Federated embodied agent learning protects the data privacy of individual visual environments by keeping data local to each client (the individual environment) during training. However, because the server cannot inspect the local data under federated learning, an attacker can poison the training data of a local client to implant a backdoor in the agent without notice. Deploying such an agent raises the risk of harm to humans, since the attacker can navigate and control the agent at will through the backdoor. Towards Byzantine-robust federated embodied agent learning, in this paper we study attack and defense for the task of vision-and-language navigation (VLN), where the agent must follow natural language instructions to navigate indoor environments. First, we introduce a simple but effective attack strategy, Navigation as Wish (NAW), in which the malicious client manipulates its local trajectory data to implant a backdoor into the global model. Results on two VLN datasets (R2R and RxR) show that NAW can steer the deployed VLN agent regardless of the language instruction, without affecting its performance on normal test sets. Then, we propose a new Prompt-Based Aggregation (PBA) to defend against the NAW attack in federated VLN. PBA provides the server with a "prompt" of the vision-and-language alignment variance between benign and malicious clients so that the two can be distinguished during training. We validate the effectiveness of PBA in protecting the global model from the NAW attack; it outperforms other state-of-the-art defense methods by a large margin on the defense metrics for R2R and RxR.