Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Certifiably Byzantine-Robust Federated Conformal Prediction

Mintong Kang, Zhen Lin, Jimeng Sun, Cao Xiao, Bo Li

TL;DR

This paper tackles the challenge of uncertainty quantification in federated learning when some clients may behave maliciously. It introduces Rob-FCP, a certifiably Byzantine-robust federated conformal prediction framework that detects and excludes malicious clients via a conformity-score-vector representation and a maliciousness score, while providing provable coverage guarantees. The authors also develop a malicious-client-number estimator based on EM to handle unknown numbers of attackers and prove precision bounds for the estimator. Empirically, Rob-FCP achieves coverage close to the nominal level across five datasets under diverse Byzantine attacks, outperforming standard FCP and validating the theoretical guarantees. The work enables safe, distributed uncertainty quantification in privacy-preserving settings, with implications for healthcare and other safety-critical domains.

Abstract

Conformal prediction has shown impressive capacity in constructing statistically rigorous prediction sets for machine learning models with exchangeable data samples. The siloed datasets, coupled with the escalating privacy concerns related to local data sharing, have inspired recent innovations extending conformal prediction into federated environments with distributed data samples. However, this framework for distributed uncertainty quantification is susceptible to Byzantine failures. A minor subset of malicious clients can significantly compromise the practicality of coverage guarantees. To address this vulnerability, we introduce a novel framework Rob-FCP, which executes robust federated conformal prediction, effectively countering malicious clients capable of reporting arbitrary statistics with the conformal calibration process. We theoretically provide the conformal coverage bound of Rob-FCP in the Byzantine setting and show that the coverage of Rob-FCP is asymptotically close to the desired coverage level. We also propose a malicious client number estimator to tackle a more challenging setting where the number of malicious clients is unknown to the defender and theoretically shows its effectiveness. We empirically demonstrate the robustness of Rob-FCP against diverse proportions of malicious clients under a variety of Byzantine attacks on five standard benchmark and real-world healthcare datasets.

Certifiably Byzantine-Robust Federated Conformal Prediction

TL;DR

This paper tackles the challenge of uncertainty quantification in federated learning when some clients may behave maliciously. It introduces Rob-FCP, a certifiably Byzantine-robust federated conformal prediction framework that detects and excludes malicious clients via a conformity-score-vector representation and a maliciousness score, while providing provable coverage guarantees. The authors also develop a malicious-client-number estimator based on EM to handle unknown numbers of attackers and prove precision bounds for the estimator. Empirically, Rob-FCP achieves coverage close to the nominal level across five datasets under diverse Byzantine attacks, outperforming standard FCP and validating the theoretical guarantees. The work enables safe, distributed uncertainty quantification in privacy-preserving settings, with implications for healthcare and other safety-critical domains.

Abstract

Conformal prediction has shown impressive capacity in constructing statistically rigorous prediction sets for machine learning models with exchangeable data samples. The siloed datasets, coupled with the escalating privacy concerns related to local data sharing, have inspired recent innovations extending conformal prediction into federated environments with distributed data samples. However, this framework for distributed uncertainty quantification is susceptible to Byzantine failures. A minor subset of malicious clients can significantly compromise the practicality of coverage guarantees. To address this vulnerability, we introduce a novel framework Rob-FCP, which executes robust federated conformal prediction, effectively countering malicious clients capable of reporting arbitrary statistics with the conformal calibration process. We theoretically provide the conformal coverage bound of Rob-FCP in the Byzantine setting and show that the coverage of Rob-FCP is asymptotically close to the desired coverage level. We also propose a malicious client number estimator to tackle a more challenging setting where the number of malicious clients is unknown to the defender and theoretically shows its effectiveness. We empirically demonstrate the robustness of Rob-FCP against diverse proportions of malicious clients under a variety of Byzantine attacks on five standard benchmark and real-world healthcare datasets.
Paper Structure (54 sections, 8 theorems, 73 equations, 13 figures, 10 tables, 1 algorithm)

This paper contains 54 sections, 8 theorems, 73 equations, 13 figures, 10 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Conformal prediction
  4. Federated conformal prediction
  5. Rob-FCP and coverage guarantees
  6. Threat model
  7. Rob-FCP algorithm
  8. Characterization of conformity scores
  9. Maliciousness score computation
  10. Effectiveness of Rob-FCP against mimick attacks
  11. Coverage guarantee of Rob-FCP
  12. Rob-FCP with unknown numbers of malicious clients
  13. Malicious client number estimator
  14. Precision of malicious client number estimator
  15. Experiments
  16. ...and 39 more sections

Key Result

Theorem 1

Consider FCP setting with $K_b$ benign clients and $K_m$ malicious clients. The $k$-th client reports the characterization vector ${\mathbf{v}}^{(k)}$ and local sample size $n_k$ to the server ($k \in [K_b+K_m]$). Assume that the benign characterization vector ${\mathbf{v}}^{(k)}$ follows multinomia where $\tau = K_m / K_b$ is the ratio between the number of malicious clients and the number of ben

Figures (13)

  • Figure 1: Coverage rate with different ratios of malicious clients on SHHS dataset. The desired coverage is $0.9$.
  • Figure 2: Overview of Rob-FCP.
  • Figure 3: Results of malicious client number estimation and conformal prediction performance in the setting with unknown numbers of malicious clients. The green horizontal line denotes the benign conformal performance. Rob-FCP estimates the number of malicious clients faithfully, and provides an empirical coverage rate matching the target (benign level).
  • Figure 4: Upper and lower bounds of prediction coverage of Rob-FCP by \ref{['thm1:improve']} on Tiny-ImageNet.
  • Figure 5: Marginal coverage / average set size under coverage attack with 40% malicious clients on Tiny-ImageNet. The green horizontal line denotes the benign marginal coverage and average set size without any malicious clients.
  • ...and 8 more figures

Theorems & Definitions (16)

  • Theorem 1: Coverage guarantees of Rob-FCP in Byzantine setting
  • Remark
  • Theorem 2: Precision of malicious client number estimator
  • Remark
  • Lemma 3.1
  • proof
  • Theorem 3: Restatement of \ref{['thm1:improve']}
  • proof
  • Theorem 4: Restatement of \ref{['thm2']}
  • proof
  • ...and 6 more