Federated learning (FL) enables multiple clients to collaboratively train models without sharing their local data, and has become an important privacy-preserving machine learning framework. However, classical FL faces serious security and robustness problems; for example, malicious clients can poison their model updates and at the same time claim large data quantities to amplify the impact of those updates in the model aggregation. Existing defense methods for FL, while all designed to handle malicious model updates, either treat all quantities as benign or simply ignore/truncate the quantities of all clients. The former is vulnerable to quantity-enhanced attacks, while the latter leads to sub-optimal performance, since the local data on different clients usually differs significantly in size. In this paper, we propose a robust quantity-aware aggregation algorithm for federated learning, called FedRA, which performs aggregation with awareness of local data quantities while defending against quantity-enhanced attacks. More specifically, we propose a method that filters malicious clients by jointly considering the uploaded model updates and data quantities from different clients, and then performs quantity-aware weighted averaging on the model updates from the remaining clients. Moreover, since the number of malicious clients participating in federated learning may change dynamically across rounds, we also propose a malicious client number estimator to predict how many suspicious clients should be filtered in each round. Experiments on four public datasets demonstrate the effectiveness of FedRA in defending FL against quantity-enhanced attacks.
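To make the idea of quantity-aware robust aggregation concrete, the following is a minimal sketch in Python/NumPy, not the exact FedRA algorithm. It assumes each client uploads a flat update vector together with a claimed data quantity, scores suspicion with a simple hypothetical heuristic (deviation from the coordinate-wise median, amplified by the claimed quantity), filters a given number of suspicious clients, and then averages the remaining updates weighted by quantity. The function name, the suspicion heuristic, and the example values are illustrative assumptions, not the paper's method.

```python
# Illustrative sketch of quantity-aware robust aggregation (NOT the exact FedRA
# algorithm). Assumptions: `updates[i]` is client i's flattened model update,
# `quantities[i]` is its claimed data quantity, and `num_malicious` suspicious
# clients are filtered in this round.
import numpy as np

def robust_quantity_aware_aggregate(updates, quantities, num_malicious):
    """Filter suspicious clients, then quantity-weighted average of the rest."""
    updates = np.asarray(updates, dtype=float)        # shape: (n_clients, dim)
    quantities = np.asarray(quantities, dtype=float)  # shape: (n_clients,)

    # Hypothetical suspicion score: deviation from the coordinate-wise median
    # update, amplified by the claimed quantity, so clients that both poison
    # their update and inflate their quantity score highest.
    median_update = np.median(updates, axis=0)
    deviation = np.linalg.norm(updates - median_update, axis=1)
    suspicion = deviation * quantities

    # Keep the clients with the lowest suspicion scores.
    keep = np.argsort(suspicion)[: len(updates) - num_malicious]

    # Quantity-aware weighted averaging over the remaining clients.
    weights = quantities[keep] / quantities[keep].sum()
    return weights @ updates[keep]

# Toy example: 5 clients with 4-dimensional updates; client 0 poisons its
# update and claims an inflated quantity; assume 1 malicious client this round.
rng = np.random.default_rng(0)
updates = rng.normal(size=(5, 4))
updates[0] += 10.0
quantities = np.array([500.0, 20.0, 30.0, 25.0, 40.0])
print(robust_quantity_aware_aggregate(updates, quantities, num_malicious=1))
```

In FedRA, the number of clients to filter is not fixed in advance but predicted per round by the malicious client number estimator; the fixed `num_malicious` argument above is only a placeholder for that component.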