Federated learning (FL) offers a decentralized learning environment so that a group of clients can collaborate to train a global model at the server, while keeping their training data confidential. This paper studies how to launch over-the-air jamming attacks to disrupt the FL process when it is executed over a wireless network. As a wireless example, FL is applied to learn how to classify wireless signals collected by clients (spectrum sensors) at different locations (such as in cooperative sensing). An adversary can jam the transmissions for the local model updates from clients to the server (uplink attack), or the transmissions for the global model updates from the server to clients (downlink attack), or both. Given a budget imposed on the number of clients that can be attacked per FL round, clients for the (uplink/downlink) attack are selected according to their local model accuracies that would be expected without an attack or ranked via spectrum observations. This novel attack is extended to general settings by accounting for different processing speeds and attack success probabilities for clients. Compared to benchmark attack schemes, this attack approach degrades the FL performance significantly, thereby revealing new vulnerabilities of FL to jamming attacks in wireless networks.