Table of Contents
Fetching ...

Sybil-based Virtual Data Poisoning Attacks in Federated Learning

Changxun Zhu, Qilong Wu, Lingjuan Lyu, Shibei Xue

TL;DR

This work tackles the vulnerability of federated learning to poisoning by introducing a sybil-based virtual data poisoning attack that leverages gradient matching to reduce computation. It formulates a bilevel poisoning objective and provides three target-model acquisition schemes (online local, online global, offline) to tailor attacks to deployment scenarios. The authors demonstrate, across MNIST, FMNIST, and CIFAR-10 under both IID and non-IID data, that their approach achieves strong Target Task Accuracy with manageable impact on Main Task Accuracy, outperforming baselines in many settings. The findings highlight a significant security risk in privacy-preserving FL and underscore the need for robust defenses against sybil-based poisoning and gradient-based data manipulation.

Abstract

Federated learning is vulnerable to poisoning attacks by malicious adversaries. Existing methods often involve high costs to achieve effective attacks. To address this challenge, we propose a sybil-based virtual data poisoning attack, where a malicious client generates sybil nodes to amplify the poisoning model's impact. To reduce neural network computational complexity, we develop a virtual data generation method based on gradient matching. We also design three schemes for target model acquisition, applicable to online local, online global, and offline scenarios. In simulation, our method outperforms other attack algorithms since our method can obtain a global target model under non-independent uniformly distributed data.

Sybil-based Virtual Data Poisoning Attacks in Federated Learning

TL;DR

This work tackles the vulnerability of federated learning to poisoning by introducing a sybil-based virtual data poisoning attack that leverages gradient matching to reduce computation. It formulates a bilevel poisoning objective and provides three target-model acquisition schemes (online local, online global, offline) to tailor attacks to deployment scenarios. The authors demonstrate, across MNIST, FMNIST, and CIFAR-10 under both IID and non-IID data, that their approach achieves strong Target Task Accuracy with manageable impact on Main Task Accuracy, outperforming baselines in many settings. The findings highlight a significant security risk in privacy-preserving FL and underscore the need for robust defenses against sybil-based poisoning and gradient-based data manipulation.

Abstract

Federated learning is vulnerable to poisoning attacks by malicious adversaries. Existing methods often involve high costs to achieve effective attacks. To address this challenge, we propose a sybil-based virtual data poisoning attack, where a malicious client generates sybil nodes to amplify the poisoning model's impact. To reduce neural network computational complexity, we develop a virtual data generation method based on gradient matching. We also design three schemes for target model acquisition, applicable to online local, online global, and offline scenarios. In simulation, our method outperforms other attack algorithms since our method can obtain a global target model under non-independent uniformly distributed data.
Paper Structure (12 sections, 16 equations, 6 figures, 2 tables, 1 algorithm)

This paper contains 12 sections, 16 equations, 6 figures, 2 tables, 1 algorithm.

Figures (6)

  • Figure 1: Threat model for sybil-based attacks on FL.
  • Figure 2: The test accuracy changes with the proportion of malicious clients while fix the number of virtual nodes generated by each client $v$ = 5.
  • Figure 3: The test accuracy changes with the number of virtual nodes generated by each malicious clients while fix the proportion of malicious clients to 0.4.
  • Figure 4: Attack performance when three datasets are IID.
  • Figure 5: Attack performance when the Dirichlet distribution has parameter $\alpha$ = 0.5.
  • ...and 1 more figures