Federated Learning: Understanding Malicious Clients

Federated learning faces threats from malicious clients, with different adversary models impacting the global model accuracy.

The content discusses the impact of malicious clients in federated learning, focusing on poisoning attacks and defensive aggregation rules. It introduces a hybrid adversary model and explores the spectrum of adversaries. The study evaluates the performance of Median and Norm-Bounding aggregation rules under various adversary models, highlighting the impact of fake and compromised clients. Experimental setups, data extraction, and attack scenarios are detailed. I. Introduction Federated learning enables training models on decentralized data. Malicious clients can introduce poisoning attacks, impacting global model accuracy. Different adversary models and defensive aggregation rules are explored. II. Background Federated learning involves N clients collaborating to train a global model. Robust aggregation rules aim to mitigate the impact of malicious clients' updates. III. Types of Byzantine-Robust Aggregation Rules Non-robust AGRs like FedAvg aggregate updates without considering malicious clients. Robust AGRs agnostic to poisoning attacks include Median and Norm-Bounding. Robust AGRs that adapt to poisoning attacks use information about malicious updates. IV. Distinguishing Fake and Compromised Adversary Models Fake clients inject arbitrary updates, while compromised clients manipulate model updates. Hybrid adversary model combines fake and compromised clients for more effective attacks. V. Experimental Setup Experiments conducted on CIFAR10 and FEMNIST datasets. Evaluation metrics include attack impact and cost efficiency trade-offs. Synthetic data generated using DDPM for hybrid attacks.

"On CIFAR10 with Median as the AGR, an attack by 10% (20%) malicious clients reduces the model’s accuracy to 33.10% (10.61%)." "Norm-Bounding with threshold τ = 0.5 results in 78.86% accuracy on CIFAR10 with no malicious clients." "Compromising 1 client and injecting 110 fake clients in a hybrid attack on CIFAR10 reduces accuracy to 49.46%."

"The most potent adversary, who has compromised real clients, exerts the most significant influence on the global model." "Fake clients, who do not have any knowledge about the benign clients’ data distribution, have the least impact on the global model."