Mechanism to Mitigate Model Poisoning Attacks in Federated Learning
Abstract
Federated Learning (FL) is a distributed technique for training machine learning models, where data is processed locally and only local parameters are shared with an aggregation server. The fact that client data is kept locally makes validating their parameters an extremely difficult task, opening doors to potential attacks from malicious clients. These attackers deliberately influence training, invalidating the resulting model, injecting data, and even manipulating model parameters. Therefore, this work presents the RAGNAR, which utilizes metrics calculated during training to mitigate real-time attacks in the FL environment. Additionally, RAGNAR employs a parameter aggregation strategy from clients that dynamically adapts to handle the current situation. Experimental evaluations demonstrate that RAGNAR significantly reduces client training accuracy loss (31%) while maintaining high levels of accuracy (98%).References
Abdulrahman, S., Tout, H., Ould-Slimane, H., Mourad, A., Talhi, C., and Guizani, M. (2021). A survey on federated learning: The journey from centralized to distributed on-site learning and beyond. IEEE Internet of Things Journal, 8(7):5476–5497.
Beutel, D. J., Topal, T., Mathur, A., Qiu, X., Fernandez-Marques, J., Gao, Y., Sani, L., Kwing, H. L., Parcollet, T., Gusmão, P. P. d., and Lane, N. D. (2020). Flower: A friendly federated learning research framework. arXiv preprint arXiv:2007.14390.
Blanchard, P., El Mhamdi, E. M., Guerraoui, R., and Stainer, J. (2017a). Machine learning with adversaries: Byzantine tolerant gradient descent. In Guyon, I., Luxburg, U. V., Bengio, S., Wallach, H., Fergus, R., Vishwanathan, S., and Garnett, R., editors, Advances in Neural Information Processing Systems, volume 30. Curran Associates, Inc.
Blanchard, P., Mhamdi, E. M. E., Guerraoui, R., and Stainer, J. (2017b). Byzantine-tolerant machine learning. CoRR, abs/1703.02757.
Briggs, C., Fan, Z., and Andras, P. (2020). Federated learning with hierarchical clustering of local updates to improve training on non-iid data. In 2020 International Joint Conference on Neural Networks (IJCNN), pages 1–9.
Cho, Y. J., Wang, J., and Joshi, G. (2020). Client selection in federated learning: Convergence analysis and power-of-choice selection strategies. CoRR, abs/2010.01243.
de Souza, A. M., Bittencourt, L. F., Cerqueira, E., Loureiro, A. A., and Villas, L. A. (2023). Dispositivos, eu escolho vocês: Seleção de clientes adaptativa para comunicação eficiente em aprendizado federado. In Anais do XLI Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos, pages 1–14. SBC.
de Souza, A. M., Maciel, F., da Costa, J. B. D., Bittencourt, L. F., Cerqueira, E., Loureiro, A. A., and Villas, L. A. (2024). Adaptive client selection with personalization for communication efficient federated learning. Ad Hoc Networks, page 103462.
Deng, L. (2012). The mnist database of handwritten digit images for machine learning research [best of the web]. IEEE Signal Processing Magazine, 29(6):141–142.
Fang, M., Cao, X., Jia, J., and Gong, N. (2020). Local model poisoning attacks to Byzantine-Robust federated learning. In 29th USENIX Security Symposium (USENIX Security 20), pages 1605–1622. USENIX Association.
Han, S., Buyukates, B., Hu, Z., Jin, H., Jin, W., Sun, L., Wang, X., Wu, W., Xie, C., Yao, Y., Zhang, K., Zhang, Q., Zhang, Y., Avestimehr, S., and He, C. (2023). Fedmlsecurity: A benchmark for attacks and defenses in federated learning and federated llms.
Jagielski, M., Oprea, A., Biggio, B., Liu, C., Nita-Rotaru, C., and Li, B. (2018). Manipulating machine learning: Poisoning attacks and countermeasures for regression learning. In 2018 IEEE Symposium on Security and Privacy (SP), pages 19–35.
Jian, X., Parthasarathy, R., and Huang, B. W. (2023). An exploratory study on the design of emergency first aid privacy protection computing system based on blockchain. In 2023 8th International Conference on Business and Industrial Research (ICBIR), pages 447–451.
