DMPA: Model Poisoning Attacks on Decentralized Federated Learning for Model Differences
Chao Feng, Yunlong Li, Yuanzhe Gao, Alberto Huertas Celdrán, Jan von der Assen, Gérôme Bovet, Burkhard Stiller
TL;DR
The paper tackles model poisoning in Decentralized Federated Learning (DFL) by introducing DMPA, an eigenvalue-based attack that computes an angular deviation from a correlation matrix of model updates. Operating before parameter exchange, DMPA identifies a poisoning direction using the maximum eigenvalue, projects the angular deviation onto the malicious updates, and then averages the adjusted updates to preserve attack potency after aggregation. Across CIFAR-10, MNIST, and Fashion-MNIST on fully connected, star, and ring overlay topologies, DMPA yields lower average F1 scores for benign clients than state-of-the-art attacks, demonstrating stronger disruption of the global DFL model. The findings underscore the need for robust defenses in DFL against eigenvalue-based poisoning strategies and point to future work on non-IID data scenarios and defensive mechanisms.
Abstract
Federated Learning (FL) has garnered significant attention as a prominent privacy-preserving Machine Learning (ML) paradigm. Decentralized FL (DFL) eschews traditional FL's centralized server architecture, enhancing the system's robustness and scalability. However, these advantages of DFL also create new vulnerabilities that malicious participants can use to execute adversarial attacks, especially model poisoning attacks. In model poisoning attacks, malicious participants aim to diminish the performance of benign models by creating and disseminating compromised models. Existing research on model poisoning attacks has predominantly concentrated on undermining global models within the Centralized FL (CFL) paradigm, while more research is needed on DFL. To fill this research gap, this paper proposes an innovative model poisoning attack called DMPA. This attack calculates the differential characteristics of multiple malicious client models and obtains the most effective poisoning strategy, thereby orchestrating a collusive attack by multiple participants. The effectiveness of this attack is validated across multiple datasets, with results indicating that the DMPA approach consistently surpasses existing state-of-the-art FL model poisoning attack strategies.
