, leaving the malicious participant without a clear target model. To address this challenge, we introduce an innovative end-to-end poisoning framework P-GAN. Specifically, the malicious participant initially employs semi-supervised learning to train a surrogate target model. Subsequently, this participant employs a GAN-based method to produce adversarial perturbations to degrade the surrogate target model's performance. Finally, the generator is obtained and tailored for VFL poisoning. Besides, we develop an anomaly detection algorithm based on a deep auto-encoder (DAE), offering a robust defense mechanism to VFL scenarios. Through extensive experiments, we evaluate the efficacy of P-GAN and DAE, and further analyze the factors that influence their performance.

Machine Learning,Artificial Intelligence,Cryptography and Security

Jiangang Shu,Xiaohua Jia,Guoxi Zhang

DOI: https://doi.org/10.1109/HPCC-DSS-SmartCity-DependSys57074.2022.00188

2022-12-01

Abstract:Recent studies have shown that federated learning is vulnerable to a new type of poisoning attack, called model poisoning attack. One or more malicious clients send crafted local model updates to the server to poison the global model. The training data between federated learning clients is non-IID, which makes the updates submitted by the clients various. The poisoned update from the malicious client can be hidden between various benign updates. Many anomaly detection mechanisms are limited. Client detection is a flexible detection method suitable for non-IID data distribution in federated learning. The core idea of client-side detection is to evaluate the model using various client-side data, which is used for training and detecting model poisoning attacks. However, the effectiveness of this scheme depends on the authenticity of the report returned by the client. Malicious clients can return false reports to evade detection. In this paper, we adopt the idea of group testing and use the COMP algorithm to improve the detection process. We conduct experiments in settings with different proportions of malicious clients. Experimental results show that our scheme can tolerate a higher proportion of malicious clients. In the CIFAR-10 based semantic backdoor attack, our scheme is effective when the proportion of malicious clients is 20%. In MNIST-based semantic backdoor attacks, our scheme is effective when the proportion of malicious clients is 25%.

Computer Science

Arjun Nitin Bhagoji,Supriyo Chakraborty,Prateek Mittal,Seraphin Calo

DOI: https://doi.org/10.48550/arXiv.1811.12470

IF: 5.414

2018-11-29

Machine Learning

Abstract:Federated learning distributes model training among a multitude of agents, who, guided by privacy concerns, perform training using their local data but share only model parameter updates, for iterative aggregation at the server. In this work, we explore the threat of model poisoning attacks on federated learning initiated by a single, non-colluding malicious agent where the adversarial objective is to cause the model to misclassify a set of chosen inputs with high confidence. We explore a number of strategies to carry out this attack, starting with simple boosting of the malicious agent's update to overcome the effects of other agents' updates. To increase attack stealth, we propose an alternating minimization strategy, which alternately optimizes for the training loss and the adversarial objective. We follow up by using parameter estimation for the benign agents' updates to improve on attack success. Finally, we use a suite of interpretability techniques to generate visual explanations of model decisions for both benign and malicious models and show that the explanations are nearly visually indistinguishable. Our results indicate that even a highly constrained adversary can carry out model poisoning attacks while simultaneously maintaining stealth, thus highlighting the vulnerability of the federated learning setting and the need to develop effective defense strategies.

