Abstract: Federated learning (FL) enables many data owners (e.g., mobile devices) to train a joint ML model (e.g., a next-word prediction classifier) without the need to share their private training data. However, FL is known to be susceptible to model poisoning attacks by malicious participants (e.g., adversary-owned mobile devices), who aim to degrade the accuracy of the jointly trained model by sending malicious inputs during the federated training process. In this paper, we present a general framework for model poisoning attacks on FL. We show that our framework leads to poisoning attacks that substantially outperform the state-of-the-art model poisoning attacks by large margins. For instance, our attacks result in 1.5× to 60× more reductions in the accuracy of FL compared to the strongest of existing poisoning attacks.
Our work demonstrates that existing Byzantine-robust FL algorithms are significantly more susceptible to model poisoning than previously thought. Motivated by this, we design a defense against poisoning of FL, called divide-and-conquer (DnC). We demonstrate that DnC outperforms all existing Byzantine-robust FL algorithms in defeating model poisoning attacks; specifically, it is 2.5× to 12× more resilient in our experiments with different datasets and models.