Sentinel: An Aggregation Function to Secure Decentralized Federated Learning
Chao Feng, Alberto Huertas Celdrán, Janosch Baltensperger, Enrique Tomás Martínez Beltrán, Pedro Miguel Sánchez Sánchez, Gérôme Bovet, Burkhard Stiller
TL;DR
This paper tackles poisoning attacks in Decentralized Federated Learning (DFL) by introducing Sentinel, a three-phase aggregation strategy that leverages local data: similarity filtering based on layer-wise cosine similarity, bootstrap-validation loss weighted aggregation, and layer normalization to mitigate stealth attacks. Evaluated within the Fedstellar framework across diverse datasets and data distributions, Sentinel demonstrates superior robustness to model poisoning, untargeted and targeted label flipping, and backdoor attacks under IID settings, outperforming several baselines. However, in non-IID scenarios, Sentinel’s performance declines similarly to other robust aggregations, highlighting limitations in heterogeneous data environments and motivating adaptive mechanisms. The work provides a practical defense approach for DFL with clear pathways for enhancement and benchmarking, contributing to more trustworthy decentralized collaborative learning in real-world deployments.
Abstract
Decentralized Federated Learning (DFL) emerges as an innovative paradigm to train collaborative models, addressing the single point of failure limitation. However, the security and trustworthiness of FL and DFL are compromised by poisoning attacks, which negatively impact their performance. Existing defense mechanisms have been designed for centralized FL and do not adequately exploit the particularities of DFL. Thus, this work introduces Sentinel, a defense strategy to counteract poisoning attacks in DFL. Sentinel leverages the accessibility of local data and defines a three-step aggregation protocol consisting of similarity filtering, bootstrap validation, and normalization to safeguard against malicious model updates. Sentinel has been evaluated with diverse datasets and data distributions, and against various poisoning attack types and threat levels. The results improve the state-of-the-art performance against both untargeted and targeted poisoning attacks when data follows an IID (Independent and Identically Distributed) configuration. Under a non-IID configuration, the work analyzes how performance degrades for both Sentinel and other state-of-the-art robust aggregation methods.
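The three phases named in the TL;DR and abstract can be sketched as follows. This is an added example, not the authors' implementation or Fedstellar code. The similarity threshold, the `exp(-loss)` weight mapping, clipping each layer to the local layer's L2 norm, and the `toy_loss` stand-in for bootstrap validation are all assumptions made for illustration.

```python
import math

def l2(v):
    return math.sqrt(sum(x * x for x in v))

def cos_sim(a, b):
    na, nb = l2(a), l2(b)
    return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0

def aggregate(local, neighbors, val_loss, sim_threshold=0.5):
    """Three-phase aggregation sketch. Models are {layer_name: [float, ...]}.
    val_loss(model) returns the loss on a bootstrap sample of local data."""
    # Phase 1: drop neighbors whose mean layer-wise cosine similarity to the
    # local model falls below the threshold (threshold value is an assumption).
    kept = {n: m for n, m in neighbors.items()
            if sum(cos_sim(local[l], m[l]) for l in local) / len(local) >= sim_threshold}
    # Phase 2: weight each survivor by its loss on local validation data.
    # exp(-loss) is an assumed mapping; lower loss gives higher weight.
    models = {"local": local, **kept}
    weights = {n: math.exp(-val_loss(m)) for n, m in models.items()}
    total = sum(weights.values())
    # Phase 3: clip each layer to the local layer's L2 norm so a scaled-up
    # update cannot dominate the average (assumed form of the normalization).
    agg = {}
    for l, ref in local.items():
        agg[l] = [0.0] * len(ref)
        for n, m in models.items():
            scale = min(1.0, l2(ref) / l2(m[l])) if l2(m[l]) else 1.0
            for i, x in enumerate(m[l]):
                agg[l][i] += weights[n] / total * scale * x
    return agg, sorted(kept)

# Constructed sample: one honest peer, one sign-flipped, one scaled 100x.
LOCAL = {"fc1": [1.0, 2.0], "fc2": [0.5, -0.5]}
PEERS = {
    "honest": {"fc1": [1.1, 1.9], "fc2": [0.4, -0.6]},
    "flipped": {"fc1": [-1.0, -2.0], "fc2": [-0.5, 0.5]},
    "scaled": {"fc1": [100.0, 200.0], "fc2": [50.0, -50.0]},
}

def toy_loss(model):
    # Stand-in for a bootstrap validation loss: squared distance to LOCAL.
    return sum((x - y) ** 2 for l in LOCAL for x, y in zip(model[l], LOCAL[l]))

if __name__ == "__main__":
    print(aggregate(LOCAL, PEERS, toy_loss))
```

The scaled peer has cosine similarity 1.0 to the local model, so it survives phase 1 and is contained only by the loss weighting and the norm clipping, which is why the filter alone is not sufficient.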
