Table of Contents
Fetching ...

Sparsification Under Siege: Dual-Level Defense Against Poisoning in Communication-Efficient Federated Learning

Zhiyong Jin, Runhua Xu, Chao Li, Yizhong Liu, Jianxin Li, James Joshi

TL;DR

SafeSparse is proposed, a consensus restoration framework that decouples defense into topological and semantic dimensions and recovers up to 25.7% global accuracy under coordinated poisoning, effectively closing the vulnerability gap in communication-efficient FL.

Abstract

Gradient sparsification, while mitigating communication bottlenecks in Federated Learning (FL), fundamentally alters the geometric landscape of model updates. We reveal that the resultant high-dimensional orthogonality renders traditional Euclidean-based robust aggregation metrics mathematically ambiguous, creating a 'sparsity-robustness trade-off' that adversaries exploit to bypass detection. To resolve this structural dissonance, we propose SafeSparse, a consensus restoration framework that decouples defense into topological and semantic dimensions. Unlike prior arts that treat sparsification and security orthogonally, SafeSparse introduces: (1) a Structure-Aware Calibration mechanism utilizing Jaccard similarity to filter topological outliers induced by index poisoning; and (2) a Directional Semantic Alignment module employing density-based clustering on update signs to neutralize magnitude-invariant attacks. Theoretically, we establish convergence guarantees for SafeSparse. Extensive experiments across multiple datasets and attack scenarios demonstrate that SafeSparse recovers up to 25.7% global accuracy under coordinated poisoning, effectively closing the vulnerability gap in communication-efficient FL.

Sparsification Under Siege: Dual-Level Defense Against Poisoning in Communication-Efficient Federated Learning

TL;DR

SafeSparse is proposed, a consensus restoration framework that decouples defense into topological and semantic dimensions and recovers up to 25.7% global accuracy under coordinated poisoning, effectively closing the vulnerability gap in communication-efficient FL.

Abstract

Gradient sparsification, while mitigating communication bottlenecks in Federated Learning (FL), fundamentally alters the geometric landscape of model updates. We reveal that the resultant high-dimensional orthogonality renders traditional Euclidean-based robust aggregation metrics mathematically ambiguous, creating a 'sparsity-robustness trade-off' that adversaries exploit to bypass detection. To resolve this structural dissonance, we propose SafeSparse, a consensus restoration framework that decouples defense into topological and semantic dimensions. Unlike prior arts that treat sparsification and security orthogonally, SafeSparse introduces: (1) a Structure-Aware Calibration mechanism utilizing Jaccard similarity to filter topological outliers induced by index poisoning; and (2) a Directional Semantic Alignment module employing density-based clustering on update signs to neutralize magnitude-invariant attacks. Theoretically, we establish convergence guarantees for SafeSparse. Extensive experiments across multiple datasets and attack scenarios demonstrate that SafeSparse recovers up to 25.7% global accuracy under coordinated poisoning, effectively closing the vulnerability gap in communication-efficient FL.
Paper Structure (41 sections, 2 theorems, 17 equations, 8 figures, 4 tables, 2 algorithms)

This paper contains 41 sections, 2 theorems, 17 equations, 8 figures, 4 tables, 2 algorithms.

Key Result

Theorem 1

Assume the malicious perturbation per parameter pack is bounded by $\mathbb{E}[\|W_a(p) - W'_G(p)\|_2] \le \epsilon$. The attack effectiveness $\rho$ is upper-bounded by: where $f_p = N_p^A / N_p$ is the malicious contributor ratio for parameter pack $p$.

Figures (8)

  • Figure 1: Empirical validation of poisoning vulnerability. The violin plots illustrate the accuracy distribution across 12 diverse scenarios (3 datasets $\times$ 4 attacks) as detailed in Section \ref{['baselines']}.
  • Figure 2: An illustration of the SafeSparse training process, incorporating client-side top-$k$ sparsification and server-side robust and sparsified aggregation. It also highlights the two key components of SafeSparse: Sparse Index Mask Inspection and Model Update Sign Similarity Analysis. The red sections indicate attackers, who may carry out data poisoning attacks (such as label flipping attack) or model poisoning attacks (including IPM, Gaussian, and scaling attacks) to degrade the performance of the global model.
  • Figure 3: The heatmap of the Jaccard similarity between the sparse index masks of different clients on the CIFAR-10 dataset under the non-IID setting.
  • Figure 4: The heatmap of sign cosine similarity among clients on the CIFAR-10 dataset under the non-IID setting. The first 8 clients are adversaries, while the remaining 12 are benign clients.
  • Figure 5: Comparison of defense effectiveness across various approaches, evaluated on FashionMNIST, CIFAR-10, and CIFAR-100 under Label Flip Attack (LFA), Gaussian Noise Attack (GNA), Inner Product Manipulation (IPM), and Scaling Attack in a NON-IID SETTING. The attacker ratio is fixed at 0.4, and the top-$k$ sparsification rate is set to 0.5. Top-1 accuracy is used as the evaluation metric for FashionMNIST and CIFAR-10, while top-5 accuracy is adopted for CIFAR-100.
  • ...and 3 more figures

Theorems & Definitions (2)

  • Theorem 1: Vulnerability under Sparsified Aggregation
  • Theorem 2: Convergence of SafeSparse