Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Byzantines can also Learn from History: Fall of Centered Clipping in Federated Learning

Kerem Ozfatura, Emre Ozfatura, Alptekin Kupcu, Deniz Gunduz

TL;DR

This paper investigates Byzantine robustness in federated learning and analyzes Centered Clipping (CC), which uses a momentum-based reference $\tilde{\mathbf{m}}_{t-1}$ and a radius $\tau$ to bound updates. It identifies CC vulnerabilities—target-reference mismatch, angular invariance, and temporal correlation—and introduces Relocated Orthogonal Perturbation (ROP), a time-coupled attack that defeats CC and other defenses. To restore robustness, it proposes Sequential Centered Clipping (S-CC), which randomizes reference points via bucketing with per-bucket CC steps. Extensive experiments on IID and non-IID data across MNIST, FMNIST, CIFAR-10/100 show ROP degrades performance under CC, while S-CC recovers baseline accuracy and improves resilience with equivalent complexity, highlighting practical weaknesses in CC-based defenses and offering a viable defense approach for FL systems.

Abstract

The increasing popularity of the federated learning (FL) framework due to its success in a wide range of collaborative learning tasks also induces certain security concerns. Among many vulnerabilities, the risk of Byzantine attacks is of particular concern, which refers to the possibility of malicious clients participating in the learning process. Hence, a crucial objective in FL is to neutralize the potential impact of Byzantine attacks and to ensure that the final model is trustable. It has been observed that the higher the variance among the clients' models/updates, the more space there is for Byzantine attacks to be hidden. As a consequence, by utilizing momentum, and thus, reducing the variance, it is possible to weaken the strength of known Byzantine attacks. The centered clipping (CC) framework has further shown that the momentum term from the previous iteration, besides reducing the variance, can be used as a reference point to neutralize Byzantine attacks better. In this work, we first expose vulnerabilities of the CC framework, and introduce a novel attack strategy that can circumvent the defences of CC and other robust aggregators and reduce their test accuracy up to %33 on best-case scenarios in image classification tasks. Then, we propose a new robust and fast defence mechanism that is effective against the proposed and other existing Byzantine attacks.

Byzantines can also Learn from History: Fall of Centered Clipping in Federated Learning

TL;DR

This paper investigates Byzantine robustness in federated learning and analyzes Centered Clipping (CC), which uses a momentum-based reference and a radius to bound updates. It identifies CC vulnerabilities—target-reference mismatch, angular invariance, and temporal correlation—and introduces Relocated Orthogonal Perturbation (ROP), a time-coupled attack that defeats CC and other defenses. To restore robustness, it proposes Sequential Centered Clipping (S-CC), which randomizes reference points via bucketing with per-bucket CC steps. Extensive experiments on IID and non-IID data across MNIST, FMNIST, CIFAR-10/100 show ROP degrades performance under CC, while S-CC recovers baseline accuracy and improves resilience with equivalent complexity, highlighting practical weaknesses in CC-based defenses and offering a viable defense approach for FL systems.

Abstract

The increasing popularity of the federated learning (FL) framework due to its success in a wide range of collaborative learning tasks also induces certain security concerns. Among many vulnerabilities, the risk of Byzantine attacks is of particular concern, which refers to the possibility of malicious clients participating in the learning process. Hence, a crucial objective in FL is to neutralize the potential impact of Byzantine attacks and to ensure that the final model is trustable. It has been observed that the higher the variance among the clients' models/updates, the more space there is for Byzantine attacks to be hidden. As a consequence, by utilizing momentum, and thus, reducing the variance, it is possible to weaken the strength of known Byzantine attacks. The centered clipping (CC) framework has further shown that the momentum term from the previous iteration, besides reducing the variance, can be used as a reference point to neutralize Byzantine attacks better. In this work, we first expose vulnerabilities of the CC framework, and introduce a novel attack strategy that can circumvent the defences of CC and other robust aggregators and reduce their test accuracy up to %33 on best-case scenarios in image classification tasks. Then, we propose a new robust and fast defence mechanism that is effective against the proposed and other existing Byzantine attacks.
Paper Structure (27 sections, 19 equations, 20 figures, 7 tables, 4 algorithms)

This paper contains 27 sections, 19 equations, 20 figures, 7 tables, 4 algorithms.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Preliminaries
  4. Notation
  5. Federated Learning (FL)
  6. SotA model poisonings attacks
  7. ALIE
  8. IPM
  9. Robust Aggregators
  10. Vulnerabilities of CC and designing strong but imperceptible attack
  11. Relocation of the attack
  12. Angular Invariance
  13. Importance of temporal correlation
  14. Structuring the attack
  15. Relocated Orthogonal Perturbation (ROP) Attack
  16. ...and 12 more sections

Figures (20)

  • Figure 1: ALIE attack on TM aggregation, ALIE (blue) refers to the standard ALIE, while ALIE $+/-$ (orange) is the version of ALIE where the sign of the perturbation alternates at each iteration.
  • Figure 2: Visualization of (a) IID and (b) non-IID distribution of 50.000 training samples, 5000 samples per each class, among 25 clients. Each color represents a different class.
  • Figure 3: FMNIST IID test accuracy on various aggregation methods.
  • Figure 4: Cifar10 IID test accuracy on various aggregation methods.
  • Figure 5: CIFAR100 IID test accuracy on various aggregation methods.
  • ...and 15 more figures