
SureFED: Robust Federated Learning via Uncertainty-Aware Inward and Outward Inspection

Nasimeh Heydaribeni, Ruisi Zhang, Tara Javidi, Cristina Nita-Rotaru, Farinaz Koushanfar

TL;DR

SureFED addresses Byzantine robustness in federated learning by leveraging local benign data as ground truth and incorporating uncertainty quantification into model evaluation and aggregation. It maintains separate local and social models, using bounded confidence trust weights to robustly combine updates without requiring a majority of benign clients. The framework provides theoretical guarantees in a decentralized linear regression setting and demonstrates strong empirical resilience against multiple data and model poisoning attacks across three benchmark image datasets. By integrating uncertainty-aware evaluation and introspection, SureFED achieves robustness without large sacrifices in non-IID, peer-to-peer environments, making it practical for scalable, privacy-preserving FL deployments.

Abstract

In this work, we introduce SureFED, a novel framework for Byzantine-robust federated learning. Unlike many existing defense methods that rely on statistically robust quantities, making them vulnerable to stealthy and colluding attacks, SureFED establishes trust using the local information of benign clients. SureFED utilizes uncertainty-aware model evaluation and introspection to safeguard against poisoning attacks. In particular, each client independently trains a clean local model exclusively using its local dataset, acting as the reference point for evaluating model updates. SureFED leverages Bayesian models that provide model uncertainties and play a crucial role in the model evaluation process. Our framework exhibits robustness even when the majority of clients are compromised, remains agnostic to the number of malicious clients, and is well-suited for non-IID settings. We theoretically prove the robustness of our algorithm against data and model poisoning attacks in a decentralized linear regression setting. Proof-of-concept evaluations on benchmark image classification data demonstrate the superiority of SureFED over state-of-the-art defense methods under various colluding and non-colluding data and model poisoning attacks.

Paper Structure (19 sections, 7 theorems, 31 equations, 8 figures, 8 tables, 1 algorithm)

Key Result

Theorem 5.2

If agents learn according to SureFED algorithm and the communication graph satisfies the relaxed connectivity constraint, and if no agent is compromised, i.e., $\mathcal{N}^c=\emptyset$, then each agent $i$ learns the model parameter $\theta^*$ with mean square error that is decreasing proportional

Figures (8)

  • Figure 1: Final model accuracy of SureFED and the other baselines under different data and model poisoning attacks evaluated on the CIFAR10, FEMNIST, and MNIST datasets. The dashed line shows the final accuracy in a benign setting. WORST plots correspond to the worst model accuracy of the methods across the three datasets. SureFED is the only framework that shows consistent robustness against all of the attacks and on all three datasets.
  • Figure 2: Accuracy plot of SureFED compared with BayP2PFL, Zeno, Trimmed Mean, Clipping, and FLTrust defense methods under different data and model poisoning attacks evaluated on FEMNIST dataset.
  • Figure 3: The worst final model accuracy of SureFED and other baselines across different poisoning attacks and the CIFAR10, FEMNIST and MNIST datasets. SureFED is the only method that shows consistent robustness against all of the attacks and on all three datasets.
  • Figure 4: Main Task Accuracy (MA) and Backdoor Accuracy (BA) of SureFED and the other baselines under Trojan attack. High MA indicates the success of the Trojan attack in maintaining its stealthiness (MA of all baselines should be high). Low BA indicates success in defending against the Trojan attack. SureFED is the only method with low BA, indicating its robustness against Trojan attacks.
  • Figure 5: Final model accuracy of SureFED and the other baselines on the MNIST dataset under the Label-Flipping attack with a varying percentage of compromised clients.
  • ...and 3 more figures

Theorems & Definitions (15)

  • Definition 4.1: Bounded Confidence Trust Weights
  • Definition 5.1: Relaxed Connectivity Constraint
  • Theorem 5.2: Learning by SureFED
  • Theorem 5.6: Robustness of SureFED, Label-Flipping Attack
  • Theorem 5.7: Robustness of SureFED, General Random Attack
  • Proof of Theorem [thm:learn_bcp2pfl]
  • Lemma 7.1
  • Proof of Lemma 7.1
  • Lemma 7.2
  • Proof of Lemma 7.2
  • ...and 5 more