Exploit Gradient Skew to Circumvent Byzantine Defenses for Federated Learning
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: Federated Learning; Byzantine Robustness
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Abstract: Federated Learning (FL) is notorious for its vulnerability to Byzantine attacks. Most current Byzantine defenses share a common inductive bias: among all the gradients, the majorities are more likely to be honest. However, such bias is a poison to Byzantine robustness due to a newly discovered phenomenon -- gradient skew. We discover that the majority of honest gradients skew away from the optimal gradient (the average of honest gradients) as a result of heterogeneous data. This gradient skew phenomenon allows Byzantine gradients to hide within the skewed majority of honest gradients and thus be recognized as the majority. As a result, Byzantine defenses are deceived into perceiving Byzantine gradients as honest. Motivated by this observation, we propose a novel skew-aware attack called STRIKE: first, we search for the skewed majority of honest gradients; then, we construct Byzantine gradients within the skewed majority. Experiments on three benchmark datasets validate the effectiveness of our attack.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
Supplementary Material: zip
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 6901
Loading