Attacks against Federated Learning Defense Systems and their Mitigation

Cody Lewis, Vijay Varadharajan, Nasimul Noman; 24(30):1−50, 2023.

Abstract

Federated learning (FL) defense systems have been developed to protect against attacks from untrustworthy endpoints. These defense systems improve the federated optimization algorithm by incorporating anomaly detection and scaling updates based on the anomalous behavior of endpoints. However, the defense systems themselves can be vulnerable to more sophisticated attacks from endpoints. This paper introduces three categories of attacks and demonstrates their ability to deceive existing FL defense systems. The first two categories, known as on-off attacks, involve adversaries switching between honest behavior and engaging in attacks. Two specific on-off attacks, label flipping and free riding, are analyzed to determine their impact on current FL defense systems. The third category proposes attacks based on “good mouthing” and “bad mouthing” to manipulate the influence of victim endpoints on the global model. Additionally, a new federated optimization algorithm called Viceroy is proposed to effectively mitigate all the proposed attacks. The effectiveness of the attacks and of the mitigation strategy is demonstrated through various experiments, and the proposed algorithm is made available as open source. The appendices provide an induction proof for the on-off model poisoning attack, as well as the proof of convergence and adversarial tolerance for the new federated optimization algorithm.
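The abstract's central point, that a defense which rescales each endpoint's update only by its anomaly score in the current round can be deceived by an endpoint that alternates between honest rounds and attack rounds, can be made concrete with a small simulation. The following is an added illustration written for this page; it is not the paper's code and it is not the Viceroy algorithm. Everything in it is an assumption constructed for the example: linear-regression clients fitting a hidden weight vector, an anomaly score defined as distance from the coordinate-wise median update, an `exp(-(score-1))` scaling rule, an on-off free rider that submits an all-zero delta on even rounds and a genuine update on odd rounds, and a "reputation" variant that keeps an exponential moving average of past weights so that an attack round continues to cost the endpoint influence in later rounds.

```python
"""Toy FL simulation: per-round anomaly scaling vs. an on-off free rider.

Added example for illustration only; not the paper's code and not Viceroy.
All parameters, the scoring rule and the reputation variant are assumptions.
"""
import math
import random

DIM = 3
TRUE_W = [2.0, -1.0, 0.5]   # constructed ground truth the honest clients fit
LR = 0.1
N_HONEST = 8
ROUNDS = 10


def make_dataset(seed, n=40):
    """Constructed local dataset for one client: noisy linear labels."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0) for _ in range(DIM)]
        y = sum(a * b for a, b in zip(TRUE_W, x)) + rng.gauss(0.0, 0.05)
        data.append((x, y))
    return data


def honest_update(w, data):
    """One local gradient step on MSE loss; returns the model delta."""
    grad = [0.0] * DIM
    for x, y in data:
        err = sum(a * b for a, b in zip(w, x)) - y
        for j in range(DIM):
            grad[j] += 2.0 * err * x[j] / len(data)
    return [-LR * g for g in grad]


def free_rider_update():
    """A free rider spends no compute: it returns an all-zero delta."""
    return [0.0] * DIM


def anomaly_scores(updates):
    """Distance of each update from the coordinate-wise median update,
    divided by the median of those distances so a typical client scores ~1."""
    mid = len(updates) // 2
    med = [sorted(u[j] for u in updates)[mid] for j in range(DIM)]
    dists = [math.dist(u, med) for u in updates]
    scale = sorted(dists)[mid] or 1e-9
    return [d / scale for d in dists]


def memoryless_weight(score):
    """Per-round scaling: full weight up to a score of 1, then exponential decay."""
    return math.exp(-max(0.0, score - 1.0))


def simulate(defense, seed=0):
    """Run FL with N_HONEST honest clients plus one on-off free rider.

    defense == "memoryless": weight depends on the current round's score only.
    defense == "reputation": additionally track an EMA of each client's past
    weights and use the smaller of (current weight, EMA), so an attack round
    keeps dragging the endpoint's influence down in the honest rounds after it.
    Returns (per-client mean weight over all rounds, final global model).
    """
    datasets = [make_dataset(seed + i) for i in range(N_HONEST + 1)]
    w = [0.0] * DIM
    reputation = [1.0] * (N_HONEST + 1)
    weight_sum = [0.0] * (N_HONEST + 1)
    for rnd in range(ROUNDS):
        updates = [honest_update(w, d) for d in datasets[:N_HONEST]]
        attacking = rnd % 2 == 0  # even rounds: free ride; odd rounds: honest
        updates.append(free_rider_update() if attacking
                       else honest_update(w, datasets[-1]))
        weights = [memoryless_weight(s) for s in anomaly_scores(updates)]
        if defense == "reputation":
            for i, wt in enumerate(weights):
                reputation[i] = 0.5 * reputation[i] + 0.5 * wt
                weights[i] = min(wt, reputation[i])
        total = sum(weights)
        w = [w[j] + sum(wt * u[j] for wt, u in zip(weights, updates)) / total
             for j in range(DIM)]
        for i, wt in enumerate(weights):
            weight_sum[i] += wt
    return [s / ROUNDS for s in weight_sum], w


def adversary_mean_weight(defense):
    """Average influence the on-off free rider retained under a defense."""
    return simulate(defense)[0][-1]


def honest_mean_weight(defense):
    """Average influence an honest client retained under a defense."""
    means, _ = simulate(defense)
    return sum(means[:N_HONEST]) / N_HONEST


if __name__ == "__main__":
    for d in ("memoryless", "reputation"):
        print(f"{d:11s} adversary={adversary_mean_weight(d):.3f} "
              f"honest={honest_mean_weight(d):.3f}")
```

Under the memoryless rule the free rider is heavily down-weighted only in the rounds where it actually sends a zero delta and regains full influence in every honest round, which is exactly the gap an on-off strategy exploits; the reputation variant carries the penalty forward, so the same endpoint keeps a lower average weight while honest clients are affected far less. The paper's own mitigation and its convergence guarantees are not reproduced here; the point is only to show why a defense needs memory of past endpoint behavior.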
