Meta Stackelberg Game: Robust Federated Learning against Adaptive and Mixed Poisoning Attacks

Tao Li, Henger Li, Yunian Pan, Tianyi Xu, Zizhan Zheng, Quanyan Zhu

TL;DR

This work formulates adversarial federated learning under a mixture of various attacks as a Bayesian Stackelberg Markov game, based on which it proposes the meta-Stackelberg defense composed of pre-training and online adaptation.

Abstract

Federated learning (FL) is susceptible to a range of security threats. Although various defense mechanisms have been proposed, they are typically non-adaptive and tailored to specific types of attacks, leaving them insufficient in the face of multiple uncertain, unknown, and adaptive attacks employing diverse strategies. This work formulates adversarial federated learning under a mixture of various attacks as a Bayesian Stackelberg Markov game, based on which we propose the meta-Stackelberg defense composed of pre-training and online adaptation. {The gist is to simulate strong attack behavior using reinforcement learning (RL-based attacks) in pre-training and then design meta-RL-based defense to combat diverse and adaptive attacks.} We develop an efficient meta-learning approach to solve the game, leading to a robust and adaptive FL defense. Theoretically, our meta-learning algorithm, meta-Stackelberg learning, provably converges to the first-order $\varepsilon$-meta-equilibrium point in $O(\varepsilon^{-2})$ gradient iterations with $O(\varepsilon^{-4})$ samples per iteration. Experiments show that our meta-Stackelberg framework performs superbly against strong model poisoning and backdoor attacks of uncertain and unknown types.

Paper Structure

This paper contains 55 sections, 8 theorems, 63 equations, 11 figures, 9 tables, 2 algorithms.

Key Result

Theorem 3

When $\Theta$ and $\Phi$ are compact and convex, there exists at least one meta-FOSE.

Figures (11)

  • Figure 1: A graphical abstract of meta-Stackelberg defense. In the pre-training stage, a simulated environment is constructed using generated data and the attack domain. The defender utilizes meta-Stackelberg learning (the meta-SL algorithm) to obtain the meta policy to be online adapted in the real FL.
  • Figure 2: Comparisons of defenses against untargeted model poisoning attacks (i.e., LMP and RL) on MNIST and CIFAR-10. All parameters are set as default and random seeds are fixed.
  • Figure 3: Comparisons of baseline defenses, i.e., NeuroClip, Prun, ClipMed, FLTrust+NeuroClip (from left to right) and whitebox/blackbox meta-SG under RL-based backdoor attack (BRL) on CIFAR-10. The BRLs are trained before FL round 0 against the associated defenses (i.e., NeuroClip, Prun, ClipMed, FLTrust+NC and the meta-policy of meta-SG). Other parameters are set as default and all random seeds are fixed.
  • Figure 4: Ablation studies. (a)-(b): uncertain backdoor target and unknown backdoor triggers, where the meta-policies are trained by worst-case triggers generated from GAN-based models [doan2021lira] or targeting multiple labels on CIFAR-10 during pre-training, utilizing inverting gradients [geiping2020inverting] and reverse engineering [wang2019neural] during online adaptation. (c)-(d): meta-RL tested against the number of malicious clients in $[20\%, 30\%, 40\%]$ and non-i.i.d. level in $q=[0.5, 0.6, 0.7]$ on MNIST, compared with Krum and ClipMed under LMP attack. Other parameters are set as default.
  • Figure 5: Self-generated MNIST images using a conditional GAN [mirza2014conditional] (second row) and CIFAR-10 images using a diffusion model [sohl2015deep] (fourth row).
  • ...and 6 more figures

Theorems & Definitions (19)

  • Remark 1
  • Definition 1: Bayesian Stackelberg equilibrium
  • Definition 2: Meta-Stackelberg Equilibrium
  • Remark 2
  • Definition 3: First-order Equilibrium
  • Theorem 3
  • Theorem 4
  • Proposition 1
  • Proof
  • Lemma 1: Implicit Function Theorem (IFT) for Meta-SG, adapted from [still2018lectures]
  • ...and 9 more