Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MANDERA: Malicious Node Detection in Federated Learning via Ranking

Wanchuang Zhu, Benjamin Zi Hao Zhao, Simon Luo, Tongliang Liu, Ke Deng

Abstract

Byzantine attacks hinder the deployment of federated learning algorithms. Although we know that the benign gradients and Byzantine attacked gradients are distributed differently, to detect the malicious gradients is challenging due to (1) the gradient is high-dimensional and each dimension has its unique distribution and (2) the benign gradients and the attacked gradients are always mixed (two-sample test methods cannot apply directly). To address the above, for the first time, we propose MANDERA which is theoretically guaranteed to efficiently detect all malicious gradients under Byzantine attacks with no prior knowledge or history about the number of attacked nodes. More specifically, we transfer the original updating gradient space into a ranking matrix. By such an operation, the scales of different dimensions of the gradients in the ranking space become identical. The high-dimensional benign gradients and the malicious gradients can be easily separated. The effectiveness of MANDERA is further confirmed by experimentation on four Byzantine attack implementations (Gaussian, Zero Gradient, Sign Flipping, Shifted Mean), comparing with state-of-the-art defenses. The experiments cover both IID and Non-IID datasets.

MANDERA: Malicious Node Detection in Federated Learning via Ranking

Abstract

Byzantine attacks hinder the deployment of federated learning algorithms. Although we know that the benign gradients and Byzantine attacked gradients are distributed differently, to detect the malicious gradients is challenging due to (1) the gradient is high-dimensional and each dimension has its unique distribution and (2) the benign gradients and the attacked gradients are always mixed (two-sample test methods cannot apply directly). To address the above, for the first time, we propose MANDERA which is theoretically guaranteed to efficiently detect all malicious gradients under Byzantine attacks with no prior knowledge or history about the number of attacked nodes. More specifically, we transfer the original updating gradient space into a ranking matrix. By such an operation, the scales of different dimensions of the gradients in the ranking space become identical. The high-dimensional benign gradients and the malicious gradients can be easily separated. The effectiveness of MANDERA is further confirmed by experimentation on four Byzantine attack implementations (Gaussian, Zero Gradient, Sign Flipping, Shifted Mean), comparing with state-of-the-art defenses. The experiments cover both IID and Non-IID datasets.

Paper Structure

This paper contains 15 sections, 6 theorems, 29 equations, 10 figures, 3 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Mathematical formulation of federated learning with Byzantine attacks
  3. Malicious node detection via statistical analysis of a ranking matrix of messages
  4. Properties of the message matrix ${\bm{M}}$
  5. From message matrix ${\bm{M}}$ to rank matrix ${\bm{R}}$
  6. Limiting behavior of $(e_i,v_i)$ for benign and malicious nodes
  7. More detailed results for specific Byzantine attacks
  8. Malicious node detection via node clustering based on $(e_i,s_i)$
  9. Real data applications
  10. Federated learning of three real-world datasets under Byzantine attacks
  11. Defense performance in the IID scenario
  12. Defense performance in non-IID scenario
  13. Computational speed
  14. Robustness to hyperparameter specification and data partition
  15. Conclusions and Discussions

Key Result

Lemma 3.1

Assume that local data sets in all the benign nodes are IID samples from a data distribution $\mathbb{D}$. For any $i\in{\mathcal{I}}_b$ and $j\in\{1,\cdots,p\}$, denote With $N^* \rightarrow \infty$, we have ${\bm{M}}_{i,j} \rightarrow\mu_j$ almost surely (a.s.), $\sqrt{N^*}{\bm{M}}_{i,j} \rightarrow^{\space d}\ \mathcal{N}\left(\mu_j,\sigma_j^2\right)$, and thus ${\bm{M}}_{:,j}\sim{\mathcal{N}}

Figures (10)

  • Figure 1: The general framework of federated learning with a central node equipped with a global model and a collection of local nodes holding distributed datasets. The orange lines demonstrate the actions to send the global model to the local nodes. The black lines represent the actions to send back the proposed updates of the global model obtained from local training in local nodes to the central node. The green line represents the action of aggregating the proposed updates from local nodes to a global update, and then sending it to the central node for global model updating.
  • Figure 2: Histogram of $p$ -values of Pearson correlation tests for 100,000 pairs of columns randomly chosen from a message matrix ${\bm{M}}$ generated from FASHION-MNIST data.
  • Figure 3: The scatter plots of $(e_i,s_i)$ for the 100 nodes under four types of attack as illustrative examples demonstrating ranking mean and standard deviation from the 1st epoch of training for the FASHION-MNIST dataset. Four attacks are Gaussian Attack (GA), Zero Gradient attack (ZG), Sign Flipping attack (SF) and Mean shift attack (MS).
  • Figure 4: An overview of MANDERA.
  • Figure 5: Typical images from MNIST, FASHION-MNIST and CIFAR-10 datasets. The MNIST dataset is composed of 70,000 pictures of 10 classes of handwritten digits as showed in the top 2 rows. The FASHION-MNIST dataset is composed of 70,000 pictures of 10 classes of apparels as showed in the middle 2 rows. The CIFAR-10 dataset is composed of 60,000 images of 10 classes of small objects as showed in the bottom 2 rows.
  • ...and 5 more figures

Theorems & Definitions (9)

  • Definition 2.1: Gaussian attack
  • Definition 2.2: Sign flipping attack with Zero gradient attack as a special case
  • Definition 2.3: Mean shift attack
  • Lemma 3.1
  • Theorem 3.2: Behavior under a general Byzantine attack
  • Theorem 3.3: Behavior under Gaussian attacks
  • Theorem 3.4: Behavior under sign flipping attacks
  • Theorem 3.5: Behavior under mean shift attacks
  • Theorem 3.6: Robustness guarantee