
FLMJR: Improving Robustness of Federated Learning via Model Stability

  • Conference paper
Computer Security – ESORICS 2022 (ESORICS 2022)

Abstract

Federated Learning (FL) is vulnerable to model poisoning attacks, in which malicious clients send crafted updates that damage the jointly trained global model. Existing defenses rely heavily on restricting clients' model updates. However, even under such restrictions the global model can still be attacked by elaborate malicious perturbations, because the model itself is sensitive to perturbations of its parameters, and this sensitivity is what leaves it vulnerable. In this work we therefore investigate the defense against attacks from a novel perspective: the stability of the model towards perturbation of its parameters. We propose a new method, Federated Learning with Model Jacobian Regularization (FLMJR), to enhance the robustness of FL. Since the prediction volatility of the model is determined by the model-output Jacobian, we reduce that Jacobian through Jacobian regularization to improve model stability towards parameter perturbations while maintaining the model's accuracy. We conduct extensive experiments under both IID and NonIID settings to evaluate the defense against state-of-the-art model poisoning attacks; the results demonstrate that our method not only has superior fidelity and robustness, but can also be easily integrated to further improve the robustness of existing server-based robust aggregation approaches (e.g., Fedavg, Trimean, Median, Bulyan, and FLTrust).

Q. Guo and D. Wu—Equal contribution.


References

  1. Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., Shmatikov, V.: How to backdoor federated learning. In: International Conference on Artificial Intelligence and Statistics, pp. 2938–2948. PMLR (2020)

  2. Baruch, G., Baruch, M., Goldberg, Y.: A little is enough: circumventing defenses for distributed learning. In: Advances in Neural Information Processing Systems, vol. 32, pp. 8635–8645 (2019)

  3. Bhagoji, A.N., Chakraborty, S., Mittal, P., Calo, S.: Analyzing federated learning through an adversarial lens. In: International Conference on Machine Learning, pp. 634–643. PMLR (2019)

  4. Blanchard, P., El Mhamdi, E.M., Guerraoui, R., Stainer, J.: Machine learning with adversaries: Byzantine tolerant gradient descent. In: Proceedings of the 31st International Conference on Neural Information Processing Systems, pp. 118–128 (2017)

  5. Cao, X., Fang, M., Liu, J., Gong, N.Z.: FLTrust: Byzantine-robust federated learning via trust bootstrapping. In: 28th Annual Network and Distributed System Security Symposium, NDSS 2021, virtually, February 21–25, 2021. The Internet Society (2021). http://www.ndss-symposium.org/ndss-paper/fltrust-byzantine-robust-federated-learning-via-trust-bootstrapping/

  6. Fang, M., Cao, X., Jia, J., Gong, N.: Local model poisoning attacks to Byzantine-robust federated learning. In: 29th USENIX Security Symposium (USENIX Security 20), pp. 1605–1622 (2020)

  7. Guerraoui, R., Rouault, S., et al.: The hidden vulnerability of distributed learning in Byzantium. In: International Conference on Machine Learning, pp. 3521–3530. PMLR (2018)

  8. Hoffman, J., Roberts, D.A., Yaida, S.: Robust learning with Jacobian regularization. arXiv preprint arXiv:1908.02729 (2019)

  9. Jagielski, M., Oprea, A., Biggio, B., Liu, C., Nita-Rotaru, C., Li, B.: Manipulating machine learning: poisoning attacks and countermeasures for regression learning. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 19–35. IEEE (2018)

  10. Karimireddy, S.P., He, L., Jaggi, M.: Byzantine-robust learning on heterogeneous datasets via bucketing. arXiv preprint arXiv:2006.09365 (2020)

  11. Karimireddy, S.P., Kale, S., Mohri, M., Reddi, S., Stich, S., Suresh, A.T.: SCAFFOLD: stochastic controlled averaging for federated learning. In: International Conference on Machine Learning, pp. 5132–5143. PMLR (2020)

  12. Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images (2009)

  13. Krizhevsky, A., Sutskever, I., Hinton, G.E.: ImageNet classification with deep convolutional neural networks. In: Advances in Neural Information Processing Systems, vol. 25, pp. 1097–1105 (2012)

  14. LeCun, Y., Bottou, L., Bengio, Y., Haffner, P.: Gradient-based learning applied to document recognition. Proc. IEEE 86(11), 2278–2324 (1998)

  15. Li, T., Sahu, A.K., Zaheer, M., Sanjabi, M., Talwalkar, A., Smith, V.: Federated optimization in heterogeneous networks. In: Proceedings of Machine Learning and Systems, vol. 2, pp. 429–450 (2020)

  16. McMahan, B., Moore, E., Ramage, D., Hampson, S., Arcas, B.A.: Communication-efficient learning of deep networks from decentralized data. In: Artificial Intelligence and Statistics, pp. 1273–1282. PMLR (2017)

  17. Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011)

  18. Shafahi, A., et al.: Poison frogs! Targeted clean-label poisoning attacks on neural networks. In: Proceedings of the 32nd International Conference on Neural Information Processing Systems, pp. 6106–6116 (2018)

  19. Shejwalkar, V., Houmansadr, A.: Manipulating the Byzantine: optimizing model poisoning attacks and defenses for federated learning. In: 28th Annual Network and Distributed System Security Symposium, NDSS 2021, virtually, February 21–25, 2021. The Internet Society (2021)

  20. Shejwalkar, V., Houmansadr, A.: Manipulating the Byzantine: optimizing model poisoning attacks and defenses for federated learning. Internet Society, p. 18 (2021)

  21. Suciu, O., Marginean, R., Kaya, Y., Daume III, H., Dumitras, T.: When does machine learning FAIL? Generalized transferability for evasion and poisoning attacks. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 1299–1316 (2018)

  22. Sun, Z., Kairouz, P., Suresh, A.T., McMahan, H.B.: Can you really backdoor federated learning? arXiv preprint arXiv:1911.07963 (2019)

  23. Varga, D., Csiszárik, A., Zombori, Z.: Gradient regularization improves accuracy of discriminative models (2018)

  24. Wang, H., et al.: Attack of the tails: yes, you really can backdoor federated learning. In: Advances in Neural Information Processing Systems (2020)

  25. Xiao, H., Rasul, K., Vollgraf, R.: Fashion-MNIST: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747 (2017)

  26. Xie, C., Huang, K., Chen, P.Y., Li, B.: DBA: distributed backdoor attacks against federated learning. In: International Conference on Learning Representations (2019)

  27. Yin, D., Chen, Y., Kannan, R., Bartlett, P.: Byzantine-robust distributed learning: towards optimal statistical rates. In: International Conference on Machine Learning, pp. 5650–5659. PMLR (2018)


Acknowledgements

We would like to thank the anonymous reviewers for their valuable comments and suggestions, which greatly improved the content and presentation of this work. This research was supported by the National Natural Science Foundation of China (62172328), the Blockchain Core Technology Strategic Research Program (2020KJ010801), and the National Key Research and Development Program of China (2020AAA0107702).

Corresponding author

Correspondence to Saiyu Qi.

Appendices

A Impact of Hyperparameter \(\lambda \)

Fig. 6. Impact of \(\lambda \) on CIFAR10 with the IID setting and MNIST with the NonIID setting

To explore the impact of the hyperparameter \(\lambda \), we evaluate the defense performance of Trimean with and without FLMJR under LIE attacks for different values of \(\lambda \). The experimental results are presented in Fig. 6. Accordingly, the choice of \(\lambda \) determines the effect of FLMJR. On CIFAR10 with the IID setting, when \(\lambda \) is set to \(10^{-5}\), the impact of Model Jacobian Regularization is weak and cannot help the FL system defend against attacks; the global model therefore only reaches a highest accuracy of \(60.27\%\). When \(\lambda \) is set to \(10^{-4}\), the integration of FLMJR lets the model achieve a trade-off between robustness and availability: the accuracy of the global model reaches \(65.95\%\) and the impact of the LIE attack is almost eliminated. When \(\lambda \) grows to \(10^{-3}\), the share of Model Jacobian Regularization in the objective becomes large, so that the Jacobian regularization dominates the training objective. As a result, the global model only reaches a highest accuracy of \(55.50\%\) and cannot deliver satisfactory performance as a general model.

Similarly, on MNIST with the NonIID setting, when \(\lambda \) is set to a large value the global model cannot achieve general performance, whereas when \(\lambda \) is set to a small value the global model is still affected by the attacks. The choice of \(\lambda \) thus determines the balance between robustness and the general performance of the model, and for a specific situation \(\lambda \) needs to be tuned carefully to achieve a trade-off between accuracy and robustness. Note that the accuracy starts to decrease after reaching a certain peak value. This is because the impact of the attack continues to grow after the attack has succeeded, until the model loses availability (i.e., the accuracy drops to about 10%). Meanwhile, we can also observe that a larger \(\lambda =10^{-3}\) still mitigates the attack impact under such extreme conditions and improves model availability (i.e., the accuracy reaches about 20%).
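As an added illustration of the stability notion behind the \(\lambda \) trade-off (example code, not the authors' implementation), the following Python computes the output Jacobian of a small softmax classifier with respect to its parameters, shows the first-order bound that Jacobian gives on the prediction change under a parameter perturbation, and forms an objective of cross-entropy plus \(\lambda \) times the squared Jacobian norm. The exact form of the regularizer, the toy model and the sample input are assumptions made here, not taken from the paper.

```python
import math

def softmax(z):
    e = [math.exp(v - max(z)) for v in z]
    return [v / sum(e) for v in e]

def predict(W, x):
    # W: K weight rows of length d+1 (last entry is the bias); x: length d
    xb = list(x) + [1.0]
    return softmax([sum(w * v for w, v in zip(row, xb)) for row in W])

def param_jacobian(W, x):
    # Jacobian of the K outputs w.r.t. all K*(d+1) parameters, row-major:
    # d p_i / d W[k][j] = p_i * (1[i == k] - p_k) * xb[j]
    xb, p = list(x) + [1.0], predict(W, x)
    J = []
    for i, p_i in enumerate(p):
        row = []
        for k, p_k in enumerate(p):
            coef = p_i * ((1.0 if i == k else 0.0) - p_k)
            row.extend(coef * v for v in xb)
        J.append(row)
    return J

def frobenius(J):
    return math.sqrt(sum(v * v for row in J for v in row))

def perturb(W, delta):
    # delta: flat perturbation of every parameter, same order as Jacobian columns
    n = len(W[0])
    return [[W[k][j] + delta[k * n + j] for j in range(n)] for k in range(len(W))]

def prediction_shift(W, x, delta):
    # Actual output change under a parameter perturbation; to first order it is
    # bounded by ||J||_F * ||delta||, so a smaller Jacobian norm means a more stable model
    p0, p1 = predict(W, x), predict(perturb(W, delta), x)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p0, p1)))

def regularized_loss(W, x, y, lam):
    # Assumed per-sample objective: cross-entropy + lam * ||J||_F^2 (lam is the knob
    # whose tuning Appendix A reports); returns (ce, ||J||_F^2, total)
    ce = -math.log(predict(W, x)[y])
    jac2 = frobenius(param_jacobian(W, x)) ** 2
    return ce, jac2, ce + lam * jac2

# Constructed sample: a near-uniform (zero-weight) model and a confident one
X = [1.0, 2.0]
W_FLAT = [[0.0] * 3 for _ in range(3)]
W_CONF = [[5.0, 5.0, 0.0], [-5.0, -5.0, 0.0], [0.0, 0.0, 0.0]]
```

Comparing `frobenius(param_jacobian(W, X))` for the two models shows which one a fixed-size parameter perturbation can move further, which is the quantity the regularization term drives down as \(\lambda \) grows.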

B Empirical Validation of the Generalization Ability of FLMJR

Fig. 7. Empirical validation of the generalization ability of FLMJR

To further validate the generalization ability of FLMJR in the IID scenario with no attacks applied, we additionally conduct empirical evaluations on the CIFAR10 dataset. Specifically, we estimate the generalization improvement that FLMJR brings to FL systems with different aggregation rules. Besides the robust aggregations used in the main paper, we also evaluate the performance of FLMJR on generic aggregations including Fedavg [16], FedProx [15] and Scaffold [11]. As shown in Fig. 7, the integration of FLMJR enhances the performance of all the aggregations in the IID scenario. With the Bulyan and Scaffold aggregations, the integration of FLMJR slightly improves the generalization ability of the global model, whereas on Trimean, Fedavg, Median and FedProx, FLMJR noticeably enhances the performance of these aggregations.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Guo, Q., Wu, D., Qi, Y., Qi, S., Li, Q. (2022). FLMJR: Improving Robustness of Federated Learning via Model Stability. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_20


  • DOI: https://doi.org/10.1007/978-3-031-17143-7_20


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17142-0

  • Online ISBN: 978-3-031-17143-7
