Federated learning (FL) allows a set of agents to collaboratively train a model without sharing their potentially sensitive data. This makes FL suitable for privacy-preserving applications. At the same time, FL is susceptible to adversarial attacks because the training data is decentralized and unvetted. One important line of attacks against FL is backdoor attacks. In a backdoor attack, an adversary tries to embed a backdoor functionality into the model during training that can later be activated to cause a desired misclassification. To prevent backdoor attacks, we propose a lightweight defense that requires minimal change to the FL protocol. At a high level, our defense is based on carefully adjusting the aggregation server's learning rate, per dimension and per round, based on the sign information of the agents' updates. We first conjecture the steps necessary to carry out a successful backdoor attack in the FL setting, and then explicitly formulate the defense based on our conjecture. Through experiments, we provide empirical evidence that supports our conjecture, and we test our defense against backdoor attacks under different settings. We observe that either the backdoor is completely eliminated or its accuracy is significantly reduced. Overall, our experiments suggest that our defense significantly outperforms some of the recently proposed defenses in the literature, while having minimal effect on the accuracy of the trained models. In addition, we also provide a convergence rate analysis for our proposed scheme.
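The following is an added toy example of a sign-based, per-dimension server learning rate; it is not code from the paper, and the concrete rule it uses (a +eta step where at least theta of the n agents agree on the sign of a coordinate, a -eta step otherwise, with eta, theta and the constructed agent updates all chosen here for illustration) is an assumption, not necessarily the authors' exact formulation. It contrasts plain averaging with the sign-adjusted aggregation on one round in which two of ten agents push a large update on a "backdoor" coordinate that the benign agents disagree about.

```python
"""Toy federated round: per-dimension learning rate from sign votes.

Added illustration, not the paper's code. The vote threshold rule is an
assumption made here for demonstration purposes.
"""
from typing import List, Sequence, Tuple

Update = Sequence[float]


def sign(x: float) -> int:
    """Sign of x as -1, 0 or +1."""
    return (x > 0) - (x < 0)


def sign_votes(updates: Sequence[Update]) -> List[int]:
    """Per dimension, the sum of the signs of all agents' updates."""
    dims = len(updates[0])
    return [sum(sign(u[j]) for u in updates) for j in range(dims)]


def robust_learning_rates(updates: Sequence[Update], eta: float, theta: int) -> List[float]:
    """Per-dimension learning rate (assumed rule): +eta where the sign vote
    reaches theta agents in absolute value, -eta where it does not, i.e. the
    server steps away from a direction the agents do not agree on."""
    return [eta if abs(v) >= theta else -eta for v in sign_votes(updates)]


def aggregate(model: Sequence[float], updates: Sequence[Update], lrs: Sequence[float]) -> List[float]:
    """Apply the mean update with a separate learning rate per dimension."""
    n = len(updates)
    return [w + lr * sum(u[j] for u in updates) / n
            for j, (w, lr) in enumerate(zip(model, lrs))]


# Constructed round: 8 benign agents agree on dimensions 0-4 and have no
# consistent opinion on dimension 5 (tiny, alternating sign); 2 malicious
# agents mimic the benign updates but push a large value on dimension 5.
BENIGN = [[0.10, -0.05, 0.20, 0.08, -0.12, 0.01 if i % 2 == 0 else -0.01]
          for i in range(8)]
MALICIOUS = [[0.10, -0.05, 0.20, 0.08, -0.12, 2.0] for _ in range(2)]
UPDATES = BENIGN + MALICIOUS
BACKDOOR_DIM = 5


def run_round(eta: float, theta: int) -> Tuple[List[float], List[float]]:
    """Return (plain-average model, sign-adjusted model) after one round
    starting from an all-zero global model."""
    model = [0.0] * len(UPDATES[0])
    plain = aggregate(model, UPDATES, [eta] * len(model))
    robust = aggregate(model, UPDATES, robust_learning_rates(UPDATES, eta, theta))
    return plain, robust


if __name__ == "__main__":
    plain, robust = run_round(eta=1.0, theta=6)
    print("sign votes     :", sign_votes(UPDATES))
    print("learning rates :", robust_learning_rates(UPDATES, 1.0, 6))
    print("plain average  :", [round(x, 3) for x in plain])
    print("sign-adjusted  :", [round(x, 3) for x in robust])
```

With plain averaging the two malicious agents move the backdoor coordinate by 0.4 in their chosen direction, while the agreed-upon coordinates move by the benign mean. With the sign-adjusted learning rate, the agreed coordinates are unchanged but the backdoor coordinate, where only 2 of 10 agents agree in sign, is pushed the opposite way. The obvious caveat is that theta must exceed the number of colluding agents: an adversary who controls at least theta agents (or who can make the benign agents agree with it) wins the vote, so the threshold has to be set from an estimate of the adversary's share of participants.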