Not All Edges are Equally Robust: Evaluating the Robustness of Ranking-Based Federated Learning

Zirui Gong, Yanjun Zhang, Leo Yu Zhang, Zhaoxi Zhang, Yong Xiang, Shirui Pan

TL;DR

This paper evaluates the robustness of Federated Ranking Learning (FRL), revealing that despite discrete rankings and majority voting, FRL vulnerabilities exist at specific edges. It introduces Vulnerable Edge Manipulation (VEM), a three-stage attack that identifies vulnerable edges, optimizes updates with a Gumbel-Sinkhorn surrogate, and generates malicious ranking updates, achieving a global attack impact of 53.23% and outperforming state-of-the-art attacks by up to 3.7×. The work provides theoretical bounds on vulnerable edges, demonstrates effectiveness across multiple datasets and aggregation rules, and shows that existing or simple defenses (e.g., intersection-based screening) are inadequate. These findings highlight the need for new robust FRL designs and contribute methods for optimization in discrete spaces within federated settings, with practical implications for secure deployment of ranking-based FL systems.

Abstract

Federated Ranking Learning (FRL) is a state-of-the-art FL framework that stands out for its communication efficiency and resilience to poisoning attacks. It diverges from the traditional FL framework in two ways: 1) it leverages discrete rankings instead of gradient updates, significantly reducing communication costs and limiting the potential space for malicious updates, and 2) it uses majority voting on the server side to establish the global ranking, ensuring that individual updates have minimal influence since each client contributes only a single vote. These features enhance the system's scalability and position FRL as a promising paradigm for FL training. However, our analysis reveals that FRL is not inherently robust, as certain edges are particularly vulnerable to poisoning attacks. Through a theoretical investigation, we prove the existence of these vulnerable edges and establish a lower bound and an upper bound for identifying them in each layer. Based on this finding, we introduce a novel local model poisoning attack against FRL, namely the Vulnerable Edge Manipulation (VEM) attack. The VEM attack focuses on identifying and perturbing the most vulnerable edges in each layer and leveraging an optimization-based approach to maximize the attack's impact. Through extensive experiments on benchmark datasets, we demonstrate that our attack achieves an overall 53.23% attack impact and is 3.7x more impactful than existing methods. Our findings highlight significant vulnerabilities in ranking-based FL systems and underline the urgency for the development of new robust FL frameworks.
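The abstract's claim that some edges are less robust than others can be checked from the server's side. The sketch below is an added example, not code from the paper: it assumes the vote is a sum of rank positions followed by top-k selection, uses constructed rankings, and applies an elementary worst-case bound rather than the paper's lower and upper bounds. All function names are hypothetical.

```python
# Added example: server-side stability check for ranking votes.
# Assumed aggregation: reputation = sum of rank positions, top-k edges selected.

def reputations(rankings):
    """rankings[c][pos] = edge id, pos 0 = least important; returns summed positions."""
    n = len(rankings[0])
    rep = [0] * n
    for r in rankings:
        if sorted(r) != list(range(n)):
            raise ValueError("each update must be a permutation of the edge ids")
        for pos, edge in enumerate(r):
            rep[edge] += pos
    return rep

def select_top_k(rep, k):
    """Edges kept in the global subnetwork (ties broken by lower edge id)."""
    order = sorted(range(len(rep)), key=lambda e: (-rep[e], e))
    return set(order[:k])

def margins(rep, k):
    """Signed gap between each edge and the nearest edge on the other side of the cut."""
    if not 0 < k < len(rep):
        raise ValueError("k must leave at least one edge on each side")
    selected = select_top_k(rep, k)
    lowest_in = min(rep[e] for e in selected)
    highest_out = max(rep[e] for e in range(len(rep)) if e not in selected)
    return {e: rep[e] - (highest_out if e in selected else lowest_in)
            for e in range(len(rep))}

def uncertified_edges(rankings, k, m):
    """Edges whose selection status is NOT guaranteed if any m votes are replaced.

    Replacing m votes moves one edge's reputation by at most m*(n-1), so a gap
    larger than 2*m*(n-1) to every edge across the cut cannot be closed.
    """
    rep = reputations(rankings)
    bound = 2 * m * (len(rep) - 1)
    return sorted(e for e, gap in margins(rep, k).items() if abs(gap) <= bound)

# Constructed sample: 10 clients, 6 edges; only edges 2 and 3 are contested.
RANKINGS = [[0, 1, 2, 3, 4, 5]] * 6 + [[0, 1, 3, 2, 4, 5]] * 4

if __name__ == "__main__":
    rep = reputations(RANKINGS)
    print("reputations:", rep)
    print("selected:", sorted(select_top_k(rep, 3)))
    print("not certified, m=1:", uncertified_edges(RANKINGS, 3, 1))
    print("not certified, m=2:", uncertified_edges(RANKINGS, 3, 2))
```

The certificate is conservative: an edge reported as uncertified is not necessarily flippable, but an edge outside the list provably keeps its status under the assumed voting rule.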

Paper Structure

This paper contains 34 sections, 27 equations, 16 figures, 7 tables, 2 algorithms.

Figures (16)

  • Figure 1: Example of Lottery Tickets Hypothesis (LTH).
  • Figure 2: Motivating example of poisoning FRL. a. the 'data poisoning attack', where the adversary submits a relatively random ranking; b. the 'reverse-rank' attack, where the adversary submits the reverse ranking of the benign update; c. our attack, which targets and manipulates specific edges. Only our attack leads to changes in the global subnetwork.
  • Figure 3: Reputation difference between each edge and the selection boundary.
  • Figure 4: Overview of our VEM attack. The attack unfolds in three stages: a. the adversary identifies vulnerable edges and generates vulnerable matrices for optimization; b. the adversary targets vulnerable edges and finds the optimal doubly stochastic matrices that maximize the reputation difference before and after the attack; c. the adversary uses optimized doubly stochastic matrices to produce malicious updates.
  • Figure 5: Formalization of FRL.
  • ...and 11 more figures