Korkmaz, A., Alhonainy, A., and Rao, P. (2022). An evaluation of federated learning techniques for secure and privacy-preserving machine learning on medical datasets. In 2022 IEEE Applied Imagery Pattern Recognition Workshop (AIPR), pages 1–7.
Krizhevsky, A., Hinton, G., et al. (2009). Learning multiple layers of features from tiny images. Toronto, ON, Canada.
Liu, Z., Liu, Z., and Yang, X. (2023). Poisoning attack based on data feature selection in federated learning. In 2023 13th International Conference on Cloud Computing, Data Science and Engineering (Confluence), pages 106–110.
Martin, D. and Chai, S. S. (2022). A study on performance comparisons between knn, random forest and xgboost in prediction of landslide susceptibility in kota kinabalu, malaysia. In 2022 IEEE 13th Control and System Graduate Research Colloquium (ICSGRC), pages 159–164.
McMahan, B., Moore, E., Ramage, D., Hampson, S., and y Arcas, B. A. (2017). Communication-efficient learning of deep networks from decentralized data. In Artificial intelligence and statistics, pages 1273–1282. PMLR.
Mehmuda, D., Bhagat, C., Patel, D., Captain, K., and Parmar, A. (2023). Defense against byzantine attack in cognitive radio using isolation forest. In 2023 15th International Conference on COMmunication Systems & NETworkS (COMSNETS), pages 314–318. IEEE.
Mhamdi, E. M. E., Guerraoui, R., and Rouault, S. (2018). The hidden vulnerability of distributed learning in byzantium.
Parmar, A., Shah, K., Captain, K. M., López-Benítez, M., and Patel, J. R. (2024). Gaussian mixture model-based anomaly detection for defense against byzantine attack in cooperative spectrum sensing. IEEE Transactions on Cognitive Communications and Networking, 10(2):499–509.
Sattler, F., Müller, K.-R., Wiegand, T., and Samek, W. (2020). On the byzantine robustness of clustered federated learning. In ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pages 8861–8865.
Varma, K., Zhou, Y., Baracaldo, N., and Anwar, A. (2021). Legato: A layerwise gradient aggregation algorithm for mitigating byzantine attacks in federated learning. In 2021 IEEE 14th International Conference on Cloud Computing (CLOUD), pages 272–277.
Yin, D., Chen, Y., Ramchandran, K., and Bartlett, P. (2021). Byzantine-robust distributed learning: Towards optimal statistical rates.
Beutel, D. J., Topal, T., Mathur, A., Qiu, X., Fernandez-Marques, J., Gao, Y., Sani, L., Kwing, H. L., Parcollet, T., Gusmão, P. P. d., and Lane, N. D. (2020). Flower: A friendly federated learning research framework. arXiv preprint arXiv:2007.14390.
Blanchard, P., El Mhamdi, E. M., Guerraoui, R., and Stainer, J. (2017a). Machine learning with adversaries: Byzantine tolerant gradient descent. In Guyon, I., Luxburg, U. V., Bengio, S., Wallach, H., Fergus, R., Vishwanathan, S., and Garnett, R., editors, Advances in Neural Information Processing Systems, volume 30. Curran Associates, Inc.
Blanchard, P., Mhamdi, E. M. E., Guerraoui, R., and Stainer, J. (2017b). Byzantine-tolerant machine learning. CoRR, abs/1703.02757.
Briggs, C., Fan, Z., and Andras, P. (2020). Federated learning with hierarchical clustering of local updates to improve training on non-iid data. In 2020 International Joint Conference on Neural Networks (IJCNN), pages 1–9.
Cho, Y. J., Wang, J., and Joshi, G. (2020). Client selection in federated learning: Convergence analysis and power-of-choice selection strategies. CoRR, abs/2010.01243.
de Souza, A. M., Bittencourt, L. F., Cerqueira, E., Loureiro, A. A., and Villas, L. A. (2023). Dispositivos, eu escolho vocês: Seleção de clientes adaptativa para comunicação eficiente em aprendizado federado. In Anais do XLI Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos, pages 1–14. SBC.
de Souza, A. M., Maciel, F., da Costa, J. B. D., Bittencourt, L. F., Cerqueira, E., Loureiro, A. A., and Villas, L. A. (2024). Adaptive client selection with personalization for communication efficient federated learning. Ad Hoc Networks, page 103462.
