Federated learning is vulnerable to poisoning attacks in which malicious clients poison the global model via sending malicious model updates to the server. Existing defenses focus on preventing a small number of malicious clients from poisoning the global model via robust federated learning methods and detecting malicious clients when there are a large number of them. However, it is still an open challenge how to recover the global model from poisoning attacks after the malicious clients are detected. A naive solution is to remove the detected malicious clients and train a new global model from scratch, which incurs large cost that may be intolerable for resource-constrained clients such as smartphones and IoT devices. In this work, we propose FedRecover, which can recover an accurate global model from poisoning attacks with small cost for the clients. Our key idea is that the server estimates the clients' model updates instead of asking the clients to compute and communicate them during the recovery process. In particular, the server stores the global models and clients' model updates in each round, when training the poisoned global model. During the recovery process, the server estimates a client's model update in each round using its stored historical information. Moreover, we further optimize FedRecover to recover a more accurate global model using warm-up, periodic correction, abnormality fixing, and final tuning strategies, in which the server asks the clients to compute and communicate their exact model updates. Theoretically, we show that the global model recovered by FedRecover is close to or the same as that recovered by train-from-scratch under some assumptions. Empirically, our evaluation on four datasets, three federated learning methods, as well as untargeted and targeted poisoning attacks (e.g., backdoor attacks) shows that FedRecover is both accurate and efficient.
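The recovery idea in the abstract (stored history, server-side estimates, warm-up and periodic correction) can be sketched on a toy problem; this is an added example, not code from the paper, and it leaves out abnormality fixing and final tuning. Assumptions: scalar quadratic client losses, the poisoned update, the secant curvature estimator, and all names and parameter values are constructed for illustration, since the abstract does not specify the estimator.

```python
# Constructed toy setup: client i holds the scalar loss 0.5*a*(w-b)^2,
# so its exact model update (gradient) at model w is a*(w-b).
CLIENTS = {0: (1.0, 2.0), 1: (2.0, 1.0), 2: (0.5, 4.0), 3: (1.5, 3.0)}
MALICIOUS = {3}  # assumed to have been flagged by a detector already
BENIGN = [c for c in CLIENTS if c not in MALICIOUS]
LR, ROUNDS = 0.2, 30

def exact_update(cid, w):
    a, b = CLIENTS[cid]
    return a * (w - b)

def train(clients, poison=False, log=None):
    """Average-and-step training; optionally stores (model, updates) per round."""
    w = 0.0
    for _ in range(ROUNDS):
        ups = {c: exact_update(c, w) for c in clients}
        if poison:
            for c in MALICIOUS & set(clients):
                ups[c] *= -5.0  # constructed poisoned update
        if log is not None:
            log.append((w, dict(ups)))  # server-side history
        w -= LR * sum(ups.values()) / len(ups)
    return w

def recover(log, benign, warmup=2, correct_every=10):
    """Replay the rounds without the malicious clients; returns (model, client calls)."""
    w, calls, curv = 0.0, 0, {}
    for t, (w_old, stored) in enumerate(log):
        ups = {}
        for c in benign:
            if t < warmup or t % correct_every == 0:
                ups[c] = exact_update(c, w)  # client computes and communicates
                calls += 1
                if abs(w - w_old) > 1e-12:   # secant curvature (assumed estimator)
                    curv[c] = (ups[c] - stored[c]) / (w - w_old)
            else:                            # server estimates from stored history
                ups[c] = stored[c] + curv.get(c, 0.0) * (w - w_old)
        w -= LR * sum(ups.values()) / len(ups)
    return w, calls

def demo():
    log = []
    poisoned = train(list(CLIENTS), poison=True, log=log)
    scratch = train(BENIGN)  # the costly baseline: every client, every round
    recovered, calls = recover(log, BENIGN)
    return poisoned, scratch, recovered, calls
```

On quadratic losses the secant estimate is exact, so the recovered model coincides with train-from-scratch while the clients are contacted in only a few rounds.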