Towards Efficient and Certified Recovery from Poisoning Attacks in Federated Learning

Yu Jiang, Jiyuan Shen, Ziyao Liu, Chee Wei Tan, Kwok-Yan Lam

TL;DR

This paper tackles the problem of recovering an accurate global model after poisoning in federated learning, addressing the delay in detection and the high cost of existing recovery methods. It introduces Crab, a recovery method that uses selective storage of impactful historical information and adaptive rollback to a historical model not heavily corrupted by attackers, achieving faster recovery with lower memory usage. The authors prove a theoretical bound on the discrepancy between Crab’s recovered model and a train-from-scratch baseline, and demonstrate empirically that Crab outperforms baselines on multiple datasets and attack types in terms of accuracy, speed, and memory efficiency. The approach has practical significance for secure, scalable FL deployments where timely remediation is critical and resource constraints are tight.

Abstract

Federated learning (FL) is vulnerable to poisoning attacks, where malicious clients manipulate their updates to affect the global model. Although various methods exist for detecting those clients in FL, identifying malicious clients requires sufficient model updates, and hence by the time malicious clients are detected, FL models have been already poisoned. Thus, a method is needed to recover an accurate global model after malicious clients are identified. Current recovery methods rely on (i) all historical information from participating FL clients and (ii) the initial model unaffected by the malicious clients, leading to a high demand for storage and computational resources. In this paper, we show that highly effective recovery can still be achieved based on (i) selective historical information rather than all historical information and (ii) a historical model that has not been significantly affected by malicious clients rather than the initial model. In this scenario, while maintaining comparable recovery performance, we can accelerate the recovery speed and decrease memory consumption. Following this concept, we introduce Crab, an efficient and certified recovery method, which relies on selective information storage and adaptive model rollback. Theoretically, we demonstrate that the difference between the global model recovered by Crab and the one recovered by train-from-scratch can be bounded under certain assumptions. Our empirical evaluation, conducted across three datasets over multiple machine learning models, and a variety of untargeted and targeted poisoning attacks reveals that Crab is both accurate and efficient, and consistently outperforms previous approaches in terms of both recovery speed and memory consumption.
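As an added illustration (not the paper's code) of the recovery idea in the abstract: a toy FedAvg run in which a constructed attacker joins at round 12; recovery rolls back to the last stored checkpoint before that round and reruns only the remaining rounds with the benign clients, reaching the same model as retraining from M_0 in a fraction of the rounds. The client data, the attacker's behaviour and the choice of rollback point j* are assumptions of this example, not the paper's adaptive selection rule.

```python
import random

# Minimal vector helpers so the demo runs without numpy.
def vadd(a, b): return [x + y for x, y in zip(a, b)]
def vmean(vs): return [sum(c) / len(vs) for c in zip(*vs)]
def dist(a, b): return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def client_update(model, local_opt, lr=0.5):
    # One local step toward the client's own optimum; deterministic given `model`.
    return [lr * (o - m) for o, m in zip(local_opt, model)]

def fedavg(model, updates):
    # Server aggregation: apply the mean of the client deltas.
    return vadd(model, vmean(updates))

def train(m0, rounds, benign, malicious=(), attack_start=None):
    """Run FL and return the stored checkpoints M_0..M_T (one per round)."""
    ckpts, model = [m0], m0
    for t in range(rounds):
        ups = [client_update(model, o) for o in benign]
        if attack_start is not None and t >= attack_start:
            # Constructed poison: boosted steps toward an attacker-chosen point.
            ups += [client_update(model, o, lr=3.0) for o in malicious]
        model = fedavg(model, ups)
        ckpts.append(model)
    return ckpts

def recover_from_scratch(ckpts, benign, rounds):
    # Baseline: retrain from the initial model M_0 with the malicious clients removed.
    return train(ckpts[0], rounds, benign)[-1], rounds

def recover_rollback(ckpts, benign, rounds, j_star):
    # Rollback: restart from checkpoint M_{j*} and rerun only the remaining rounds.
    return train(ckpts[j_star], rounds - j_star, benign)[-1], rounds - j_star

def demo(rounds=20, attack_start=12, seed=0):
    rng = random.Random(seed)  # constructed clients clustered around the optimum (1, 2)
    benign = [[1.0 + rng.gauss(0, 0.1), 2.0 + rng.gauss(0, 0.1)] for _ in range(8)]
    malicious = [[-5.0, -5.0]]
    poisoned = train([0.0, 0.0], rounds, benign, malicious, attack_start)
    m_scratch, cost_scratch = recover_from_scratch(poisoned, benign, rounds)
    # Assumption: j* is the last checkpoint written before any malicious update; the
    # paper's adaptive rollback also tolerates checkpoints that are only mildly affected.
    m_rollback, cost_rollback = recover_rollback(poisoned, benign, rounds, attack_start)
    return {
        "poison_distance": dist(poisoned[-1], m_scratch),  # how far the attack moved the model
        "recovery_gap": dist(m_rollback, m_scratch),      # 0.0: rollback matches scratch
        "scratch_rounds": cost_scratch, "rollback_rounds": cost_rollback,
    }

if __name__ == "__main__":
    print(demo())
```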

Paper Structure (27 sections, 1 theorem, 28 equations, 9 figures, 3 tables)

Key Result

Theorem 1

The difference between the global model recovered by Crab in round $t$ and that recovered by train-from-scratch in round $\tau$ can be bounded as follows: where $\tilde{M}_r$ and $M_{\tau}$ are the global models recovered by Crab in round $r$ and train-from-scratch in round $\tau$ respectively, $\tau = \lceil r \cdot \frac{T}{(T^\prime-j^\star)} \rceil$, $\tilde{M}_0$ is the initial model used in

Figures (9)

  • Figure 1: An illustration of Crab scheme.
  • Figure 2: An illustration of the recovery process.
  • Figure 3: The loss descent curve of the recovery process on MNIST, Fashion-MNIST and CIFAR-10 when the percentage of target clients is 10%, 25%, 50% respectively.
  • Figure 4: The test accuracy on MNIST dataset after recovering from backdoor attack when attack intensity is at 10%, 25% and 50% respectively.
  • Figure 5: The test accuracy on Fashion-MNIST and CIFAR-10 after recovering from backdoor attack when attack intensity is at 50%.
  • ...and 4 more figures

Theorems & Definitions (1)

  • Theorem 1: Model difference between Crab and train-from-scratch