Federated learning (FL) enables multiple clients to collaboratively train a global model without sharing their local data. Recent studies have highlighted the vulnerability of FL to Byzantine attacks, where malicious clients send poisoned updates to degrade model performance. Notably, many attacks have been developed targeting specific aggregation rules, whereas various defense mechanisms have been designed for dedicated threat models. This paper studies the resilience of an attack-agnostic FL scenario, where the server lacks prior knowledge of both the attackers' strategies and the number of malicious clients involved. We first introduce a hybrid defense against state-of-the-art attacks. Our goal is to identify a general-purpose aggregation rule that performs well on average while also avoiding worst-case vulnerabilities. By adaptively selecting from available defenses, we demonstrate that the server remains robust even when confronted with a substantial proportion of poisoned updates. To better understand this resilience, we then assess the attackers' capability using a proxy called client heterogeneity. We also emphasize that the existing FL defenses should not be regarded as secure, as demonstrated through the newly proposed Trapsetter attack. The proposed attack outperforms other state-of-the-art attacks by further reducing the model test accuracy by 8-10%. Our findings highlight the ongoing need for the development of Byzantine-resilient aggregation algorithms in FL.
翻译:暂无翻译