Deng, L. (2012). The mnist database of handwritten digit images for machine learning research [best of the web]. IEEE Signal Processing Magazine, 29(6):141–142.
Fang, M., Cao, X., Jia, J., and Gong, N. (2020). Local model poisoning attacks to Byzantine-Robust federated learning. In 29th USENIX Security Symposium (USENIX Security 20), pages 1605–1622. USENIX Association.
Han, S., Buyukates, B., Hu, Z., Jin, H., Jin, W., Sun, L., Wang, X., Wu, W., Xie, C., Yao, Y., Zhang, K., Zhang, Q., Zhang, Y., Avestimehr, S., and He, C. (2023). Fedmlsecurity: A benchmark for attacks and defenses in federated learning and federated llms.
Jagielski, M., Oprea, A., Biggio, B., Liu, C., Nita-Rotaru, C., and Li, B. (2018). Manipulating machine learning: Poisoning attacks and countermeasures for regression learning. In 2018 IEEE Symposium on Security and Privacy (SP), pages 19–35.
Jian, X., Parthasarathy, R., and Huang, B. W. (2023). An exploratory study on the design of emergency first aid privacy protection computing system based on blockchain. In 2023 8th International Conference on Business and Industrial Research (ICBIR), pages 447–451.
Korkmaz, A., Alhonainy, A., and Rao, P. (2022). An evaluation of federated learning techniques for secure and privacy-preserving machine learning on medical datasets. In 2022 IEEE Applied Imagery Pattern Recognition Workshop (AIPR), pages 1–7.
Krizhevsky, A., Hinton, G., et al. (2009). Learning multiple layers of features from tiny images. Toronto, ON, Canada.
Liu, Z., Liu, Z., and Yang, X. (2023). Poisoning attack based on data feature selection in federated learning. In 2023 13th International Conference on Cloud Computing, Data Science and Engineering (Confluence), pages 106–110.
Martin, D. and Chai, S. S. (2022). A study on performance comparisons between knn, random forest and xgboost in prediction of landslide susceptibility in kota kinabalu, malaysia. In 2022 IEEE 13th Control and System Graduate Research Colloquium (ICSGRC), pages 159–164.
McMahan, B., Moore, E., Ramage, D., Hampson, S., and y Arcas, B. A. (2017). Communication-efficient learning of deep networks from decentralized data. In Artificial intelligence and statistics, pages 1273–1282. PMLR.
Mehmuda, D., Bhagat, C., Patel, D., Captain, K., and Parmar, A. (2023). Defense against byzantine attack in cognitive radio using isolation forest. In 2023 15th International Conference on COMmunication Systems & NETworkS (COMSNETS), pages 314–318. IEEE.
Mhamdi, E. M. E., Guerraoui, R., and Rouault, S. (2018). The hidden vulnerability of distributed learning in byzantium.
Parmar, A., Shah, K., Captain, K. M., López-Benítez, M., and Patel, J. R. (2024). Gaussian mixture model-based anomaly detection for defense against byzantine attack in cooperative spectrum sensing. IEEE Transactions on Cognitive Communications and Networking, 10(2):499–509.
Sattler, F., Müller, K.-R., Wiegand, T., and Samek, W. (2020). On the byzantine robustness of clustered federated learning. In ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pages 8861–8865.
Varma, K., Zhou, Y., Baracaldo, N., and Anwar, A. (2021). Legato: A layerwise gradient aggregation algorithm for mitigating byzantine attacks in federated learning. In 2021 IEEE 14th International Conference on Cloud Computing (CLOUD), pages 272–277.
Yin, D., Chen, Y., Ramchandran, K., and Bartlett, P. (2021). Byzantine-robust distributed learning: Towards optimal statistical rates.
Published
2024-05-20
How to Cite
MORAIS, Marcos G. O.; COSTA, Joahannes B. D. da; GONZALEZ, Luis F. G.; SOUZA, Allan M. de; VILLAS, Leandro A..
Mechanism to Mitigate Model Poisoning Attacks in Federated Learning. In: URBAN COMPUTING WORKSHOP (COURB), 8. , 2024, Niterói/RJ.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2024
.
p. 224-237.
ISSN 2595-2706.
DOI: https://doi.org/10.5753/courb.2024.3398.
