FedMID: A Data-Free Method for Using Intermediate Outputs as a Defense Mechanism Against Poisoning Attacks in Federated Learning

Sungwon Han, Hyeonho Song, Sungwon Park, Meeyoung Cha

TL;DR

This work tackles poisoning attacks in federated learning by challenging the reliance on model parameters for defense. It introduces FedMID, a data-free method that evaluates and compares the models’ functional mappings through their intermediate outputs obtained from synthetic data, guarded by normalization and distance-based analysis across layers. FedMID demonstrates superior robustness across non-IID settings, multiple model architectures, and adaptive attack scenarios, outperforming traditional parameter-based defenses in accuracy and security metrics. The approach preserves privacy by avoiding real data usage and provides a practical, scalable defense mechanism for safe cross-client collaboration in FL.

Abstract

Federated learning combines local updates from clients to produce a global model, which is susceptible to poisoning attacks. Most previous defense strategies relied on vectors derived from projections of local updates on a Euclidean space; however, these methods fail to accurately represent the functionality and structure of local models, resulting in inconsistent performance. Here, we present a new paradigm to defend against poisoning attacks in federated learning using functional mappings of local models based on intermediate outputs. Experiments show that our mechanism is robust under a broad range of computing conditions and advanced attack scenarios, enabling safer collaboration among data-sensitive participants via federated learning.

Paper Structure

This paper contains 37 sections, 8 equations, 4 figures, 26 tables, and 1 algorithm.

Figures (4)

  • Figure 1: Illustration of the proposed approach. (a) Parameter-based approach measures the difference in knowledge between two models by comparing their local update vectors; (b) Our approach compares intermediate outputs of two models for the same input to measure the difference in knowledge.
  • Figure 2: Empirical evidence for the limitations of the parameter-based approach: (a) While parameter-based distance keeps diverging as training progresses, intermediate-output-based distance changes little or decreases. (b) Parameter-based distance yields a higher ratio of the intra-distance among benign clients to the inter-distance between malicious and benign clients (i.e., $\text{dist}_{b} / \text{dist}_{b-m}$), meaning benign clients look almost as different from each other as from attackers and are harder to separate. (c) The variance differs by layer position, with earlier layers showing greater variance (L1: the first intermediate block, L4: the final intermediate block).
  • Figure 3: Robustness analysis under targeted attack scenarios with varying simulation parameters: (a,d) effect of non-IID-ness, (b,e) effect of the number of local epochs, and (c,f) effect of the backbone. ACC (clean accuracy) and ASR (attack success rate) are shown for each defense method.
  • Figure 4: Grad-CAM visualization of global model's prediction from different defense strategies under targeted attacks over TinyImageNet.
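The contrast Figure 2 describes, and the normalized intermediate-output comparison on synthetic inputs that the TL;DR summarizes, as an added illustration that is not the paper's own FedMID code: a tiny two-layer ReLU network in pure Python, six constructed clients (four with small random drift from the global model, one function-preserving rescaling of the global model, and one malicious client whose output layer is negated), and a simple median-based outlier rule that stands in for a real robust aggregator. The model dimensions, noise level, rescaling factor, outlier rule, and the 32 synthetic Gaussian inputs are all assumptions made for the example.

```python
"""Parameter-space vs intermediate-output distance between FL client models.

Illustrative reimplementation, not the paper's code: the detector is a plain
median-based outlier rule, and every size/noise constant below is an assumption.
"""
import math
import random
from statistics import median


def make_model(rng, d_in=4, d_hid=8, d_out=3):
    """Two-layer ReLU MLP as [(W1, b1), (W2, b2)]; weights ~ N(0, .5), biases ~ N(0, .1)."""
    mat = lambda r, c: [[rng.gauss(0, 0.5) for _ in range(c)] for _ in range(r)]
    vec = lambda n: [rng.gauss(0, 0.1) for _ in range(n)]
    return [(mat(d_hid, d_in), vec(d_hid)), (mat(d_out, d_hid), vec(d_out))]


def intermediate_outputs(model, x):
    """Activation vector of every layer for input x (ReLU on all but the last layer)."""
    outs, h = [], x
    for i, (W, b) in enumerate(model):
        z = [sum(w * v for w, v in zip(row, h)) + bi for row, bi in zip(W, b)]
        h = [max(0.0, v) for v in z] if i < len(model) - 1 else z
        outs.append(h)
    return outs


def flatten(model):
    flat = []
    for W, b in model:
        flat.extend(v for row in W for v in row)
        flat.extend(b)
    return flat


def l2(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def param_distance(m1, m2):
    """Euclidean distance between flattened parameter vectors (the baseline being criticised)."""
    return l2(flatten(m1), flatten(m2))


def _unit(v, eps=1e-9):
    n = math.sqrt(sum(a * a for a in v))
    return v if n < eps else [a / n for a in v]   # an all-zero ReLU output is left as-is


def intermediate_distance(m1, m2, xs):
    """Mean, over synthetic inputs and layers, of the distance between unit-normalised
    intermediate outputs. Normalisation stops a high-variance layer from dominating
    and makes scale-equivalent models compare as equal (cf. Figure 2c)."""
    per_layer = [0.0] * len(m1)
    for x in xs:
        for k, (a, b) in enumerate(zip(intermediate_outputs(m1, x), intermediate_outputs(m2, x))):
            per_layer[k] += l2(_unit(a), _unit(b)) / len(xs)
    return sum(per_layer) / len(per_layer)


def perturb(model, rng, sigma):
    """Benign drift: add N(0, sigma) noise to every parameter."""
    return [([[w + rng.gauss(0, sigma) for w in row] for row in W],
             [v + rng.gauss(0, sigma) for v in b]) for W, b in model]


def rescale(model, a):
    """ReLU is positively homogeneous: scaling layer 1 by a and layer 2 by 1/a leaves the
    function unchanged although the parameter vector moves a long way (benign but 'far')."""
    (W1, b1), (W2, b2) = model
    return [([[a * w for w in row] for row in W1], [a * v for v in b1]),
            ([[w / a for w in row] for row in W2], b2)]


def negate_output(model):
    """Constructed malicious client: flips the sign of every logit, a functional change
    whose parameter displacement is of the same order as the benign rescaling."""
    (W1, b1), (W2, b2) = model
    return [(W1, b1), ([[-w for w in row] for row in W2], [-v for v in b2])]


def pairwise(models, dist):
    return [[0.0 if i == j else dist(a, b) for j, b in enumerate(models)]
            for i, a in enumerate(models)]


def flag_outliers(D, factor=3.0):
    """Score each client by its median distance to the others; flag scores above
    factor x the median score. Simple illustrative rule, not FedMID's aggregation."""
    scores = [median(row[j] for j in range(len(row)) if j != i) for i, row in enumerate(D)]
    thr = factor * median(scores)
    return {i for i, s in enumerate(scores) if s > thr}


def distance_ratio(D, benign, malicious):
    """dist_b / dist_{b-m}: mean intra-benign distance over mean benign-to-malicious distance."""
    intra = [D[i][j] for i in benign for j in benign if i < j]
    inter = [D[i][j] for i in benign for j in malicious]
    return (sum(intra) / len(intra)) / (sum(inter) / len(inter))


def simulate(seed=0, n_noise=4):
    rng = random.Random(seed)
    g = make_model(rng)
    clients = [perturb(g, rng, 0.02) for _ in range(n_noise)]   # ordinary benign drift
    clients.append(perturb(rescale(g, 3.0), rng, 0.02))         # benign, function-preserving
    clients.append(negate_output(g))                            # malicious
    benign, malicious = list(range(n_noise + 1)), [n_noise + 1]
    xs = [[rng.gauss(0, 1) for _ in range(4)] for _ in range(32)]  # data-free: synthetic inputs
    D_param = pairwise(clients, param_distance)
    D_mid = pairwise(clients, lambda a, b: intermediate_distance(a, b, xs))
    return {"param_flagged": flag_outliers(D_param), "mid_flagged": flag_outliers(D_mid),
            "param_ratio": distance_ratio(D_param, benign, malicious),
            "mid_ratio": distance_ratio(D_mid, benign, malicious), "malicious": set(malicious)}


if __name__ == "__main__":
    print(simulate())
```

Run as a script, the parameter-based rule flags both the malicious client and the rescaled benign client (a false positive, since the rescaling changes no prediction), while the normalized intermediate-output rule flags only the malicious one; the dist_b / dist_{b-m} ratio is also lower for the intermediate-output distance, matching the direction of Figure 2(b). The `_unit` guard matters in practice: a ReLU block can emit an all-zero vector for some inputs, and dividing by its norm would otherwise produce NaNs that silently corrupt every score.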