A Survey on Federated Learning Poisoning Attacks and Defenses
As a distributed machine learning technique, federated learning enables multiple clients to collaboratively build a model across decentralized data without explicitly aggregating the data. Owing to its ability to break data silos, federated learning has received increasing attention in many fields, including finance, healthcare, and education. However, the invisibility of clients' training data and of the local training process gives rise to security issues. Many recent works have studied security attacks and defenses in federated learning, but there has been no dedicated survey of poisoning attacks on federated learning and the corresponding defenses. In this paper, we investigate the most advanced schemes of federated learning poisoning attacks and defenses and point out future directions in these areas.
Revisiting Personalized Federated Learning: Robustness Against Backdoor Attacks
In this work, besides improving prediction accuracy, we study whether personalization can bring robustness benefits against backdoor attacks. We conduct the first study of backdoor attacks in the pFL framework, testing 4 widely used backdoor attacks against 6 pFL methods on the benchmark datasets FEMNIST and CIFAR-10, for a total of 600 experiments. The study shows that pFL methods with partial model-sharing can significantly boost robustness against backdoor attacks, whereas pFL methods with full model-sharing do not show such robustness. To analyze the reasons for the varying robustness, we provide comprehensive ablation studies on the different pFL methods. Based on our findings, we further propose a lightweight defense method, Simple-Tuning, which empirically improves defense performance against backdoor attacks. We believe that our work provides guidance for applying pFL with robustness in mind and offers valuable insights for designing more robust FL methods in the future. We open-source our code to establish the first benchmark for black-box backdoor attacks in pFL: https://github.com/alibaba/FederatedScope/tree/backdoor-bench
Comment: KDD 202
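
The distinction between partial and full model-sharing can be made concrete with a minimal sketch (PyTorch-style; the module names, shapes, and helper functions below are illustrative assumptions, not the benchmark's implementation). Under partial model-sharing, a client exchanges only its feature encoder with the server, so its personalized classifier is never overwritten by a potentially backdoored global model:

import copy
import torch.nn as nn

# Hypothetical pFL model split into a shared encoder and a private classifier.
class PFLModel(nn.Module):
    def __init__(self, feat_dim=128, num_classes=10):
        super().__init__()
        self.encoder = nn.Sequential(nn.Flatten(), nn.Linear(784, feat_dim), nn.ReLU())
        self.classifier = nn.Linear(feat_dim, num_classes)

    def forward(self, x):
        return self.classifier(self.encoder(x))

def upload(model):
    # Partial model-sharing: only the encoder weights are sent to the server.
    return copy.deepcopy(model.encoder.state_dict())

def download(model, global_encoder_state):
    # Overwrite the encoder with the aggregated global encoder,
    # but keep the locally trained classifier untouched.
    model.encoder.load_state_dict(global_encoder_state)

Under full model-sharing, download() would instead load the entire global state dict, which is one way to read the robustness gap reported in the study.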
You Can Backdoor Personalized Federated Learning
Existing research primarily focuses on backdoor attacks and defenses within
the generic federated learning scenario, where all clients collaborate to train
a single global model. A recent study conducted by Qin et al. (2023) marks the
initial exploration of backdoor attacks within the personalized federated
learning (pFL) scenario, where each client constructs a personalized model
based on its local data. Notably, the study demonstrates that pFL methods with
parameter decoupling can significantly enhance robustness against backdoor attacks. However, in this paper, we show that pFL methods with parameter decoupling are still vulnerable to backdoor attacks. Their apparent resistance is attributed to the heterogeneity of the classifiers between malicious clients and their benign counterparts. We analyze two direct causes of this classifier heterogeneity: (1) data heterogeneity inherently exists among clients, and (2) poisoning by malicious clients further exacerbates the data heterogeneity. To address these issues, we propose a two-pronged attack method, BapFL, which comprises two simple yet effective strategies: (1) poisoning only the feature encoder while keeping the classifier fixed, and (2) diversifying the classifier by introducing noise to simulate the classifiers of benign clients. Extensive experiments on three benchmark
datasets under varying conditions demonstrate the effectiveness of our proposed
attack. Additionally, we evaluate the effectiveness of six widely used defense
methods and find that BapFL still poses a significant threat even in the
presence of the best defense, Multi-Krum. We hope to inspire further research
on attack and defense strategies in pFL scenarios. The code is available at:
https://github.com/BapFL/code
Comment: Submitted to TKD
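
To make the two strategies concrete, the following sketch (PyTorch-style; the encoder/classifier split, hyperparameters, and helper names are assumptions rather than the authors' exact implementation) freezes the classifier while the encoder is trained on trigger-stamped data, and then perturbs the classifier parameters with Gaussian noise before the update is sent to the server:

import copy
import torch

def malicious_local_update(model, poisoned_loader, lr=0.01, noise_std=0.1):
    """Sketch of BapFL's two strategies (hypothetical API and hyperparameters)."""
    # (1) Poison only the feature encoder: freeze the classifier parameters.
    for p in model.classifier.parameters():
        p.requires_grad_(False)
    opt = torch.optim.SGD((p for p in model.parameters() if p.requires_grad), lr=lr)
    loss_fn = torch.nn.CrossEntropyLoss()
    for x, y in poisoned_loader:  # inputs carry the trigger and the target label
        opt.zero_grad()
        loss_fn(model(x), y).backward()  # gradients reach only the encoder
        opt.step()

    # (2) Diversify the classifier with noise so the uploaded update resembles
    # that of a benign, heterogeneous client.
    update = copy.deepcopy(model.state_dict())
    for name, w in update.items():
        if name.startswith("classifier"):
            update[name] = w + noise_std * torch.randn_like(w)
    return update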
Federated Unlearning: How to Efficiently Erase a Client in FL?
With privacy legislation empowering users with the right to be forgotten, it has become essential to make a model amenable to forgetting some of its training data. However, existing unlearning methods in the machine learning context cannot be applied directly to distributed settings such as federated learning, due to differences in the learning protocol and the presence of multiple actors. In this paper, we tackle the problem of federated unlearning for the case of erasing a client, i.e., removing the influence of the client's entire local data from the trained global model. To erase a client, we propose to first perform local unlearning at the client to be erased, and then use the locally unlearned model as the initialization to run a small number of federated learning rounds between the server and the remaining clients to obtain the unlearned global model. We empirically evaluate our unlearning method with multiple performance measures on three datasets, and demonstrate that it achieves performance comparable to the gold-standard unlearning method of federated retraining from scratch while being significantly more efficient. Unlike prior works, our unlearning method requires neither global access to the data used for training nor storage of the history of parameter updates by the server or any of the clients.
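
At a high level, the two-phase procedure could be sketched as follows (PyTorch-style; the gradient-ascent instantiation of local unlearning and all names here are illustrative assumptions, not the paper's exact method):

import copy
import torch

def local_unlearn(global_model, erased_client_loader, steps=50, lr=0.01):
    """Phase 1: local unlearning at the client to be erased (sketched here as
    gradient ascent on that client's own data, an assumed instantiation)."""
    model = copy.deepcopy(global_model)
    opt = torch.optim.SGD(model.parameters(), lr=lr)
    loss_fn = torch.nn.CrossEntropyLoss()
    it = iter(erased_client_loader)
    for _ in range(steps):
        try:
            x, y = next(it)
        except StopIteration:
            it = iter(erased_client_loader)
            x, y = next(it)
        opt.zero_grad()
        (-loss_fn(model(x), y)).backward()  # maximize loss on the erased data
        opt.step()
    return model

def federated_unlearning(global_model, erased_loader, remaining_clients, run_fl_rounds, rounds=3):
    # Phase 1: local unlearning on the client being erased.
    init = local_unlearn(global_model, erased_loader)
    # Phase 2: a few rounds of standard federated learning among the remaining
    # clients, starting from the locally unlearned model. run_fl_rounds is a
    # stand-in for any FedAvg-style training loop.
    return run_fl_rounds(init, remaining_clients, rounds)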