Poisoning with A Pill: Circumventing Detection in Federated Learning

Hanxi Guo, Hao Wang, Tao Song, Tianhang Zheng, Yang Hua, Haibing Guan, Xiangyu Zhang

TL;DR

Federated learning offers data privacy but is susceptible to poisoning attacks. The authors propose a universal pill-based augmentation that concentrates malicious updates into a tiny subnetwork (a pill) and uses a three-stage process (pill construction, pill poisoning, and pill injection) to make the augmentation attack-agnostic and the resulting attacks harder to detect. By dynamically selecting the pill and reusing existing attacks on it with a two-step adjustment during injection, the method achieves substantial degradation, bypassing nine defenses with average error-rate increases exceeding 2x and reaching up to 7x in some settings, across IID/non-IID and cross-silo/cross-device FL. The results reveal critical vulnerabilities in current defenses and argue for fine-grained, parameter-level security analyses that do not rely solely on global update statistics. Overall, the work demonstrates a scalable, attack-agnostic strategy that challenges existing FL defenses and motivates the development of more nuanced protection mechanisms.

Abstract

Without direct access to the clients' data, federated learning (FL) is well known among existing distributed machine learning techniques for its unique strength in data privacy protection. However, its distributed and iterative nature makes FL inherently vulnerable to various poisoning attacks. To counteract these threats, extensive defenses have been proposed to filter out malicious clients using various detection metrics. Based on our analysis of existing attacks and defenses, we find that model redundancy has received little attention. In neural networks, different model parameters contribute differently to the model's performance. However, existing attacks in FL manipulate all the model update parameters with the same strategy, making them easily detectable by common defenses. Meanwhile, the defenses also tend to analyze the overall statistical features of the entire model update, leaving room for sophisticated attacks. Based on these observations, this paper proposes a generic and attack-agnostic augmentation approach designed to enhance the effectiveness and stealthiness of existing FL poisoning attacks against detection in FL, pointing out the inherent flaws of existing defenses and exposing the necessity of fine-grained FL security. Specifically, we employ a three-stage methodology that strategically constructs, generates, and injects poison (generated by existing attacks) into a pill (a tiny subnet with a novel structure) during FL training; the stages are named pill construction, pill poisoning, and pill injection, respectively. Extensive experimental results show that FL poisoning attacks enhanced by our method can bypass all the popular defenses and can achieve up to a 7x error-rate increase, as well as, on average, a more than 2x error-rate increase, on both IID and non-IID data, in both cross-silo and cross-device FL systems.
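The abstract's central defensive point is that a detector which only looks at whole-update statistics (an L2-norm bound, a cosine-similarity check against a reference direction) cannot see a perturbation confined to a handful of parameters, whereas a coordinate-level check can. The following toy example, added here and not code from the paper, illustrates that contrast; it does not implement the paper's pill construction, poisoning or injection. The client updates are constructed by hand (five benign updates that differ by small per-coordinate offsets around a shared direction, plus one update equal to their consensus with two coordinates shifted), and the two detectors are assumptions standing in for the norm/cosine-style and the fine-grained defense families the abstract contrasts, not any specific defense from the paper.

```python
import math
from statistics import median

D = 20                 # parameters per model update (constructed toy size)
N_BENIGN = 5           # number of benign clients in the round
SHIFTED_COORDS = (4, 8)  # the tiny subset of parameters the deviating client touches
SHIFT = 0.15           # per-coordinate shift applied on that subset (constructed)


def consensus_direction():
    """Constructed 'honest' update direction shared by all benign clients."""
    return [0.3 if j % 2 == 0 else -0.3 for j in range(D)]


def benign_updates():
    """Five constructed benign updates: consensus scaled by +-5% per coordinate."""
    base = consensus_direction()
    ups = []
    for k in range(N_BENIGN):
        # offsets cycle through {-5%, -2.5%, 0, +2.5%, +5%} across coordinates
        ups.append([base[j] * (1 + 0.025 * ((k + j) % 5 - 2)) for j in range(D)])
    return ups


def deviating_update():
    """Constructed update: benign consensus with only two coordinates shifted."""
    u = consensus_direction()
    for j in SHIFTED_COORDS:
        u[j] += SHIFT
    return u


def all_updates():
    """Round view as the server sees it: benign clients 0..4, deviating client 5."""
    return benign_updates() + [deviating_update()]


def l2(v):
    return math.sqrt(sum(x * x for x in v))


def cosine(a, b):
    return sum(x * y for x, y in zip(a, b)) / (l2(a) * l2(b))


def coordinate_median(updates):
    """Robust reference direction: per-coordinate median over all clients."""
    return [median(u[j] for u in updates) for j in range(D)]


def global_detector(updates, norm_factor=1.5, min_cos=0.8):
    """Whole-update screening (assumed toy defense): flag a client whose update
    norm exceeds norm_factor x the median norm, or whose cosine similarity to
    the robust reference falls below min_cos. Returns the set of flagged indices."""
    ref = coordinate_median(updates)
    norms = [l2(u) for u in updates]
    med_norm = median(norms)
    flagged = set()
    for i, u in enumerate(updates):
        if norms[i] > norm_factor * med_norm or cosine(u, ref) < min_cos:
            flagged.add(i)
    return flagged


def coordinate_detector(updates, k=5.0, eps=1e-12):
    """Parameter-level screening (assumed toy defense): for every coordinate,
    compute the median and MAD across clients and flag any client whose value
    lies more than k MADs from the median. Returns {client: {coordinates}} so the
    server can see *where* an update deviates, not just whether it does."""
    flagged = {}
    for j in range(D):
        col = [u[j] for u in updates]
        med = median(col)
        mad = median(abs(x - med) for x in col)
        for i, x in enumerate(col):
            if abs(x - med) > k * max(mad, eps):   # eps guards a zero MAD
                flagged.setdefault(i, set()).add(j)
    return flagged


if __name__ == "__main__":
    ups = all_updates()
    print("global-statistics detector flags:", global_detector(ups))      # set()
    print("coordinate-level detector flags:", coordinate_detector(ups))   # {5: {4, 8}}
```

On this constructed round the deviating update's norm is within about 6% of the benign norms and its cosine to the robust reference is above 0.99, so the whole-update screen passes it, while the coordinate-wise check isolates client 5 and pinpoints exactly the two shifted parameters. The detection thresholds (1.5x norm, 0.8 cosine, 5 MADs) are illustrative choices; a real deployment would calibrate them on observed benign variance and on the dimensionality of the model.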

Paper Structure (28 sections, 4 equations, 8 figures, 11 tables, 2 algorithms)

Figures (8)

  • Figure 1: Overview of our augmentation method. The red parts indicate our augmentation method's contribution, and the cyan parts represent the standard federated learning architecture.
  • Figure 2: An example of the "approximate max pill search" algorithm in our augmentation method.
  • Figure 3: Cosine similarities between FLTrust server's model update and malicious model update when malicious clients use different extra training rounds.
  • Figure 4: Intuition behind distance-based adjustment in our augmentation method.
  • Figure 5: Comparison of Multi-Krum distance score between benign updates and malicious updates when using original poisoning attacks with and without our method.