
Backdoor Attacks in Peer-to-Peer Federated Learning

Georgios Syros, Gokberk Yar, Simona Boboila, Cristina Nita-Rotaru, Alina Oprea

TL;DR

This article proposes new backdoor attacks for P2PFL that leverage structural graph properties to select the malicious nodes and achieve high attack success while remaining stealthy. It also designs a new defense that successfully mitigates the backdoor attacks without an impact on model accuracy.

Abstract

Most machine learning applications rely on centralized learning processes, opening up the risk of exposure of their training datasets. While federated learning (FL) mitigates to some extent these privacy risks, it relies on a trusted aggregation server for training a shared global model. Recently, new distributed learning architectures based on Peer-to-Peer Federated Learning (P2PFL) offer advantages in terms of both privacy and reliability. Still, their resilience to poisoning attacks during training has not been investigated. In this paper, we propose new backdoor attacks for P2PFL that leverage structural graph properties to select the malicious nodes, and achieve high attack success, while remaining stealthy. We evaluate our attacks under various realistic conditions, including multiple graph topologies, limited adversarial visibility of the network, and clients with non-IID data. Finally, we show the limitations of existing defenses adapted from FL and design a new defense that successfully mitigates the backdoor attacks, without an impact on model accuracy.

Paper Structure (24 sections, 3 equations, 14 figures, 1 table, 2 algorithms)


Figures (14)

  • Figure 1: P2PFL Architecture Overview: A peer has 3 roles: 1) Forwarding network packages (Communication Layer); 2) Sending and receiving ML updates to data peers (Learning Layer); 3) Running ML training on local dataset, aggregating updates received by the Learning Layer, and sharing back with the Learning Layer for the next round (ML Module).
  • Figure 2: Communication topology is shown by the gray plane, learning topology uses the underlying communication topology to exchange updates.
  • Figure 3: Adversary's node selection strategy: (a) accuracy of the backdoored model on clean test data. (b) attack success (y-axis) of various strategies after the backdoored model has reached high accuracy (x-axis).
  • Figure 4: Impact of network topology on attack performance: (a) accuracy evolution; (b) attack success (y-axis) on various topologies after the backdoored model has reached high accuracy (x-axis). Within 200 rounds of training, the Barabasi topology has not exceeded 0.95 test accuracy (hence, the figure omits Barabasi at 0.97 accuracy).
  • Figure 5: (a) Increasing the number of compromised nodes within a 60-node network. (b) Increasing the number of failed connections to neighbors (i.e., missed updates), with 3 compromised nodes.
  • ...and 9 more figures