Aggressive or Imperceptible, or Both: Network Pruning Assisted Hybrid Byzantines in Federated Learning
Emre Ozfatura, Kerem Ozfatura, Alptekin Kupcu, Deniz Gunduz
TL;DR
This paper addresses the Byzantine robustness problem in federated learning by showing that exploiting NN topology can yield stronger, more stealthy attacks. It introduces a two-part hybrid sparse Byzantine attack that splits perturbations into an imperceptible, index-wise component and a stronger, Euclidean-distance–oriented component, guided by a sparsity mask derived from network pruning. The authors demonstrate, through extensive simulations across multiple datasets, models, and defensive aggregators, that their attack can substantially degrade or even derail learning, often outperforming existing attacks especially under non-IID data. The work highlights the need to consider topology-informed vulnerabilities in designing robust aggregators and paves the way for topology-aware defenses in federated settings.
Abstract
Federated learning (FL) enables a large number of clients, possibly mobile devices, to collaborate on training a generalized machine learning model: the model benefits from a larger number of local samples, which are never shared, so the collaborating clients retain a certain degree of privacy. However, because so many clients participate, it is often difficult to profile and verify each of them, which creates a security threat: malicious participants may hamper the accuracy of the trained model by conveying poisoned models during training. Hence, the aggregation framework at the parameter server also needs to minimize the detrimental effects of these malicious clients. A plethora of attack and defence strategies have been analyzed in the literature. However, the Byzantine problem is often analyzed solely from the outlier-detection perspective, oblivious to the topology of neural networks (NNs). In the scope of this work, we argue that by extracting certain side information specific to the NN topology, one can design stronger attacks. Hence, inspired by sparse neural networks, we introduce a hybrid sparse Byzantine attack composed of two parts: one exhibiting a sparse nature and attacking only certain NN locations with higher sensitivity, and the other being more silent but accumulating over time. Each part ideally targets a different type of defence mechanism, and together they form a strong but imperceptible attack. Finally, we show through extensive simulations that the proposed hybrid Byzantine attack is effective against 8 different defence methods.
