SaFL: Sybil-aware Federated Learning with Application to Face Recognition

Mahdi Ghafourian, Julian Fierrez, Ruben Vera-Rodriguez, Ruben Tolosana, Aythami Morales

TL;DR

Federated Learning enables collaborative training without sharing raw data, but is vulnerable to Sybil-based targeted poisoning under non-IID conditions. The authors propose SaFL, a Sybil-aware, time-variant aggregation that groups updates by cosine similarity and replaces each group with a median representative, reducing the influence of malicious updates. Through experiments on face recognition with non-IID data, SaFL is compared against Multi-Krum and FoolsGold, showing strong protection with minimal degradation in learning performance; a decaying similarity threshold further enhances robustness. This work offers a practical defense for secure FL deployments, particularly in privacy-sensitive, large-scale face recognition settings.
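The aggregation step summarised above, as an added Python illustration that is not code from the paper or its authors: client updates are grouped greedily by cosine similarity against the first member of each group, each group is collapsed to a single coordinate-wise median representative, the representatives are averaged, and the similarity threshold decays geometrically from round to round. The greedy grouping rule, the coordinate-wise median, the decay schedule (initial 0.99, factor 0.98, floor 0.80) and the six constructed update vectors are assumptions made for this illustration, not details taken from the paper.

```python
"""Sybil-aware aggregation in the spirit of SaFL (added illustration).

Assumptions (not taken from the paper): greedy grouping against the first
member of each group, coordinate-wise median as the group representative,
and a geometric decay of the cosine-similarity threshold per round.
"""
import math
from typing import List, Sequence, Tuple

Vector = List[float]


def cosine_similarity(u: Sequence[float], v: Sequence[float]) -> float:
    """Cosine of the angle between two update vectors (0.0 if either is zero)."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    if nu == 0.0 or nv == 0.0:
        return 0.0
    return dot / (nu * nv)


def group_by_similarity(updates: Sequence[Vector], threshold: float) -> List[List[int]]:
    """Greedy grouping: an update joins the first group whose seed update is at
    least `threshold` cosine-similar to it; otherwise it seeds a new group.
    Near-identical Sybil updates therefore land in one group."""
    groups: List[List[int]] = []
    for i, u in enumerate(updates):
        for g in groups:
            if cosine_similarity(updates[g[0]], u) >= threshold:
                g.append(i)
                break
        else:
            groups.append([i])
    return groups


def coordinate_median(vectors: Sequence[Vector]) -> Vector:
    """Coordinate-wise median of a non-empty list of equal-length vectors."""
    out: Vector = []
    for j in range(len(vectors[0])):
        col = sorted(v[j] for v in vectors)
        n, mid = len(col), len(col) // 2
        out.append(col[mid] if n % 2 else 0.5 * (col[mid - 1] + col[mid]))
    return out


def fedavg(updates: Sequence[Vector]) -> Vector:
    """Plain federated averaging: every update counts with equal weight."""
    n = len(updates)
    return [sum(u[j] for u in updates) / n for j in range(len(updates[0]))]


def decayed_threshold(round_idx: int, initial: float = 0.99,
                      decay: float = 0.98, floor: float = 0.80) -> float:
    """Time-variant threshold (assumed schedule): tighter early, relaxed later,
    never below `floor` so benign-but-similar clients are not merged forever."""
    return max(floor, initial * decay ** round_idx)


def safl_aggregate(updates: Sequence[Vector], threshold: float) -> Tuple[Vector, List[List[int]]]:
    """Group updates, replace each group by its median representative, then
    average the representatives. Returns (aggregate, groups)."""
    groups = group_by_similarity(updates, threshold)
    reps = [coordinate_median([updates[i] for i in g]) for g in groups]
    return fedavg(reps), groups


# Constructed sample round: three benign non-IID clients pull in different
# directions; three Sybils send near-identical updates that all push the last
# coordinate strongly negative (the "targeted class" in the label-flipping story).
BENIGN: List[Vector] = [
    [1.0, 0.2, 0.0, 0.1],
    [0.1, 1.0, 0.3, 0.0],
    [0.0, 0.2, 1.0, 0.2],
]
SYBILS: List[Vector] = [
    [0.00, 0.00, 0.0, -3.0],
    [0.00, 0.05, 0.0, -3.1],
    [0.05, 0.00, 0.0, -2.9],
]
ALL_UPDATES: List[Vector] = BENIGN + SYBILS


if __name__ == "__main__":
    thr = decayed_threshold(0)  # first round: 0.99
    agg, groups = safl_aggregate(ALL_UPDATES, thr)
    print("groups:", groups)                 # the three Sybils share one group
    print("FedAvg :", fedavg(ALL_UPDATES))   # Sybils carry 3/6 of the weight
    print("SaFL   :", agg)                   # the Sybil group carries 1/4
```

With these inputs plain FedAvg lets the three Sybils hold half the weight of the round (last coordinate -1.45), while the grouped aggregate gives their single representative one vote in four (last coordinate -0.675). Because a group is replaced by its median rather than dropped, a benign update that happens to be clustered with attackers still shapes the representative instead of being discarded outright, which is the failure mode scenario (B) of Figure 3 is concerned with.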

Abstract

Federated Learning (FL) is a machine learning paradigm to conduct collaborative learning among clients on a joint model. The primary goal is to share clients' local training parameters with an integrating server while preserving their privacy. This method makes it possible to exploit the potential of massive mobile users' data for the benefit of machine learning models' performance while keeping sensitive data on local devices. On the downside, FL raises security and privacy concerns that have just started to be studied. To address some of the key threats in FL, researchers have proposed to use secure aggregation methods (e.g. homomorphic encryption, secure multiparty computation, etc.). These solutions improve some security and privacy metrics, but at the same time bring about other serious threats such as poisoning attacks, backdoor attacks, and free running attacks. This paper proposes a new defense method against poisoning attacks in FL called SaFL (Sybil-aware Federated Learning) that minimizes the effect of sybils with a novel time-variant aggregation scheme.

Paper Structure

This paper contains 12 sections, 1 equation, 6 figures, and 1 algorithm.

Figures (6)

  • Figure 1: Visual concept of a targeted poisoning attack with multiple targets in Federated Learning (FL). The big oval represents the true objective of the aggregation. Black arrows show the first learning steps in the $\mathbb{R}^{d}$ space of learning parameters. The red arrows are sybils with different targets. Green arrows are updates from benign clients.
  • Figure 2: Federated Learning paradigm for face recognition using non-IID data with and without Sybil-based poisonous attack. The label-flipping attack is demonstrated in (b) where two Sybils poison the model by training locally on their arbitrary data but labeled with the victim (target).
  • Figure 3: Solid arrows represent the accumulated updates of participants (red arrows show Sybils, green arrows show benign updates). The black dashed line shows the median of all accumulated updates within $\nu$ at iteration $t$. Dashed arrows around the solid lines are the gradients of previous iterations up to iteration $t$. Our SaFL method mitigates the Sybil attack in scenario (A), where the attacker uses two Sybils with very similar updates to overpower the targeted class, and in (B), where the attacker tries to fool the mitigation method so as to cause the deletion of benign update(s) from the aggregation.
  • Figure 4: Label-flipping attack rate for a varying number of poisoners (Sybils) with a single target (left) and with multiple targets, one Sybil per target (right), using the FL baseline, FoolsGold (FG), Multi-Krum, and SaFL at different thresholds.
  • Figure 5: Training loss comparison over 300 iterations of federated learning for a varying number of poisoners (Sybils), increasing from top to bottom, with a single target.
  • ...and 1 more figure