Aspis: A Robust Detection System for Distributed Learning
- URL: http://arxiv.org/abs/2108.02416v1
- Date: Thu, 5 Aug 2021 07:24:38 GMT
- Title: Aspis: A Robust Detection System for Distributed Learning
- Authors: Konstantinos Konstantinidis, Aditya Ramamoorthy
- Abstract summary: Machine learning systems can be compromised when some of the computing devices exhibit abnormal (Byzantine) behavior.
Our proposed method Aspis assigns gradient computations to worker nodes using a subset-based assignment.
We prove the Byzantine resilience and detection guarantees of Aspis under weak and strong attacks and extensively evaluate the system on various large-scale training scenarios.
- Score: 13.90938823562779
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: State-of-the-art machine learning models are routinely trained on
large-scale distributed clusters. Crucially, such systems can be compromised when some of
the computing devices exhibit abnormal (Byzantine) behavior and return
arbitrary results to the parameter server (PS). This behavior may be attributed
to a plethora of reasons including system failures and orchestrated attacks.
Existing work suggests robust aggregation and/or computational redundancy to
alleviate the effect of distorted gradients. However, most of these schemes are
ineffective when an adversary knows the task assignment and can judiciously
choose the attacked workers to induce maximal damage. Our proposed method Aspis
assigns gradient computations to worker nodes using a subset-based assignment
which allows for multiple consistency checks on the behavior of a worker node.
Examination of the calculated gradients and post-processing (clique-finding in
an appropriately constructed graph) by the central node allows for efficient
detection and subsequent exclusion of adversaries from the training process. We
prove the Byzantine resilience and detection guarantees of Aspis under weak and
strong attacks and extensively evaluate the system on various large-scale
training scenarios. The main metric for our experiments is the test accuracy,
for which we demonstrate a significant improvement of about 30% compared to many
state-of-the-art approaches on the CIFAR-10 dataset. The corresponding
reduction of the fraction of corrupted gradients ranges from 16% to 98%.
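As a rough illustration of the mechanism above, the Python sketch below assigns one gradient task to every r-subset of workers, runs pairwise consistency checks, and flags workers outside the largest clique of an agreement graph. The redundancy r, the agreement rule, and the simulated attack are illustrative assumptions, not the paper's exact construction.

```python
# Toy sketch of subset-based assignment with clique-based detection,
# loosely following the Aspis abstract; parameters are assumptions.
import itertools
import numpy as np
import networkx as nx

rng = np.random.default_rng(0)
K, r = 7, 3                      # workers, redundancy per task (assumed)
true_grad = rng.normal(size=5)   # stand-in for the batch gradient
byzantine = {0, 1}               # adversarial worker ids (simulation only)

# Each r-subset of workers is assigned one common gradient task.
tasks = list(itertools.combinations(range(K), r))

def worker_output(w):
    # Byzantine workers return an arbitrarily distorted gradient.
    return true_grad + 10.0 if w in byzantine else true_grad

# A pair of workers stays "agreeing" only if they returned identical
# results on every task they share.
agree = {pair: True for pair in itertools.combinations(range(K), 2)}
for subset in tasks:
    outs = {w: worker_output(w) for w in subset}
    for i, j in itertools.combinations(subset, 2):
        if not np.allclose(outs[i], outs[j]):
            agree[(i, j)] = False

G = nx.Graph()
G.add_nodes_from(range(K))
G.add_edges_from(p for p, ok in agree.items() if ok)

# Honest workers always agree, so they form a clique; workers outside
# the largest maximal clique are flagged and excluded from aggregation.
largest = max(nx.find_cliques(G), key=len)
suspects = sorted(set(range(K)) - set(largest))
print("flagged workers:", suspects)   # -> [0, 1]
```

The point of the subset assignment is visible here: an adversary can only avoid detection by agreeing with every honest worker on every shared task, which amounts to not attacking at all.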
Related papers
- Indiscriminate Disruption of Conditional Inference on Multivariate Gaussians [60.22542847840578]
Despite advances in adversarial machine learning, inference for Gaussian models in the presence of an adversary is notably understudied.
We consider a self-interested attacker who wishes to disrupt a decision-maker's conditional inference and subsequent actions by corrupting a set of evidentiary variables.
To avoid detection, the attacker also desires the attack to appear plausible, where plausibility is determined by the density of the corrupted evidence (a toy sketch of this setting follows the entry).
arXiv Detail & Related papers (2024-11-21T17:46:55Z)
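For the entry above, a minimal sketch of conditional Gaussian inference with a density-based plausibility check on corrupted evidence; the covariance, the split into target and evidentiary variables, and the attacker's shift are all assumed for illustration.

```python
# Conditional Gaussian inference and a plausibility (log-density) check;
# the numbers and the perturbation are illustrative, not the paper's attack.
import numpy as np
from scipy.stats import multivariate_normal

mu = np.array([0.0, 0.0, 0.0])
Sigma = np.array([[2.0, 0.8, 0.5],
                  [0.8, 1.0, 0.3],
                  [0.5, 0.3, 1.5]])
idx_t, idx_e = [0], [1, 2]            # target vs. evidentiary variables

def conditional_mean(evidence):
    # mu_t + Sigma_te Sigma_ee^{-1} (evidence - mu_e)
    S_te = Sigma[np.ix_(idx_t, idx_e)]
    S_ee = Sigma[np.ix_(idx_e, idx_e)]
    return mu[idx_t] + S_te @ np.linalg.solve(S_ee, evidence - mu[idx_e])

clean = np.array([0.2, -0.1])
corrupted = clean + np.array([1.5, 0.5])   # attacker's shift (assumed)

marginal = multivariate_normal(mu[idx_e], Sigma[np.ix_(idx_e, idx_e)])
print("inference shift:", conditional_mean(corrupted) - conditional_mean(clean))
print("plausibility clean -> corrupted:",
      marginal.logpdf(clean), "->", marginal.logpdf(corrupted))
```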
- Corpus Poisoning via Approximate Greedy Gradient Descent [48.5847914481222]
We propose Approximate Greedy Gradient Descent, a new attack on dense retrieval systems based on the widely used HotFlip method for generating adversarial passages.
We show that our method achieves a high attack success rate on several datasets and with several retrievers, and can generalize to unseen queries and new domains (a toy first-order flip is sketched after this entry).
arXiv Detail & Related papers (2024-06-07T17:02:35Z)
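For the corpus-poisoning entry above, a toy first-order (HotFlip-style) token flip on a linear bag-of-embeddings scorer: the swap that maximizes the gradient-predicted gain is applied greedily. The model and vocabulary are stand-ins, and the sketch does not reproduce AGGD's approximation of the greedy search.

```python
# Toy HotFlip-style greedy token replacement in numpy.
import numpy as np

rng = np.random.default_rng(1)
V, d = 50, 8
E = rng.normal(size=(V, d))            # token embedding table (stand-in)
query = rng.normal(size=d)

passage = list(rng.integers(0, V, size=6))

def score(tokens):
    # mean-of-embeddings "retriever": similarity of passage to query
    return E[tokens].mean(axis=0) @ query

# For this linear score, d(score)/d(e_i) = query / len(passage), so the
# first-order gain of swapping token i for v is (E[v] - E[old_i]) @ grad.
grad = query / len(passage)
gains = (E - E[passage][:, None, :]) @ grad      # (positions, vocab) gains
i, v = np.unravel_index(np.argmax(gains), gains.shape)
print(f"swap position {i}: token {passage[i]} -> {v}")
passage[i] = int(v)
print("score after greedy flip:", score(passage))
```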
- Noisy Correspondence Learning with Self-Reinforcing Errors Mitigation [63.180725016463974]
Cross-modal retrieval relies on well-matched large-scale datasets that are laborious to construct in practice.
We introduce a novel noisy correspondence learning framework, namely Self-Reinforcing Errors Mitigation (SREM).
arXiv Detail & Related papers (2023-12-27T09:03:43Z)
- Quantile-based Maximum Likelihood Training for Outlier Detection [5.902139925693801]
We introduce a quantile-based maximum likelihood objective for learning the inlier distribution to improve the outlier separation during inference.
Our approach fits a normalizing flow to pre-trained discriminative features and detects outliers according to the evaluated log-likelihood (a minimal quantile-threshold sketch follows this entry).
arXiv Detail & Related papers (2023-08-20T22:27:54Z)
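For the outlier-detection entry above, a minimal sketch of likelihood scoring with a quantile threshold. A diagonal Gaussian stands in for the paper's normalizing flow over pre-trained features, and the 5% quantile is an assumed choice.

```python
# Likelihood-based outlier scoring with a quantile threshold.
import numpy as np
from scipy.stats import norm

rng = np.random.default_rng(2)
inlier_feats = rng.normal(loc=0.0, scale=1.0, size=(1000, 4))

# Fit a diagonal Gaussian as a stand-in density model for the flow.
mu, sd = inlier_feats.mean(axis=0), inlier_feats.std(axis=0)

def log_likelihood(x):
    return norm.logpdf(x, mu, sd).sum(axis=-1)

# Threshold at the 5% quantile of inlier log-likelihoods: anything less
# likely than 95% of training inliers is declared an outlier.
tau = np.quantile(log_likelihood(inlier_feats), 0.05)

test = np.vstack([rng.normal(size=(3, 4)),            # inliers
                  rng.normal(loc=4.0, size=(3, 4))])  # outliers
print("outlier?", log_likelihood(test) < tau)
```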
- Detection and Mitigation of Byzantine Attacks in Distributed Training [24.951227624475443]
Abnormal Byzantine behavior of the worker nodes can derail the training and compromise the quality of the inference.
Recent work considers a wide range of attack models and has explored robust aggregation and/or computational redundancy to correct the distorted gradients.
In this work, we consider attack models ranging from strong ones ($q$ omniscient adversaries with full knowledge of the defense protocol, which can change from iteration to iteration) to weak ones ($q$ randomly chosen adversaries with limited collusion abilities); a robust-aggregation baseline is sketched after this entry.
arXiv Detail & Related papers (2022-08-17T05:49:52Z)
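For the entry above, a small sketch of the robust-aggregation baseline it refers to: with q < K/2 distorted gradients, a coordinate-wise median stays near the honest gradient while a plain mean is dragged away. The sizes and attack values are illustrative.

```python
# Coordinate-wise median vs. mean under q distorted gradients.
import numpy as np

rng = np.random.default_rng(3)
K, q, d = 15, 4, 6
honest = rng.normal(0.0, 0.1, size=(K - q, d)) + 1.0  # near the true gradient
byz = np.full((q, d), -50.0)                          # distorted returns
grads = np.vstack([honest, byz])

print("mean  :", grads.mean(axis=0))        # dragged far from ~1.0
print("median:", np.median(grads, axis=0))  # stays near ~1.0 since q < K/2
```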
- Large-Scale Sequential Learning for Recommender and Engineering Systems [91.3755431537592]
In this thesis, we focus on the design of automatic algorithms that provide personalized ranking by adapting to the current conditions.
We propose a novel algorithm called SAROS that takes both kinds of feedback into account for learning over the sequence of interactions.
The proposed idea of taking neighbouring lines into account shows statistically significant improvements over the initial approach for fault detection in power grids.
arXiv Detail & Related papers (2022-05-13T21:09:41Z)
- Byzantine-robust Federated Learning through Collaborative Malicious Gradient Filtering [32.904425716385575]
We show that the element-wise sign of the gradient vector can provide valuable insight in detecting model poisoning attacks.
We propose a novel approach called SignGuard to enable Byzantine-robust federated learning through collaborative malicious gradient filtering (a rough sign-statistics sketch follows this entry).
arXiv Detail & Related papers (2021-09-13T11:15:15Z)
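For the SignGuard entry above, a rough sketch of sign-statistics filtering: clients whose fraction of positive gradient entries deviates from the majority are dropped before averaging. The tolerance and the simulated sign-flipping attack are assumptions; the published method combines several such statistics.

```python
# Sign-statistics filtering in the spirit of SignGuard.
import numpy as np

rng = np.random.default_rng(4)
K, d = 10, 1000
grads = rng.normal(0.5, 1.0, size=(K, d))   # honest client gradients
grads[:2] = -grads[:2] * 5.0                # two sign-flipping attackers

# Per-client fraction of positive entries (one possible sign statistic).
pos_frac = (grads > 0).mean(axis=1)
med = np.median(pos_frac)
keep = np.abs(pos_frac - med) < 0.1         # assumed tolerance

print("kept clients:", np.nonzero(keep)[0])
agg = grads[keep].mean(axis=0)              # aggregate only trusted clients
```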
- LEGATO: A LayerwisE Gradient AggregaTiOn Algorithm for Mitigating Byzantine Attacks in Federated Learning [10.667821026727573]
Federated learning has arisen as a mechanism to allow multiple participants to collaboratively train a model without sharing their data.
We introduce LayerwisE Gradient AggregaTiOn (LEGATO), an aggregation algorithm that is, by contrast, scalable and generalizable.
We show that LEGATO is more computationally efficient than multiple state-of-the-art techniques and more generally robust across a variety of attack settings in practice (an assumed layerwise reweighting is sketched after this entry).
arXiv Detail & Related papers (2021-07-26T21:34:45Z)
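For the LEGATO entry above, a hedged sketch of layerwise aggregation: each layer is aggregated separately, and layers whose gradient norms vary wildly across clients are down-weighted. The weighting rule here is an invented stand-in for illustration, not the published algorithm.

```python
# Layerwise aggregation with an assumed variability-based down-weighting.
import numpy as np

rng = np.random.default_rng(5)
K = 8
layers = {"conv": (3, 3, 16), "fc": (16, 10)}
grads = [{n: rng.normal(size=s) for n, s in layers.items()} for _ in range(K)]
grads[0]["fc"] *= 100.0                     # one attacker blows up a layer

agg = {}
for name in layers:
    stack = np.stack([g[name] for g in grads])           # (K, *shape)
    norms = np.linalg.norm(stack.reshape(K, -1), axis=1)
    weight = 1.0 / (1.0 + norms.std() / norms.mean())    # assumed rule
    agg[name] = weight * stack.mean(axis=0)              # layerwise update
    print(f"{name}: weight {weight:.3f}")                # "fc" is damped
```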
- Discriminator-Free Generative Adversarial Attack [87.71852388383242]
Generative-based adversarial attacks can get rid of this limitation.
A Symmetric Saliency-based Auto-Encoder (SSAE) generates the perturbations.
The adversarial examples generated by SSAE not only make the widely-used models collapse, but also achieve good visual quality.
arXiv Detail & Related papers (2021-07-20T01:55:21Z)
- Shaping Deep Feature Space towards Gaussian Mixture for Visual Classification [74.48695037007306]
We propose a Gaussian mixture (GM) loss function for deep neural networks for visual classification.
With a classification margin and a likelihood regularization, the GM loss facilitates both high classification performance and accurate modeling of the feature distribution.
The proposed model can be implemented easily and efficiently without using extra trainable parameters (a toy version of the loss follows this entry).
arXiv Detail & Related papers (2020-11-18T03:32:27Z)
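For the entry above, a toy version of a Gaussian-mixture loss with identity covariances: logits are negative squared distances to class means, a margin inflates the true-class distance, and a likelihood term pulls features toward their class Gaussian. The margin and regularization weight are assumed values.

```python
# Toy GM loss: distance-based cross-entropy with a margin, plus a
# likelihood regularizer; m and lam are illustrative constants.
import numpy as np

def gm_loss(z, y, means, m=0.3, lam=0.1):
    rows = np.arange(len(y))
    d2 = ((z[:, None, :] - means[None, :, :]) ** 2).sum(-1) / 2.0  # (B, C)
    logits = -d2.copy()
    logits[rows, y] = -(1.0 + m) * d2[rows, y]   # classification margin
    # cross-entropy over distance-based logits
    logp = logits - np.log(np.exp(logits).sum(1, keepdims=True))
    ce = -logp[rows, y].mean()
    # likelihood regularization: features should fit their class Gaussian
    lkd = d2[rows, y].mean()
    return ce + lam * lkd

rng = np.random.default_rng(6)
means = np.eye(3) * 2.0                    # 3 classes in 3-D feature space
z = means[[0, 1, 2]] + rng.normal(0, 0.1, size=(3, 3))
print("GM loss:", gm_loss(z, np.array([0, 1, 2]), means))
```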
- ByzShield: An Efficient and Robust System for Distributed Training [12.741811850885309]
In this work, we consider an omniscient attack model where the adversary has full knowledge of the gradient assignments of the workers.
Our redundancy-based method ByzShield leverages the properties of bipartite expander graphs for the assignment of tasks to workers.
Our experiments on training and image classification on the CIFAR-10 dataset show that ByzShield has, on average, a 20% accuracy advantage under the most sophisticated attacks (a toy replication-and-voting sketch follows this entry).
arXiv Detail & Related papers (2020-10-10T04:41:53Z)
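For the ByzShield entry above, a toy replication-and-majority-vote sketch: each task is computed by r workers and the parameter server keeps the majority value per task. The cyclic placement below is a simple stand-in for the paper's bipartite expander-graph assignment.

```python
# Redundant task placement plus per-task majority voting.
import numpy as np
from collections import Counter

K, r = 9, 3                       # workers, replication factor (assumed)
tasks = [[(t + j) % K for j in range(r)] for t in range(K)]  # cyclic placement
byzantine = {0, 4}

def output(worker, task):
    # honest workers return the true value (here, the task id)
    return -1.0 if worker in byzantine else float(task)

recovered = []
for t, workers in enumerate(tasks):
    votes = Counter(output(w, t) for w in workers)
    recovered.append(votes.most_common(1)[0][0])   # majority per task

corrupted = sum(v != float(t) for t, v in enumerate(recovered))
print(f"corrupted tasks after voting: {corrupted}/{len(tasks)}")  # -> 0/9
```

With this placement no task is shared by both adversaries, so every majority vote is decided by honest workers; the paper's expander-based assignment is designed to guarantee that kind of dispersion against a knowledgeable adversary.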