Chunyong Yin,Qingkui Zeng

DOI: https://doi.org/10.1109/TCSS.2023.3296885

2024-04-01

IEEE Transactions on Computational Social Systems

Abstract:Federated learning (FL) is an emerging paradigm that allows participants to collaboratively train deep learning tasks while protecting the privacy of their local data. However, the absence of central server control in distributed environments exposes a vulnerability to data poisoning attacks, where adversaries manipulate the behavior of compromised clients by poisoning local data. In particular, data poisoning attacks against FL can have a drastic impact when the participant’s local data is non-independent and identically distributed (non-IID). Most existing defense strategies have demonstrated promising results in mitigating FL poisoning attacks, however, fail to maintain their effectiveness with non-IID data. In this work, we propose an effective defense framework, FL data augmentation (FLDA), which defends against data poisoning attacks through local data mixup on the clients. In addition, to mitigate the non-IID effect by exploiting the limited local data, we propose a gradient detection strategy to reduce the proportion of malicious clients and raise benign clients. Experimental results on datasets show that FLDA can effectively reduce the poisoning success rate and improve the global model training accuracy under poisoning attacks for non-IID data. Furthermore, FLDA can increase the FL accuracy by more than 12% after detecting malicious clients.

Computer Science

Junchuan Lianga,Rong Wang,Chaosheng Feng,Chin-Chen Chang

2023-06-06

Abstract:As one kind of distributed machine learning technique, federated learning enables multiple clients to build a model across decentralized data collaboratively without explicitly aggregating the data. Due to its ability to break data silos, federated learning has received increasing attention in many fields, including finance, healthcare, and education. However, the invisibility of clients' training data and the local training process result in some security issues. Recently, many works have been proposed to research the security attacks and defenses in federated learning, but there has been no special survey on poisoning attacks on federated learning and the corresponding defenses. In this paper, we investigate the most advanced schemes of federated learning poisoning attacks and defenses and point out the future directions in these areas.

Cryptography and Security

Ali Raza,Shujun Li,Kim-Phuc Tran,Ludovic Koehl

DOI: https://doi.org/10.48550/arXiv.2207.08486

2023-05-09

Abstract:Adversarial attacks such as poisoning attacks have attracted the attention of many machine learning researchers. Traditionally, poisoning attacks attempt to inject adversarial training data in order to manipulate the trained model. In federated learning (FL), data poisoning attacks can be generalized to model poisoning attacks, which cannot be detected by simpler methods due to the lack of access to local training data by the detector. State-of-the-art poisoning attack detection methods for FL have various weaknesses, e.g., the number of attackers has to be known or not high enough, working with i.i.d. data only, and high computational complexity. To overcome above weaknesses, we propose a novel framework for detecting poisoning attacks in FL, which employs a reference model based on a public dataset and an auditor model to detect malicious updates. We implemented a detector based on the proposed framework and using a one-class support vector machine (OC-SVM), which reaches the lowest possible computational complexity O(K) where K is the number of clients. We evaluated our detector's performance against state-of-the-art (SOTA) poisoning attacks for two typical applications of FL: electrocardiograph (ECG) classification and human activity recognition (HAR). Our experimental results validated the performance of our detector over other SOTA detection methods.

Machine Learning,Cryptography and Security

Kiran Purohit,Soumi Das,Sourangshu Bhattacharya,Santu Rana

2024-08-14

Abstract:Federated Learning systems are increasingly subjected to a multitude of model poisoning attacks from clients. Among these, edge-case attacks that target a small fraction of the input space are nearly impossible to detect using existing defenses, leading to a high attack success rate. We propose an effective defense using an external defense dataset, which provides information about the attack target. The defense dataset contains a mix of poisoned and clean examples, with only a few known to be clean. The proposed method, DataDefense, uses this dataset to learn a poisoned data detector model which marks each example in the defense dataset as poisoned or clean. It also learns a client importance model that estimates the probability of a client update being malicious. The global model is then updated as a weighted average of the client models' updates. The poisoned data detector and the client importance model parameters are updated using an alternating minimization strategy over the Federated Learning rounds. Extensive experiments on standard attack scenarios demonstrate that DataDefense can defend against model poisoning attacks where other state-of-the-art defenses fail. In particular, DataDefense is able to reduce the attack success rate by at least ~ 40% on standard attack setups and by more than 80% on some setups. Furthermore, DataDefense requires very few defense examples (as few as five) to achieve a near-optimal reduction in attack success rate.

Machine Learning,Cryptography and Security