Abstract
Federated learning has recently shown significant advantages in protecting training-data privacy by maintaining a joint model across multiple clients. However, its model security has only recently been studied, and that work shows federated learning to be inherently vulnerable to active attacks launched by malicious participants. Poisoning is one of the most powerful active attacks: an insider uploads crafted local model updates in order to degrade the performance of the global model. In this paper, we first illustrate how the poisoning attack works in the context of federated learning. We then propose a corresponding defense that relies mainly on a well-researched adversarial training technique, pivotal training, which improves the robustness of the global model in the presence of poisoned local updates. The main contribution of this work is that the countermeasure is simple and scalable: it requires no complex accuracy validation and changes only the optimization objectives and loss functions. We finally demonstrate the effectiveness of the proposed mitigation mechanisms through extensive experiments.
Supported in part by the National Key Research and Development Program of China, under Grant 2019YFB2102000, in part by the National Natural Science Foundation of China, under Grant 61672283, and in part by the Postgraduate Research & Practice Innovation Program of Jiangsu Province under Grant KYCX18_0308.
© 2020 Springer Nature Singapore Pte Ltd.
Zhang, J., Wu, D., Liu, C., Chen, B. (2020). Defending Poisoning Attacks in Federated Learning via Adversarial Training Method. In: Xu, G., Liang, K., Su, C. (eds) Frontiers in Cyber Security. FCS 2020. Communications in Computer and Information Science, vol 1286. Springer, Singapore. https://doi.org/10.1007/978-981-15-9739-8_7
DOI: https://doi.org/10.1007/978-981-15-9739-8_7
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-9738-1
Online ISBN: 978-981-15-9739-8