Sybil-based Virtual Data Poisoning Attacks in Federated Learning
Changxun Zhu, Qilong Wu, Lingjuan Lyu, Shibei Xue
TL;DR
This work tackles the vulnerability of federated learning to poisoning by introducing a sybil-based virtual data poisoning attack that leverages gradient matching to reduce computation. It formulates a bilevel poisoning objective and provides three target-model acquisition schemes (online local, online global, offline) to tailor attacks to deployment scenarios. The authors demonstrate, across MNIST, FMNIST, and CIFAR-10 under both IID and non-IID data, that their approach achieves strong Target Task Accuracy with manageable impact on Main Task Accuracy, outperforming baselines in many settings. The findings highlight a significant security risk in privacy-preserving FL and underscore the need for robust defenses against sybil-based poisoning and gradient-based data manipulation.
Abstract
Federated learning is vulnerable to poisoning attacks by malicious adversaries. Existing methods often involve high costs to achieve effective attacks. To address this challenge, we propose a sybil-based virtual data poisoning attack, where a malicious client generates sybil nodes to amplify the poisoning model's impact. To reduce neural network computational complexity, we develop a virtual data generation method based on gradient matching. We also design three schemes for target model acquisition, applicable to online local, online global, and offline scenarios. In simulation, our method outperforms other attack algorithms since our method can obtain a global target model under non-independent uniformly distributed data.
