Federated Learning (FL) has been gaining popularity as a collaborative learning framework to train deep learning-based object detection models over a distributed population of clients. Despite its advantages, FL is vulnerable to model hijacking. The attacker can control how the object detection system should misbehave by implanting Trojaned gradients using only a small number of compromised clients in the collaborative learning process. This paper introduces STDLens, a principled approach to safeguarding FL against such attacks. We first investigate existing mitigation mechanisms and analyze their failures caused by the inherent errors in spatial clustering analysis on gradients. Based on the insights, we introduce a three-tier forensic framework to identify and expel Trojaned gradients and reclaim the performance over the course of FL. We consider three types of adaptive attacks and demonstrate the robustness of STDLens against advanced adversaries. Extensive experiments show that STDLens can protect FL against different model hijacking attacks and outperform existing methods in identifying and removing Trojaned gradients with significantly higher precision and much lower false-positive rates.