Federated learning (FL) is a popular distributed learning framework that trains a global model through iterative communications between a central server and edge devices. Recent works have demonstrated that FL is vulnerable to model poisoning attacks. Several server-based defense approaches (e.g., robust aggregation) have been proposed to mitigate such attacks. However, we empirically show that under extremely strong attacks, these defensive methods fail to guarantee the robustness of FL. More importantly, we observe that once the global model is polluted, the impact of the attack on the global model persists in subsequent rounds even if no further attacks occur. In this work, we propose a client-based defense, named White Blood Cell for Federated Learning (FL-WBC), which can mitigate model poisoning attacks that have already polluted the global model. The key idea of FL-WBC is to identify the parameter space where the long-lasting attack effect on parameters resides and to perturb that space during local training. Furthermore, we derive a certified robustness guarantee against model poisoning attacks and a convergence guarantee to FedAvg after applying FL-WBC. We conduct experiments on FashionMNIST and CIFAR10 to evaluate the defense against state-of-the-art model poisoning attacks. The results demonstrate that our method can effectively mitigate the impact of model poisoning attacks on the global model within 5 communication rounds with nearly no accuracy drop under both IID and Non-IID settings. Our defense is also complementary to existing server-based robust aggregation approaches and can further improve the robustness of FL under extremely strong attacks.
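To make the key idea above concrete, here is a minimal, hypothetical sketch of client-side perturbation during local training. It assumes (this is our illustrative reading, not the paper's exact algorithm) that the parameter subspace where attack effects persist is approximated by directions of near-zero local-loss curvature (Hessian diagonal), and that the client injects noise only into that subspace; the function name `wbc_perturb`, the Laplace noise choice, and the threshold are illustrative assumptions.

```python
import numpy as np

def wbc_perturb(params, hess_diag, noise_scale=0.1, threshold=1e-3, seed=0):
    """Hypothetical sketch of a client-side defense in the spirit of FL-WBC:
    perturb only the parameters whose local-loss curvature (approximated by
    the Hessian diagonal) is near zero, i.e. the flat directions where a
    poisoning attack's effect on the model could persist across rounds."""
    rng = np.random.default_rng(seed)
    # Boolean mask selecting the low-curvature (attack-persistent) subspace.
    mask = np.abs(hess_diag) < threshold
    # Draw noise for every parameter, but apply it only inside the subspace.
    noise = rng.laplace(loc=0.0, scale=noise_scale, size=params.shape)
    return params + mask * noise

# Toy usage: parameters 1 and 3 lie in flat directions and get perturbed,
# while parameters 0 and 2 (high curvature) are left untouched.
params = np.zeros(4)
hess_diag = np.array([1.0, 1e-5, 2.0, 0.0])
out = wbc_perturb(params, hess_diag)
```

In this sketch the perturbation leaves well-constrained parameters intact, so benign training is largely unaffected, which is consistent with the abstract's claim of nearly no accuracy drop.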