Denial-of-Service or Fine-Grained Control: Towards Flexible Model Poisoning Attacks on Federated Learning

Hangtao Zhang, Zeming Yao, Leo Yu Zhang, Shengshan Hu, Chao Chen, Alan Liew, Zhetao Li

TL;DR

This work proposes a flexible model poisoning attack (FMPA) that can achieve versatile attack goals and can be naturally extended to launch a fine-grained controllable attack, making it possible to precisely reduce the global accuracy.

Abstract

Federated learning (FL) is vulnerable to poisoning attacks, where adversaries corrupt the global aggregation results and cause denial-of-service (DoS). Unlike recent model poisoning attacks that optimize the amplitude of malicious perturbations along certain prescribed directions to cause DoS, we propose a Flexible Model Poisoning Attack (FMPA) that can achieve versatile attack goals. We consider a practical threat scenario where no extra knowledge about the FL system (e.g., aggregation rules or updates on benign devices) is available to adversaries. FMPA exploits the global historical information to construct an estimator that predicts the next round of the global model as a benign reference. It then fine-tunes the reference model to obtain the desired poisoned model with low accuracy and small perturbations. Besides the goal of causing DoS, FMPA can be naturally extended to launch a fine-grained controllable attack, making it possible to precisely reduce the global accuracy. Armed with precise control, malicious FL service providers can gain advantages over their competitors without getting noticed, hence opening a new attack surface in FL other than DoS. Even for the purpose of DoS, experiments show that FMPA significantly decreases the global accuracy, outperforming six state-of-the-art attacks.

Paper Structure (29 sections, 2 theorems, 3 equations, 4 figures, 2 tables, 1 algorithm)

Key Result

Lemma 1

For a union and its associated certified radius $\zeta\models\mathcal{R}$, we assume that $\zeta^\star\in \mathcal{S}(\varrho)$ is a $\varrho$-corrupted version of $\zeta$ obtained by Algorithm 1. Algorithm 1 guarantees that, for any $\zeta^\star$, $\zeta^\star$$\models$$\ma

Figures (4)

  • Figure 1: A schematic of our attack: $G_t$ and $G_{t+1}$ represent the global model for rounds $t$ and $t+1$, respectively. The gray circle indicates the detection scope of a specific defense, thus red arrows (malicious local updates) outside the scope will be discarded (e.g., $\nabla_1^p$). The red arrows (e.g., $\nabla_2^p$ and $\nabla_3^p$) represent current wisdom used for designing malicious updates, where our FMPA ($\nabla_4^p$) can achieve the maximum loss (best attack effect) with the same amount of perturbation.
  • Figure 2: The global model accuracy against increasing percentage of malicious clients under different AGRs.
  • Figure 3: Impacts of three different reference models on attack effect when malicious clients are armed with I-FMPA ($\alpha=0.7$).
  • Figure 4: Testing the effect of various MPAs as we vary the clients sampling rate and total number of clients.

Theorems & Definitions (6)

  • Definition 1: $\varrho$-Corrupted Poisoning Attack
  • Definition 2: Certified Radius
  • Lemma 1
  • Proof
  • Theorem 1
  • Example 1