Federated learning allows clients in a distributed system to jointly train a machine learning model. However, clients' models are vulnerable to attacks during both the training and testing phases. In this paper, we address the issue of adversarial clients performing "internal evasion attacks": crafting evasion attacks at test time to deceive other clients. For example, adversaries may aim to deceive spam filters and recommendation systems trained with federated learning for monetary gain. Adversarial clients have extensive information about the victim model in a federated learning setting, as weight information is shared among clients. We are the first to characterize the transferability of such internal evasion attacks for different learning methods and to analyze the trade-off between model accuracy and robustness depending on the degree of similarity in client data. We show that adversarial training defenses in the federated learning setting display only limited improvements against internal attacks. However, combining adversarial training with personalized federated learning frameworks increases relative internal attack robustness by 60% compared to federated adversarial training and performs well under limited system resources.
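To make the threat model concrete, the following is a minimal sketch of how an adversarial client could craft such an internal evasion attack with projected gradient descent (PGD) against the global weights it receives during federated training; the model, data tensors, and hyperparameter values are illustrative assumptions, not the paper's exact setup.

```python
# Sketch (assumption): an adversarial client crafts evasion examples on the
# shared global model and tests whether they transfer to another client.
import torch
import torch.nn.functional as F

def pgd_attack(model, x, y, eps=8/255, alpha=2/255, steps=10):
    """Craft adversarial examples within an L-infinity ball of radius eps."""
    x_adv = x.clone().detach()
    x_adv = x_adv + torch.empty_like(x_adv).uniform_(-eps, eps)  # random start
    x_adv = torch.clamp(x_adv, 0, 1)

    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        with torch.no_grad():
            x_adv = x_adv + alpha * grad.sign()                     # ascend the loss
            x_adv = torch.min(torch.max(x_adv, x - eps), x + eps)   # project to eps-ball
            x_adv = torch.clamp(x_adv, 0, 1)
        x_adv = x_adv.detach()
    return x_adv

# Hypothetical usage: the adversarial client loads the broadcast global weights,
# then checks whether the crafted inputs also fool a victim client's model.
# global_model.load_state_dict(shared_global_weights)
# x_adv = pgd_attack(global_model, x_clean, y_true)
# victim_preds = victim_model(x_adv).argmax(dim=1)
```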