Robust Federated Inference
Akash Dhasade, Sadegh Farhadkhani, Rachid Guerraoui, Nirupam Gupta, Maxime Jacovella, Anne-Marie Kermarrec, Rafael Pinot
TL;DR
The paper tackles robustness in federated inference when up to $f < \tfrac{n}{2}$ client outputs may be corrupted, formalizing the robust federated inference problem and analyzing averaging-based aggregators. It derives a robustness certificate for $(f,\kappa)$-robust averaging and reveals that non-linear aggregators can be attacked via an adversarial loss on probit vectors. To overcome this, it introduces DeepSet-TM, a permutation-invariant neural aggregator trained with adversarial risk minimization (RERM) and enhanced at test time with a robust averaging step, yielding state-of-the-art performance across benchmarks. Empirical results on CIFAR-10, CIFAR-100, and AG-News show 4.7–22.2 percentage-point improvements in worst-case accuracy over baselines across six attacks, demonstrating practical robustness for federated ensemble inference.
Abstract
Federated inference, in the form of one-shot federated learning, edge ensembles, or federated ensembles, has emerged as an attractive solution to combine predictions from multiple models. This paradigm enables each model to remain local and proprietary while a central server queries them and aggregates predictions. Yet, the robustness of federated inference has been largely neglected, leaving it vulnerable to even simple attacks. To address this critical gap, we formalize the problem of robust federated inference and provide the first robustness analysis of this class of methods. Our analysis of averaging-based aggregators shows that the error of the aggregator is small either when the dissimilarity between honest responses is small or the margin between the two most probable classes is large. Moving beyond linear averaging, we show that the problem of robust federated inference with non-linear aggregators can be cast as an adversarial machine learning problem. We then introduce an advanced technique using the DeepSet aggregation model, proposing a novel composition of adversarial training and test-time robust aggregation to robustify non-linear aggregators. Our composition yields significant improvements, surpassing existing robust aggregation methods by 4.7–22.2% in accuracy points across diverse benchmarks.
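As an added worked example (not code from the paper), the following contrasts plain averaging with a robust averaging rule over client probability vectors when f of the n clients return corrupted outputs. It assumes coordinate-wise trimmed mean as the robust rule (an assumption about what the "TM" in DeepSet-TM denotes), with n = 7, f = 2 and constructed probability vectors; it also computes the honest-response dissimilarity and the top-two margin that the abstract's analysis refers to, showing that the plain mean is flipped only when the honest margin is small.

```python
# Added illustration, not the paper's code. n clients each return a probability
# vector over k classes; up to f of them are corrupted. We compare the plain
# mean with a coordinate-wise trimmed mean (assumed robust averaging rule).
import numpy as np

def mean_aggregate(P):
    """Plain averaging of client probability vectors, P has shape (n, k)."""
    return P.mean(axis=0)

def trimmed_mean_aggregate(P, f):
    """Coordinate-wise trimmed mean: for every class, discard the f largest
    and f smallest client values and average the remaining n - 2f."""
    n = P.shape[0]
    if 2 * f >= n:
        raise ValueError("trimmed mean needs f < n/2 so honest values remain")
    S = np.sort(P, axis=0)
    return S[f:n - f].mean(axis=0)

def margin(p):
    """Gap between the two most probable classes of an aggregated vector."""
    top2 = np.sort(p)[-2:]
    return float(top2[1] - top2[0])

def honest_dissimilarity(H):
    """Mean squared distance of the honest responses to their own average."""
    return float(np.mean(np.sum((H - H.mean(axis=0)) ** 2, axis=1)))

def predicted_classes(honest, corrupted):
    """Class chosen by (plain mean, trimmed mean) once the corrupted rows are
    appended to the honest rows; f is taken as the number of corrupted rows."""
    P = np.vstack([honest, corrupted])
    f = corrupted.shape[0]
    return (int(np.argmax(mean_aggregate(P))),
            int(np.argmax(trimmed_mean_aggregate(P, f))))

# Constructed sample: 5 honest clients favouring class 0, 2 corrupted clients
# putting all mass on class 1. Large honest margin vs. small honest margin.
HONEST_LARGE_MARGIN = np.array([[0.80, 0.15, 0.05], [0.75, 0.20, 0.05],
                                [0.70, 0.20, 0.10], [0.85, 0.10, 0.05],
                                [0.78, 0.12, 0.10]])
HONEST_SMALL_MARGIN = np.array([[0.46, 0.40, 0.14], [0.45, 0.41, 0.14],
                                [0.44, 0.40, 0.16], [0.47, 0.38, 0.15],
                                [0.45, 0.42, 0.13]])
CORRUPT = np.array([[0.0, 1.0, 0.0], [0.0, 1.0, 0.0]])

if __name__ == "__main__":
    for name, H in (("large margin", HONEST_LARGE_MARGIN),
                    ("small margin", HONEST_SMALL_MARGIN)):
        print(name, "honest margin=%.3f" % margin(H.mean(axis=0)),
              "dissimilarity=%.4f" % honest_dissimilarity(H),
              "(mean, trimmed) predict", predicted_classes(H, CORRUPT))
```

With the large honest margin both rules keep class 0; with the small margin the plain mean is pushed to class 1 while the trimmed mean, which discards the two extreme values per class, still returns class 0.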
