A Study of Black-Box Attacks Against Robust Federated Learning

Yang Li; Adams Wai-Kin Kong

A Study of Black-Box Attacks Against Robust Federated Learning

Yang Li, Adams Wai-Kin Kong

18 Sept 2023 (modified: 25 Mar 2024)ICLR 2024 Conference Withdrawn SubmissionEveryoneRevisionsBibTeX

Keywords: Federated Learning, Adversarial Attacks

Abstract: The original Federated Learning (FL) algorithm, FedAvg, is vulnerable to adversarial attacks from its clients. To enhance the security of FL, researchers introduced various defensive aggregation rules. Some of the aggregation rules are based on robust statistics, such as geometry median, and Krum, and some are designed against Sybil attackers, namely FoolsGold, and CONTRA. The previous works evaluate their robustness in a white-box setting, where attackers know which aggregation rule is used by the federated server, the parameters of the FL system, and sometimes the data of honest clients. In this paper, we propose an untargeted attack algorithm based on reinforcement learning (UA-RL) to study the robustness of the aggregation rules in a black-box setting. UA-RL uses the sum of gradients of unmodified datasets to maximize the loss function. It applies reinforcement learning to search for the best parameter controlling the attack magnitude to bypass the aggregation rules. Our experiments on non-i.i.d. datasets indicate that defensive aggregation rules, including Krum, geometry median, FoolsGold, and CONTRA are vulnerable to UA-RL attacks. On i.i.d. datasets, FoolsGold, and CONTRA are fragile, but geometry median and Krum are relatively robust. We further perform a theoretical analysis to explain these experiment results.

Primary Area: unsupervised, self-supervised, semi-supervised, and supervised representation learning

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.

Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Submission Number: 1200

Loading