Table of Contents
Fetching ...

Securing Federated Sensitive Topic Classification against Poisoning Attacks

Tianyue Chu, Alvaro Garcia-Recuero, Costas Iordanou, Georgios Smaragdakis, Nikolaos Laoutaris

TL;DR

This work tackles privacy-preserving classification of GDPR-sensitive web content by introducing a federated learning framework that remains robust to poisoning attacks. It combines a residual-based attack detector with a subjective-logic reputation model to weight client updates, and proves convergence under standard FL assumptions. Empirical results on the SURL dataset and CIFAR-10 show faster convergence (roughly 1.6–2.4×) and lower attack success rates compared to state-of-the-art baselines, while a real-user prototype (EITR) demonstrates practical learning of new topics like COVID-19 health content with around 0.80 accuracy and 0.79 AUC. Collectively, the approach enables privacy-preserving, rapidly adaptable sensitive-content classifiers suitable for browser-based deployment and real-world use.

Abstract

We present a Federated Learning (FL) based solution for building a distributed classifier capable of detecting URLs containing GDPR-sensitive content related to categories such as health, sexual preference, political beliefs, etc. Although such a classifier addresses the limitations of previous offline/centralised classifiers,it is still vulnerable to poisoning attacks from malicious users that may attempt to reduce the accuracy for benign users by disseminating faulty model updates. To guard against this, we develop a robust aggregation scheme based on subjective logic and residual-based attack detection. Employing a combination of theoretical analysis, trace-driven simulation, as well as experimental validation with a prototype and real users, we show that our classifier can detect sensitive content with high accuracy, learn new labels fast, and remain robust in view of poisoning attacks from malicious users, as well as imperfect input from non-malicious ones.

Securing Federated Sensitive Topic Classification against Poisoning Attacks

TL;DR

This work tackles privacy-preserving classification of GDPR-sensitive web content by introducing a federated learning framework that remains robust to poisoning attacks. It combines a residual-based attack detector with a subjective-logic reputation model to weight client updates, and proves convergence under standard FL assumptions. Empirical results on the SURL dataset and CIFAR-10 show faster convergence (roughly 1.6–2.4×) and lower attack success rates compared to state-of-the-art baselines, while a real-user prototype (EITR) demonstrates practical learning of new topics like COVID-19 health content with around 0.80 accuracy and 0.79 AUC. Collectively, the approach enables privacy-preserving, rapidly adaptable sensitive-content classifiers suitable for browser-based deployment and real-world use.

Abstract

We present a Federated Learning (FL) based solution for building a distributed classifier capable of detecting URLs containing GDPR-sensitive content related to categories such as health, sexual preference, political beliefs, etc. Although such a classifier addresses the limitations of previous offline/centralised classifiers,it is still vulnerable to poisoning attacks from malicious users that may attempt to reduce the accuracy for benign users by disseminating faulty model updates. To guard against this, we develop a robust aggregation scheme based on subjective logic and residual-based attack detection. Employing a combination of theoretical analysis, trace-driven simulation, as well as experimental validation with a prototype and real users, we show that our classifier can detect sensitive content with high accuracy, learn new labels fast, and remain robust in view of poisoning attacks from malicious users, as well as imperfect input from non-malicious ones.
Paper Structure (39 sections, 4 theorems, 67 equations, 17 figures, 2 tables, 2 algorithms)

This paper contains 39 sections, 4 theorems, 67 equations, 17 figures, 2 tables, 2 algorithms.

Key Result

Theorem 1

Under Assumptions as:assumption1, as:assumption2, as:assumption3 and as:assumption4, $\exists \epsilon > 0$ that: After $t$ rounds, Algorithm al:aggregtaion converges with probability at least $1-\xi \in \left [1-\frac{4d}{\left ( 1+\hat{Q}ML\upsilon \right)^{d}},1\right )$ as where with $\Phi \left ( \cdot \right )$ being the cumulative distribution function of Wald distribution.

Figures (17)

  • Figure 1: Accuracy of FL classifiers and centralised classifiers in Health, Religion and all category.
  • Figure 2: Overview of reputation-based aggregation algorithm.
  • Figure 3: The decay of reputation score in Client ($X$) with $X$ model parameters when they (a) attack once at 3rd iteration and (b) attack continuously at and after the 3rd iteration.
  • Figure 4: The decay of reputation score in Client $X$ with same model parameters when they (a) attack once at $X$ iteration and (b) attack continuously after starting to attack at $X$ iteration.
  • Figure 5: The decay of reputation score in (left) Client with $X$ model parameters when they attack at 10, 50 and 90 iteration; (right) Client $X$ with 1 million parameters when they attack at 10 and $10+X$ iteration.
  • ...and 12 more figures

Theorems & Definitions (6)

  • Theorem 1
  • Corollary 1
  • Remark 1
  • Remark 2
  • Lemma 1
  • Lemma 2