Mitigating Sybils in Federated Learning Poisoning

Clement Fung, Chris J. M. Yoon, Ivan Beschastnikh

TL;DR

This paper tackles sybil-based poisoning in federated learning by introducing FoolsGold, a defense that adaptively scales each client’s learning rate based on the similarity of their gradient updates on indicative features. By maintaining update history and applying pardoning and a logit-based adjustment, FoolsGold penalizes colluding sybils while preserving honest contributions, without requiring prior knowledge of the number of attackers. Empirical evaluations across MNIST, VGGFace2, KDDCup, and Amazon datasets show FoolsGold outperforms state-of-the-art defenses like Multi-Krum under non-IID data and various poisoning strategies, with only minor overhead. The work demonstrates a practical, model-agnostic approach to mitigating sybil poisoning in distributed learning, with potential for integration alongside other defenses and future improvements via randomized or graph-based similarity measures.

Abstract

Machine learning (ML) over distributed multi-party data is required for a variety of domains. Existing approaches, such as federated learning, collect the outputs computed by a group of devices at a central aggregator and run iterative algorithms to train a globally shared model. Unfortunately, such approaches are susceptible to a variety of attacks, including model poisoning, which is made substantially worse in the presence of sybils. In this paper we first evaluate the vulnerability of federated learning to sybil-based poisoning attacks. We then describe FoolsGold, a novel defense to this problem that identifies poisoning sybils based on the diversity of client updates in the distributed learning process. Unlike prior work, our system does not bound the expected number of attackers, requires no auxiliary information outside of the learning process, and makes fewer assumptions about clients and their data. In our evaluation we show that FoolsGold exceeds the capabilities of existing state-of-the-art approaches to countering sybil-based label-flipping and backdoor poisoning attacks. Our results hold for different distributions of client data, varying poisoning targets, and various sybil strategies. Code can be found at: https://github.com/DistributedML/FoolsGold

Paper Structure

This paper contains 14 sections, 10 equations, 17 figures, 3 tables, 2 algorithms.

Figures (17)

  • Figure 1: Federated learning with and without colluding sybils mounting a sybil-based poisoning attack. In the attack (b) two sybils poison the model by computing over images of 1s with the (incorrect) class label 7.
  • Figure 2: Targeted poisoning attack in SGD. The dotted red vectors are sybil contributions that drive the model towards a poisoner objective. The solid green vectors are contributed by honest clients that drive towards the true objective.
  • Figure 3: Dashed lines are gradient updates from three clients (2 sybils, 1 honest). Solid lines are aggregated update vectors. The angle between the aggregated update vectors of sybil clients ($\theta$) is smaller than between those of the honest client and a sybil ($\gamma$). Cosine similarity would reflect this similarity.
  • Figure 4: Training accuracy (blue bars) and attack rate (red ticks) for canonical attacks against the relevant canonical datasets.
  • Figure 5: Attack rate for varying number of sybils, for federated learning (Baseline), Multi-Krum, and FoolsGold.
  • ...and 12 more figures