Personalized federated learning allows clients in a distributed system to
train a neural network tailored to their own local data while still leveraging
information from other clients. However, clients' models are vulnerable to
attacks during both the training and testing phases. In this paper we address
adversarial clients that craft evasion attacks at test time to deceive other
clients' models. For example, an adversary may aim to deceive spam filters or
recommendation systems trained with personalized federated learning for
monetary gain. Depending on the distributed learning method, the adversarial
client's model is personalized to a varying degree and therefore only partially
matches the victim's model, leading to a "grey-box" situation.
We are the first to characterize the transferability of such internal evasion
attacks for different learning methods and analyze the trade-off between model
accuracy and robustness depending on the degree of personalization and
similarities in client data. We introduce a defense mechanism, pFedDef, that
performs personalized federated adversarial training while respecting resource
limitations at clients that inhibit adversarial training. Overall, pFedDef
increases relative grey-box adversarial robustness by 62% compared to federated
adversarial training and performs well even under limited system resources.

Comment: 16 pages, 5 figures (11 images if counting sub-figures separately),
longer version of paper submitted to CrossFL 2022 poster workshop, code
available at https://github.com/tj-kim/pFedDef_v1
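To make the grey-box transfer measurement described in the abstract concrete, the following numpy script is an added example; it is not code from the paper or from the pFedDef_v1 repository. It assumes a logistic-regression model instead of a neural network, two clients whose informative features differ, plain FedAvg for the shared model, interpolation-style personalization w_k = (1 - alpha) * w_global + alpha * w_local with alpha as the degree of personalization, a single-step L2-normalized evasion attack, and an adversarial client that can obtain inputs from the victim's distribution. The data, the personalization rule and every function name (transfer_study, evade_l2, personalize, fedavg) are constructed for illustration only.

```python
"""Toy study of grey-box evasion transfer between personalised clients (numpy only).

Two clients learn a shared global logistic-regression model with FedAvg, then
each personalises it as  w_k = (1 - alpha) * w_global + alpha * w_local,
where w_local is the global model fine-tuned on the client's own data and alpha
is the degree of personalisation.  Client 0 (the adversarial client) crafts
evasion examples against its own personalised model and we measure how often
they still fool client 1's personalised model.  Everything here (data, model,
personalisation rule, attack) is a constructed illustration, not the paper's.
"""
import numpy as np

D = 10            # feature dimension
N_TRAIN = 2000
N_TEST = 1000
EPS = 1.5         # L2 budget of the evasion perturbation


def make_client_data(rng, informative, n):
    """Constructed client data: class means are +1 / -1 on the `informative`
    coordinates and 0 (pure noise) elsewhere, with unit-variance Gaussian noise."""
    y = rng.integers(0, 2, size=n)
    mean = np.zeros(D)
    mean[informative] = 1.0
    x = rng.standard_normal((n, D)) + np.where(y[:, None] == 1, mean, -mean)
    return x, y


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def logit(w, x):
    """w holds the D weights followed by the bias as its last entry."""
    return x @ w[:-1] + w[-1]


def grad_step(w, x, y, lr, l2=1e-3):
    """One full-batch gradient step on the L2-regularised logistic loss."""
    p = sigmoid(logit(w, x))
    g_w = x.T @ (p - y) / len(y) + l2 * w[:-1]
    g_b = np.mean(p - y)
    return w - lr * np.append(g_w, g_b)


def train(w, x, y, steps, lr=0.5):
    for _ in range(steps):
        w = grad_step(w, x, y, lr)
    return w


def fedavg(clients, rounds=20, local_steps=5):
    """Plain FedAvg: each round every client trains locally from the global
    model and the server averages the resulting parameter vectors."""
    w = np.zeros(D + 1)
    for _ in range(rounds):
        w = np.mean([train(w, x, y, local_steps) for x, y in clients], axis=0)
    return w


def personalize(w_global, x, y, alpha, steps=50):
    """Interpolation-style personalisation (an assumption of this toy):
    alpha=0 is the global model, alpha=1 the fully fine-tuned local model."""
    return (1.0 - alpha) * w_global + alpha * train(w_global, x, y, steps)


def evade_l2(w, x, y, eps):
    """One L2-normalised gradient step on the input that increases the logistic
    loss of model w on each labelled sample (FGSM-style).  For a linear model the
    input gradient is (p - y) * w, so after normalisation the direction is just
    -(2y - 1) * w / ||w||: class-1 samples are pushed against w, class-0 along it."""
    direction = w[:-1] / np.linalg.norm(w[:-1])
    return x - eps * (2 * y - 1)[:, None] * direction[None, :]


def accuracy(w, x, y):
    return float(np.mean((logit(w, x) > 0) == (y == 1)))


def transfer_study(alpha, seed=0):
    """Accuracy of client 1's personalised model on its own clean test data,
    under a white-box attack (crafted on its own parameters) and under the
    grey-box attack crafted by client 0 on client 0's personalised model.
    Assumes the adversary can obtain inputs from the victim's distribution."""
    rng = np.random.default_rng(seed)
    coords0, coords1 = np.arange(0, D // 2), np.arange(D // 2, D)
    clients = [make_client_data(rng, coords0, N_TRAIN),   # adversary's data
               make_client_data(rng, coords1, N_TRAIN)]   # victim's data
    x_test, y_test = make_client_data(rng, coords1, N_TEST)
    w_global = fedavg(clients)
    w_adv = personalize(w_global, *clients[0], alpha)
    w_victim = personalize(w_global, *clients[1], alpha)
    x_white = evade_l2(w_victim, x_test, y_test, EPS)
    x_grey = evade_l2(w_adv, x_test, y_test, EPS)
    cos = float(w_adv[:-1] @ w_victim[:-1]
                / (np.linalg.norm(w_adv[:-1]) * np.linalg.norm(w_victim[:-1])))
    return {"alpha": alpha,
            "clean": accuracy(w_victim, x_test, y_test),
            "white_box": accuracy(w_victim, x_white, y_test),
            "grey_box": accuracy(w_victim, x_grey, y_test),
            "model_cosine": cos}


if __name__ == "__main__":
    for a in (0.0, 0.25, 0.5, 0.75, 1.0):
        r = transfer_study(a)
        print(f"alpha={a:.2f} clean={r['clean']:.3f} white={r['white_box']:.3f} "
              f"grey={r['grey_box']:.3f} cos={r['model_cosine']:.2f}")
```

Sweeping alpha exposes the mechanism behind the accuracy/robustness trade-off: at alpha = 0 the adversarial client holds the victim's exact parameters, so the "internal" attack is really white-box; as alpha grows the two personalized models diverge (lower cosine), the same perturbation budget transfers less well, and the victim's clean accuracy on its own distribution rises because the noise features of the global model are down-weighted. The numbers depend on the constructed data and are not the paper's results.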