
A Learning-Based Attack Framework to Break SOTA Poisoning Defenses in Federated Learning

Yuxin Yang, Qiang Li, Chenfei Nie, Yuan Hong, Meng Pang, Binghui Wang

TL;DR

The paper addresses poisoning threats in Federated Learning and shows that state-of-the-art robust aggregators (AGRs) that rely on clipping or filtering can still be bypassed. It introduces an optimization-based attack framework that crafts malicious gradients through a scalable, gamma-parameterized transformation to evade the AGR mechanisms, yielding targeted backdoors and degraded main-task performance. The authors instantiate tailored attacks for FLAME, MDAM, FLDetector, CC, and CC-B, provide binary-search and analytic solutions for gamma, and validate the attacks across IID and non-IID datasets, reporting significant BA/MA gains over baselines. The work highlights a pressing need for novel, possibly provable defenses against FL poisoning, and releases code to enable replication and further research.

Abstract

Federated Learning (FL) is a novel client-server distributed learning framework that can protect data privacy. However, recent works show that FL is vulnerable to poisoning attacks. Many defenses with robust aggregators (AGRs) have been proposed to mitigate the issue, but they are all broken by advanced attacks. Very recently, some renewed robust AGRs have been designed, typically with novel clipping and/or filtering strategies, and they show promising defense performance against the advanced poisoning attacks. In this paper, we show that these novel robust AGRs are also vulnerable to carefully designed poisoning attacks. Specifically, we observe that breaking these robust AGRs reduces to bypassing the clipping and/or filtering of malicious clients, and propose an optimization-based attack framework that leverages this observation. Under the framework, we then design a customized attack against each robust AGR. Extensive experiments on multiple datasets and threat models verify that our proposed optimization-based attack can break the SOTA AGRs. We hence call for novel defenses against poisoning attacks on FL. Code is available at: https://github.com/Yuxin104/BreakSTOAPoisoningDefenses.

Paper Structure

This paper contains 22 sections, 6 equations, 6 figures, 15 tables, and 10 algorithms.

Figures (6)

  • Figure 1: Illustration of the SOTA robust aggregation algorithms (a)-(c) in FL, our AGR-tailored attacks (d)-(f), and our AGR-agnostic attacks (g)-(h) on them. (a) FLAME: it defends against malicious gradients by clipping gradients with large length deviations and filtering gradients with large angular deviations. (b) MDAM: it chooses the subset of $n-f$ momentums with the smallest diameter for aggregation, i.e., it filters out a bounded number $f$ of malicious gradients. (c) CC: it corrects malicious gradients via centered clipping with a parameter $\tau$. (d) Our attack on FLAME: we project the length-deviating malicious gradients and rotate the angle-deviating malicious gradients to evade FLAME. (e) Our attack on MDAM: we optimize the original malicious momentums into new ones such that MDAM selects (part of) the new malicious ones into the subset for aggregation. (f) Our attack on CC: we construct malicious gradients from any benign one to avoid the centered clipping. (g) Our AGR-agnostic targeted poisoning attack (on FLAME, MDAM, and FLDetector): we adjust malicious gradients to approach benign gradients, based on the Euclidean distance metric, to evade the SOTA defenses. (h) Our AGR-agnostic untargeted poisoning attack (on CC): we generate malicious gradients of length ATK-$\tau$ by leveraging any benign gradient, to evade clipping for agnostic parameters.
  • Figure 2: Suspicious scores per client and per FL round computed by FLDetector under our AGR-agnostic and gradient-unknown attack. Here, clients $0-4$ are malicious and the remaining ones are benign, and $t$ is the FL training round. We observe that the suspicious scores are similar across all clients and FL rounds, which makes it hard for k-means clustering to separate the malicious scores.
  • Figure 3: The impact of different numbers of training rounds on our attacks.
  • Figure 4: Certified accuracy of CRFL on our AGR-agnostic targeted poisoning attacks.
  • Figure 5: Certified accuracy of CRFL vs. the total number of clients $n$ on our AGR-agnostic targeted poisoning attacks.
  • ...and 1 more figure
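To make the defense side of Figure 1(c) concrete, here is the centered clipping (CC) aggregation step written out as an added illustration. It is not code from the paper or its repository; the gradient values are constructed, the center is taken to be the previous round's aggregate, and the function and parameter names (`centered_clip`, `cc_report`, `center`, `updates`, `tau`, `iters`) are this example's own. It shows the property CC gives a server operator, namely that one client's pull on the aggregate is capped at $\tau / n$ per step, together with the caveat the paper's Figure 1(h) turns on: a residual already shorter than $\tau$ passes through unmodified.

```python
import math
from typing import Dict, List, Sequence

Vector = List[float]


def l2_norm(v: Sequence[float]) -> float:
    """Euclidean length of a vector."""
    return math.sqrt(sum(x * x for x in v))


def centered_clip(center: Sequence[float],
                  updates: Sequence[Sequence[float]],
                  tau: float,
                  iters: int = 1) -> Vector:
    """Centered clipping (CC) aggregation.

    Each client update x_i is expressed as a residual (x_i - v) around the
    current center v (e.g. last round's aggregate). Residuals longer than tau
    are scaled down to length exactly tau; shorter ones pass unchanged. The
    clipped residuals are averaged and added to v. Repeating the step refines
    the center. Parameter names are this example's own, not the paper's.
    """
    v = list(center)
    n = len(updates)
    for _ in range(iters):
        acc = [0.0] * len(v)
        for x in updates:
            residual = [xi - vi for xi, vi in zip(x, v)]
            length = l2_norm(residual)
            scale = min(1.0, tau / length) if length > 0.0 else 1.0
            for j, r in enumerate(residual):
                acc[j] += scale * r
        v = [vi + a / n for vi, a in zip(v, acc)]
    return v


def plain_mean(updates: Sequence[Sequence[float]]) -> Vector:
    """Unprotected FedAvg-style mean, for comparison."""
    n = len(updates)
    return [sum(col) / n for col in zip(*updates)]


def cc_report(center: Sequence[float],
              updates: Sequence[Sequence[float]],
              tau: float) -> Dict[str, object]:
    """Run one CC step and report what a server operator would want to see:
    which clients were clipped, the largest residual after clipping (never
    above tau), and the per-client influence bound tau / n."""
    n = len(updates)
    clipped, max_residual = [], 0.0
    for i, x in enumerate(updates):
        length = l2_norm([xi - vi for xi, vi in zip(x, center)])
        if length > tau:
            clipped.append(i)
        max_residual = max(max_residual, min(length, tau))
    return {
        "cc": centered_clip(center, updates, tau),
        "mean": plain_mean(updates),
        "clipped_clients": clipped,
        "max_clipped_residual": max_residual,
        "influence_bound": tau / n,
    }


# Constructed sample round: three benign updates near (1, 0) and one extreme
# outlier. The center is the previous aggregate, here the origin.
SAMPLE_CENTER = [0.0, 0.0]
SAMPLE_UPDATES = [[1.0, 0.0], [1.0, 0.1], [0.9, -0.1], [50.0, 50.0]]
SAMPLE_TAU = 1.5

if __name__ == "__main__":
    r = cc_report(SAMPLE_CENTER, SAMPLE_UPDATES, SAMPLE_TAU)
    print("plain mean      :", r["mean"])
    print("centered clip   :", r["cc"])
    print("clipped clients :", r["clipped_clients"])
    print("influence bound :", r["influence_bound"])
```

On the constructed round the plain mean is dragged to roughly (13.2, 12.5) by the single outlier, while the CC aggregate stays at about (0.99, 0.27), because the outlier's residual is scaled to length $\tau = 1.5$ and then divided by $n = 4$. The three benign residuals are all shorter than $\tau$ and are passed through untouched, which is the behaviour the AGR-agnostic attack in Figure 1(h) relies on: $\tau$ bounds influence, it does not identify clients. Logging `clipped_clients` and `max_clipped_residual` per round gives the server a cheap signal of how often the bound is actually being hit.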