FedGT: Identification of Malicious Clients in Federated Learning with Secure Aggregation

Marvin Xhemrishi, Johan Östman, Antonia Wachter-Zeh, Alexandre Graell i Amat

TL;DR

FedGT addresses poisoning threats in cross-silo federated learning by combining secure aggregation with group-testing principles: clients are assigned to overlapping groups, and the server only sees the securely aggregated update of each group, never an individual client's update. Each group aggregate is tested for the presence of at least one malicious client, and the resulting vector of test outcomes is decoded into a defective vector $\bm{d}$ (one flag per client) using the assignment matrix $\bm{A}$, which is designed as the parity-check matrix of an error-correcting code; the smallest Hamming weight $r$ of a non-zero vector in the row span of $\bm{A}$ controls a tunable privacy-security trade-off. Two decoding strategies are proposed: FedGT-$\Delta$ applies a Neyman–Pearson LLR rule that uses the estimated prevalence $\hat{\delta}=\hat{n}_{\mathsf{m}}/n$ as a prior, and FedGT-$\hat{n}_{\mathsf{m}}$ flags the $\hat{n}_{\mathsf{m}}$ clients with the smallest a posteriori LLRs; in both cases the LLRs $L_i^{\mathsf{APP}}$ are computed with a trellis/BCJR decoder under a simple test-noise model $Q(t|s)$. Empirical results on MNIST, CIFAR-10, and ISIC2019 show that FedGT substantially reduces attack accuracy under targeted and untargeted data-poisoning attacks, often approaching or matching Oracle performance and outperforming private robust aggregation baselines such as RFA, while retaining a tunable privacy guarantee. The framework thus offers a practical, hyperparameter-light way to harden FL without fully giving up the privacy of secure aggregation, and it lays groundwork for deployment in cross-silo settings with a moderate number of clients.
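The decoding pipeline sketched above can be exercised end to end on a toy instance. The following is an added example, not code from the paper or its authors: the 4x6 assignment matrix, the form of the test-noise model $Q(t|s)$ (a false-alarm probability for a clean group and a miss probability for a contaminated one), the prior $\delta$, the noise parameters and the threshold $\Delta$ are all assumptions chosen for illustration, and the paper's Neyman–Pearson choice of $\Delta$ is not reproduced. Because $n$ is tiny, the a posteriori LLRs are obtained by exact enumeration of all $2^n$ defective vectors, which yields the same values a BCJR pass over the trellis of $\bm{A}$ would compute efficiently. The example also computes $r$ of Proposition 1 by enumerating the GF(2) row span of $\bm{A}$, and shows a failure mode: a single missed test makes the members of the affected group indistinguishable to both decoding rules.

```python
"""Toy FedGT-style group-testing decoder (added example, not the paper's code).

Assumptions not taken from the paper: the matrix A below, the test model
Q(t|s), the prior delta, the noise probabilities and the threshold Delta.
"""
import itertools
import math

# Constructed assignment matrix: m = 4 tests (rows) over n = 6 clients
# (columns). Every client is in exactly two groups and any two groups share
# exactly one client (the edges of K4). Group j = {i : A[j][i] == 1}.
A = [
    [1, 1, 1, 0, 0, 0],
    [1, 0, 0, 1, 1, 0],
    [0, 1, 0, 1, 0, 1],
    [0, 0, 1, 0, 1, 1],
]


def min_row_span_distance(A):
    """r of Proposition 1: smallest Hamming weight of a non-zero GF(2)
    combination of the rows of A (minimum distance of the code generated by A)."""
    m, n = len(A), len(A[0])
    best = n + 1
    for coeffs in itertools.product((0, 1), repeat=m):
        if not any(coeffs):
            continue
        v = [0] * n
        for c, row in zip(coeffs, A):
            if c:
                v = [x ^ y for x, y in zip(v, row)]
        w = sum(v)
        if 0 < w < best:
            best = w
    return best


def syndrome(A, d):
    """Noise-free outcome of each group test: s_j = OR of d_i over group j."""
    return [int(any(a and x for a, x in zip(row, d))) for row in A]


def q_channel(t, s, p_fp, p_fn):
    """Assumed test model Q(t|s): false alarm w.p. p_fp on a clean group,
    miss w.p. p_fn on a group containing a malicious client."""
    if s == 0:
        return p_fp if t == 1 else 1.0 - p_fp
    return 1.0 - p_fn if t == 1 else p_fn


def app_llrs(A, t, delta, p_fp, p_fn):
    """Exact a posteriori LLRs L_i = log P(d_i=0|t) / P(d_i=1|t), with an
    i.i.d. Bernoulli(delta) prior on d, by enumerating all d in {0,1}^n.
    (BCJR on the trellis of A computes the same marginals without the 2^n cost.)"""
    n = len(A[0])
    mass1 = [0.0] * n  # posterior mass with d_i = 1, unnormalised
    total = 0.0
    for d in itertools.product((0, 1), repeat=n):
        k = sum(d)
        prior = delta ** k * (1.0 - delta) ** (n - k)
        lik = 1.0
        for tj, sj in zip(t, syndrome(A, d)):
            lik *= q_channel(tj, sj, p_fp, p_fn)
        post = prior * lik
        total += post
        for i, di in enumerate(d):
            if di:
                mass1[i] += post
    return [math.log((total - m1) / m1) for m1 in mass1]


def decode_threshold(llrs, Delta):
    """FedGT-Delta style rule: flag client i as malicious when L_i < Delta."""
    return [i for i, L in enumerate(llrs) if L < Delta]


def decode_smallest(llrs, n_m_hat):
    """FedGT-n_m_hat rule: flag the n_m_hat clients with the smallest LLRs."""
    order = sorted(range(len(llrs)), key=lambda i: llrs[i])
    return sorted(order[:n_m_hat])


if __name__ == "__main__":
    delta, p_fp, p_fn = 0.2, 0.05, 0.1       # assumed prior and noise levels
    print("r =", min_row_span_distance(A))
    d_true = [0, 0, 0, 1, 0, 0]              # constructed: client 3 is malicious
    t_clean = syndrome(A, d_true)            # both of client 3's groups test positive
    L = app_llrs(A, t_clean, delta, p_fp, p_fn)
    print("clean outcome", t_clean, "-> threshold:", decode_threshold(L, 0.0),
          "smallest-1:", decode_smallest(L, 1))
    t_missed = [0, 1, 0, 0]                  # constructed: test 2 is a miss
    L = app_llrs(A, t_missed, delta, p_fp, p_fn)
    print("missed test", t_missed, "-> threshold:", decode_threshold(L, 0.0),
          "smallest-3:", decode_smallest(L, 3))
```

With the clean outcome only client 3 gets a negative LLR, so both rules flag exactly that client. When test 2 is missed, the only positive group is {0, 3, 4}; by the symmetry of this matrix the three members receive identical LLRs, all positive, so the threshold rule flags nobody and the smallest-LLR rule can only break the tie arbitrarily. Increasing the overlap between groups (more tests per client) is what buys robustness against such errors, at the cost of a smaller $r$ and hence weaker privacy.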

Abstract

We propose FedGT, a novel framework for identifying malicious clients in federated learning with secure aggregation. Inspired by group testing, the framework leverages overlapping groups of clients to identify the presence of malicious clients in the groups via a decoding operation. The clients identified as malicious are then removed from the model training, which is performed over the remaining clients. By choosing the size, number, and overlap between groups, FedGT strikes a balance between privacy and security. Specifically, the server learns the aggregated model of the clients in each group: vanilla federated learning and secure aggregation correspond to the extreme cases of FedGT with group size equal to one and the total number of clients, respectively. The effectiveness of FedGT is demonstrated through extensive experiments on the MNIST, CIFAR-10, and ISIC2019 datasets in a cross-silo setting under different data-poisoning attacks. These experiments showcase FedGT's ability to identify malicious clients, resulting in high model utility. We further show that FedGT significantly outperforms the private robust aggregation approach based on the geometric median recently proposed by Pillutla et al. in multiple settings.

Paper Structure

This paper contains 24 sections, 1 theorem, 27 equations, 7 figures, 3 tables.

Key Result

Proposition 1

Let the assignment of clients to test groups be defined by assignment matrix $\bm{A}$ and let $r$ be the smallest non-zero Hamming weight of the vectors in the row span of $\bm{A}$ (in the coding theory jargon, the minimum Hamming distance of the code generated by $\bm{A}$ as its generator matrix).

Figures (7)

  • Figure 1: Attack accuracy on a cross-silo setting with $n=15$ clients on the CIFAR10 dataset for varying number of malicious clients, $n_{\mathsf{m}}$, conducting a label-flip targeted attack.
  • Figure 2: The bipartite graph of the matrix $\bm{A}$ in Example \ref{ex:ExampleBipartiteGraep}. The circles represent variable nodes and the squares represent check nodes.
  • Figure 3: Trellis representation of matrix $\bm{A}$ in Example \ref{ex:ExampleBipartiteGraep}. The dashed edges correspond to the symbol "0", while the solid edges correspond to the symbol "1".
  • Figure 4: Average attack accuracy on the MNIST (row 1), CIFAR10 (row 2) and ISIC2019 (row 3) datasets for varying number of malicious clients. These results are obtained from FL experiments where $n_{\mathsf{m}}$ clients out of $n =15$ total clients act as malicious by deploying a label-flip attack.
  • Figure 5: Average top-1 accuracy on the MNIST (row 1), CIFAR10 (row 2) and ISIC2019 (row 3) datasets for varying $n_{\mathsf{m}}$.
  • ...and 2 more figures

Theorems & Definitions (5)

  • Definition 1: Assignment matrix
  • Example 1
  • Proposition 1
  • Proof of Proposition 1
  • Example 2