Resilience in Online Federated Learning: Mitigating Model-Poisoning Attacks via Partial Sharing

Ehsan Lari, Reza Arablouei, Vinay Chakravarthi Gogineni, Stefan Werner

TL;DR

This work studies resilience of partial-sharing online federated learning (PSO-Fed) to model-poisoning attacks by Byzantine clients. It shows that sharing only a fraction of model parameters, with probability $p_e = M/D$, not only reduces communication but also enhances robustness under random client scheduling. The authors derive mean and mean-square convergence conditions, a closed-form steady-state MSE that accounts for attack probability $p_a$ and the number of malicious clients, and reveal a non-trivial optimal stepsize $\mu^*$ that improves robustness. Simulations demonstrate PSO-Fed's superior performance over several baselines without extra client burden, validating both the theoretical predictions and the practical viability of partial sharing for robust online FL.

Abstract

Federated learning (FL) allows training machine learning models on distributed data without compromising privacy. However, FL is vulnerable to model-poisoning attacks where malicious clients tamper with their local models to manipulate the global model. In this work, we investigate the resilience of the partial-sharing online FL (PSO-Fed) algorithm against such attacks. PSO-Fed reduces communication overhead by allowing clients to share only a fraction of their model updates with the server. We demonstrate that this partial sharing mechanism has the added advantage of enhancing PSO-Fed's robustness to model-poisoning attacks. Through theoretical analysis, we show that PSO-Fed maintains convergence even under Byzantine attacks, where malicious clients inject noise into their updates. Furthermore, we derive a formula for PSO-Fed's mean square error, considering factors like stepsize, attack probability, and the number of malicious clients. Interestingly, we find a non-trivial optimal stepsize that maximizes PSO-Fed's resistance to these attacks. Extensive numerical experiments confirm our theoretical findings and showcase PSO-Fed's superior performance against model-poisoning attacks compared to other leading FL algorithms.
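
The mechanism described above, as an added sketch that is not code from the paper: a simplified partial-sharing online FL loop in which clients exchange only $M$ of $D$ model entries per round, and Byzantine clients add zero-mean noise of variance $\sigma_B^2$ to what they upload with probability $p_a$. The linear model, LMS local update, uniformly random entry selection, convention that the first `n_byz` clients are Byzantine, and all function and parameter names are assumptions made for this illustration.

```python
import numpy as np

def steady_state_msd(M, D=10, K=20, n_sched=10, n_byz=5, p_a=1.0,
                     sigma_b2=0.25, mu=0.05, iters=1000, seed=0):
    """Simplified partial-sharing online FL on a linear model (assumed setup).

    Returns the global model's mean-square deviation from the true model,
    averaged over the last 500 iterations. Clients 0..n_byz-1 are Byzantine.
    """
    rng = np.random.default_rng(seed)
    w_true = rng.standard_normal(D)      # constructed ground-truth model
    w_glob = np.zeros(D)                 # server model
    w_loc = np.zeros((K, D))             # one local model per client
    msd = []
    for _ in range(iters):
        # Random client scheduling: only n_sched clients talk to the server.
        sched = set(rng.choice(K, size=n_sched, replace=False).tolist())
        agg = np.zeros(D)
        for k in range(K):
            if k in sched:
                # Downlink: overwrite M random entries with the global values.
                down = rng.choice(D, size=M, replace=False)
                w_loc[k, down] = w_glob[down]
            # Local online (LMS) update on one fresh streaming sample.
            x = rng.standard_normal(D)
            y = x @ w_true + 0.03 * rng.standard_normal()
            w_loc[k] += mu * x * (y - x @ w_loc[k])
            if k in sched:
                # Uplink: only M entries are shared with the server.
                up = rng.choice(D, size=M, replace=False)
                shared = w_loc[k, up].copy()
                if k < n_byz and rng.random() < p_a:
                    # Model poisoning: zero-mean noise of variance sigma_b2.
                    shared += np.sqrt(sigma_b2) * rng.standard_normal(M)
                agg[up] += shared - w_glob[up]
        # Server keeps its own value for every entry a client did not send.
        w_glob = w_glob + agg / n_sched
        msd.append(float(np.sum((w_glob - w_true) ** 2)))
    return float(np.mean(msd[-500:]))

if __name__ == "__main__":
    for M in (1, 5, 10):                 # M = D = 10 is full sharing
        print(f"M={M:2d}  steady-state MSD under attack: {steady_state_msd(M):.4f}")
```

In this sketch the poisoned noise reaches the server only through the $M$ uploaded entries, so lowering $M$ shrinks the per-round noise injected into the global model.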

Paper Structure (17 sections, 72 equations, 9 figures)

This paper contains 17 sections, 72 equations, 9 figures.

Figures (9)

  • Figure 1: Steady-state test MSE for different algorithms with different numbers of Byzantine clients $|\mathcal{S}_B|$, attack strength $\sigma_{B}^2 = 0.25$ and attack probability $p_a = 1$.
  • Figure 2: Steady-state test MSE of PSO-Fed for different numbers of shared elements $M$ with different numbers of Byzantine clients $|\mathcal{S}_B|$, attack strength $\sigma_{B}^2 = 0.5$ and attack probability $p_a = 0.2$.
  • Figure 3: Network-wide average MSE of PSO-Fed for different values of attack strengths $\sigma_{B}^2$ and Byzantine clients $|\mathcal{S}_B|$, number of shared elements $M = 1$ and attack probability $p_a = 0.2$.
  • Figure 4: Effect of attack probability $p_a$ on steady-state test MSE of PSO-Fed for different numbers of Byzantine clients $|\mathcal{S}_B|$, number of shared elements $M = 1$ and attack strength $\sigma_{B}^2 = 0.25$.
  • Figure 5: Effect of attack probability $p_a$ on steady-state test MSE of PSO-Fed for different numbers of shared elements $M \in \{1,5\}$, number of Byzantine clients $|\mathcal{S}_B| = 5$ and attack strength $\sigma_{B}^2 = 0.25$.
  • ...and 4 more figures