Competitive Advantage Attacks to Decentralized Federated Learning

Yuqi Jia, Minghong Fang, Neil Zhenqiang Gong

TL;DR

This work identifies a covert insider threat in decentralized federated learning where colluding selfish clients craft updates sent to non-selfish peers to gain a competitive edge. It formalizes SelfishAttack as a two-term optimization balancing utility preservation and competitive degradation, then derives closed-form optimal shared-model constructions for FedAvg, Median, and Trimmed-mean, with transferable strategies to other aggregation rules. The authors establish theoretical optimality for the targeted rules and validate the approach empirically across CIFAR-10, FEMNIST, and Sent140, showing meaningful accuracy gaps in favor of selfish clients and outperformance of existing poisoning baselines. The findings highlight a significant vulnerability in DFL and motivate development of defenses that ensure robust, verifiable updates across distributed participants, with practical implications for security in multi-institutional collaborative learning.

Abstract

Decentralized federated learning (DFL) enables clients (e.g., hospitals and banks) to jointly train machine learning models without a central orchestration server. In each global training round, each client trains a local model on its own training data and then they exchange local models for aggregation. In this work, we propose SelfishAttack, a new family of attacks to DFL. In SelfishAttack, a set of selfish clients aim to achieve competitive advantages over the remaining non-selfish ones, i.e., the final learnt local models of the selfish clients are more accurate than those of the non-selfish ones. Towards this goal, the selfish clients send carefully crafted local models to each remaining non-selfish one in each global training round. We formulate finding such local models as an optimization problem and propose methods to solve it when DFL uses different aggregation rules. Theoretically, we show that our methods find the optimal solutions to the optimization problem. Empirically, we show that SelfishAttack successfully increases the accuracy gap (i.e., competitive advantage) between the final learnt local models of selfish clients and those of non-selfish ones. Moreover, SelfishAttack achieves larger accuracy gaps than poisoning attacks when extended to increase competitive advantages.

Paper Structure

This paper contains 36 sections, 4 theorems, 39 equations, 6 figures, 11 tables, 2 algorithms.

Key Result

Theorem 1

The optimal solution ${\bm{w}}_i^{*}[k]$ of Equation equation:lambdaless1 is as follows:

Figures (6)

  • Figure 1: An illustration of SelfishAttack. Non-selfish clients share their pre-aggregation models with all; selfish clients send tailored models to non-selfish clients to manipulate their updates.
  • Figure 2: Example of selfish clients crafting shared models to attack Trimmed-mean. Values increase from left to right. Arrows indicate the shared model parameters of selfish clients. Parameters within the two grey regions will be filtered out by a non-selfish client.
  • Figure 3: Impact of $\lambda$ on Gap of SelfishAttack when DFL uses different aggregation rules.
  • Figure 4: Impact of the degree of Non-IID on Gap when DFL uses different aggregation rules.
  • Figure 5: Impact of the fraction of selfish clients on Gap when DFL uses different aggregation rules.
  • ...and 1 more figure

Theorems & Definitions (8)

  • Theorem 1
  • proof
  • Theorem 2
  • proof
  • Theorem 3
  • proof
  • Theorem 4
  • proof