Abstract: We investigate a specific security risk in federated learning (FL): a group of malicious clients influences the model during training by disguising their identities and acting as benign clients, then later switching to an adversarial role. They use their own data, which is part of the training set, to train a substitute model and mount transferable adversarial attacks against the federated model. This type of attack is subtle and hard to detect because these clients initially appear to be benign.
The key question we address is: how robust is the FL system to such covert attacks, especially compared to traditional centralized learning systems? We empirically show that the proposed attack poses a high security risk to current FL systems. Using only 3% of the clients' data, the best attack rate we achieve exceeds 80%. To offer a fuller understanding of the challenges FL systems face under transferable attacks, we provide a comprehensive analysis of the transfer robustness of FL across a spectrum of configurations. Surprisingly, FL systems show a higher level of robustness than their centralized counterparts, especially when both systems perform equally well on regular, non-malicious data.
We attribute this increased robustness to two main factors:
1) Decentralized Data Training: Each client trains the model on its own data, reducing the overall impact of any single malicious client.
2) Model Update Averaging: The updates from each client are averaged together, further diluting any malicious alterations.
Both practical experiments and theoretical analyses support our conclusions. This research not only sheds light on the resilience of FL systems against hidden attacks but also raises important considerations for their future application and development.
Submission Length: Long submission (more than 12 pages of main content)
Changes Since Last Submission: We have uploaded the camera-ready version of the paper. Following the guidance of the Action Editor and the helpful suggestions from the reviewers, we have revised our paper and incorporated all the experiments and changes made during the rebuttal into the final version of the paper.
Specifically,
- Table from QA 3 of reviewer 1 is added to Appendix G.
- Figure from QA 6 of reviewer 1 originates from Figure 1 of the main paper.
- Figure from QA 7 of reviewer 1 is added to Appendix F.
- Additional experiments required by reviewer 2 on ImageNet200 are added to Tables 1 and 2 and Figure 5 of the final version.
- Figure from QA 5 of reviewer 3 originates from Figure 1 of the main paper.
- All typos are fixed.
- We revise the paper to be more comprehensive and easy to understand.
Assigned Action Editor: ~Pin-Yu_Chen1
Submission Number: 3240