LearnDefend: Learning to Defend against Targeted Model-Poisoning Attacks on Federated Learning
- URL: http://arxiv.org/abs/2305.02022v1
- Date: Wed, 3 May 2023 10:20:26 GMT
- Title: LearnDefend: Learning to Defend against Targeted Model-Poisoning Attacks on Federated Learning
- Authors: Kiran Purohit, Soumi Das, Sourangshu Bhattacharya and Santu Rana
- Abstract summary: Recent studies show that edge-case targeted attacks, which target a small fraction of the input space, are nearly impossible to counter using existing fixed defense strategies.
In this paper, we strive to design a learned-defense strategy against such attacks, using a small defense dataset.
The proposed framework, LearnDefend, estimates the probability of a client update being malicious.
- Score: 15.649086996679914
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Targeted model poisoning attacks pose a significant threat to federated
learning systems. Recent studies show that edge-case targeted attacks, which
target a small fraction of the input space, are nearly impossible to counter
using existing fixed defense strategies. In this paper, we strive to design a
learned-defense strategy against such attacks, using a small defense dataset.
The defense dataset can be collected by the central authority of the federated
learning task, and should contain a mix of poisoned and clean examples. The
proposed framework, LearnDefend, estimates the probability of a client update
being malicious. The examples in the defense dataset need not be pre-marked as
poisoned or clean. We also learn a poisoned data detector model which can be
used to mark each example in the defense dataset as clean or poisoned. We
estimate the poisoned data detector and the client importance models using a
coupled optimization approach. Our experiments demonstrate that LearnDefend is
capable of defending against state-of-the-art attacks where existing fixed
defense strategies fail. We also show that LearnDefend is robust to size and
noise in the marking of clean examples in the defense dataset.
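
A minimal sketch of how such per-client maliciousness estimates could enter aggregation: down-weight each update by its estimated probability of being malicious before averaging. The probabilities would come from the client-importance model learned jointly with the poisoned data detector; the function and toy numbers below are illustrative assumptions, not the paper's coupled-optimization procedure.

```python
import numpy as np

def weighted_fedavg(client_updates, malicious_probs):
    """Aggregate client updates, down-weighting likely-malicious clients.

    client_updates: list of flattened parameter-update vectors, one per client.
    malicious_probs: per-client probability of being malicious, as produced
        by a client-importance model trained on the defense dataset.
    """
    weights = 1.0 - np.asarray(malicious_probs)   # benign-ness of each client
    weights = weights / weights.sum()             # normalise to a convex combination
    return sum(w * u for w, u in zip(weights, client_updates))

# Toy usage: two benign clients and one confidently flagged attacker.
updates = [np.array([1.0, 0.0]), np.array([0.9, 0.1]), np.array([-5.0, 5.0])]
print(weighted_fedavg(updates, malicious_probs=[0.1, 0.2, 0.95]))
# -> dominated by the two benign updates
```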
Related papers
- Have You Poisoned My Data? Defending Neural Networks against Data Poisoning [0.393259574660092]
We propose a novel approach to detect and filter poisoned datapoints in the transfer learning setting.
We show that effective poisons can be successfully differentiated from clean points in the characteristic vector space.
Our evaluation shows that our proposal outperforms existing approaches in defense rate and final trained model performance.
arXiv Detail & Related papers (2024-03-20T11:50:16Z)
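
As a rough illustration of separating poisons from clean points in a feature space, one could flag samples whose characteristic vectors sit far from the bulk. The vectors and threshold below are placeholders, not the paper's actual construction or decision rule.

```python
import numpy as np

def flag_suspected_poisons(char_vectors, z_thresh=3.0):
    """Flag points whose distance from the centroid of the characteristic
    vectors is anomalously large (True = suspected poison)."""
    centroid = char_vectors.mean(axis=0)
    dists = np.linalg.norm(char_vectors - centroid, axis=1)
    z = (dists - dists.mean()) / (dists.std() + 1e-12)  # standardised distances
    return z > z_thresh
```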
- Towards Attack-tolerant Federated Learning via Critical Parameter Analysis [85.41873993551332]
Federated learning systems are susceptible to poisoning attacks when malicious clients send false updates to the central server.
This paper proposes a new defense strategy, FedCPA (Federated learning with Critical Parameter Analysis).
Our attack-tolerant aggregation method is based on the observation that benign local models have similar sets of top-k and bottom-k critical parameters, whereas poisoned local models do not.
arXiv Detail & Related papers (2023-08-18T05:37:55Z)
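
The top-k/bottom-k observation can be turned into a pairwise similarity between client updates. The sketch below is one plausible reading of that idea, not FedCPA's exact scoring rule.

```python
import numpy as np

def critical_param_similarity(update_a, update_b, k=100):
    """Jaccard overlap of the top-k and bottom-k parameter indices of two
    flattened client updates; benign updates tend to score high together,
    poisoned ones do not."""
    def extreme_sets(u):
        order = np.argsort(u)
        return set(order[:k].tolist()), set(order[-k:].tolist())

    bot_a, top_a = extreme_sets(update_a)
    bot_b, top_b = extreme_sets(update_b)
    jaccard = lambda s, t: len(s & t) / len(s | t)
    return 0.5 * (jaccard(top_a, top_b) + jaccard(bot_a, bot_b))
```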
- FedDefender: Client-Side Attack-Tolerant Federated Learning [60.576073964874]
Federated learning enables learning from decentralized data sources without compromising privacy.
It is vulnerable to model poisoning attacks, where malicious clients interfere with the training process.
We propose a new defense mechanism that focuses on the client-side, called FedDefender, to help benign clients train robust local models.
arXiv Detail & Related papers (2023-07-18T08:00:41Z)
- Avoid Adversarial Adaption in Federated Learning by Multi-Metric Investigations [55.2480439325792]
Federated Learning (FL) facilitates decentralized machine learning model training, preserving data privacy, lowering communication costs, and boosting model performance through diversified data sources.
FL faces vulnerabilities such as poisoning attacks, undermining model integrity with both untargeted performance degradation and targeted backdoor attacks.
We define a new notion of strong adaptive adversaries, capable of adapting to multiple objectives simultaneously.
The proposed defense, MESAS, is the first to remain robust against such strong adaptive adversaries; it is effective in real-world data scenarios, with an average overhead of just 24.37 seconds.
arXiv Detail & Related papers (2023-06-06T11:44:42Z)
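
One way to read the multi-metric idea: an update survives only if it looks normal under every metric simultaneously, which forces an attacker to adapt to all of them at once. The metrics below (norm, cosine to the mean update, coordinate variance) are illustrative stand-ins, not the set MESAS actually measures.

```python
import numpy as np

def multi_metric_filter(updates, z_thresh=2.5):
    """Keep only updates that look normal under ALL metrics at once
    (True = keep the update)."""
    U = np.asarray(updates, dtype=float)
    mean = U.mean(axis=0)
    norms = np.linalg.norm(U, axis=1)
    cosines = U @ mean / (norms * np.linalg.norm(mean) + 1e-12)
    variances = U.var(axis=1)
    metrics = np.stack([norms, cosines, variances], axis=1)
    # z-score each metric across clients; an outlier on any metric is dropped
    z = np.abs(metrics - metrics.mean(axis=0)) / (metrics.std(axis=0) + 1e-12)
    return (z < z_thresh).all(axis=1)
```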
- Defending against the Label-flipping Attack in Federated Learning [5.769445676575767]
Federated learning (FL) provides autonomy and privacy by design to participating peers.
The label-flipping (LF) attack is a targeted poisoning attack where the attackers poison their training data by flipping the labels of some examples.
We propose a novel defense that first dynamically extracts the output-layer gradients most affected by label flipping from the peers' local updates.
arXiv Detail & Related papers (2022-07-05T12:02:54Z)
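
Since label flipping chiefly distorts output-layer gradients, a simple reading of the defense is to cluster those gradients and keep the majority cluster. The 2-means sketch below illustrates the idea only; the paper's actual procedure differs.

```python
import numpy as np
from sklearn.cluster import KMeans

def filter_label_flippers(output_layer_grads):
    """Two-cluster the peers' output-layer gradients and keep the majority
    cluster, on the assumption that flipped updates form their own, smaller
    cluster (True = treated as benign)."""
    grads = np.asarray(output_layer_grads, dtype=float)
    labels = KMeans(n_clusters=2, n_init=10).fit_predict(grads)
    majority = np.bincount(labels).argmax()
    return labels == majority
```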
- A Unified Evaluation of Textual Backdoor Learning: Frameworks and Benchmarks [72.7373468905418]
We develop an open-source toolkit OpenBackdoor to foster the implementations and evaluations of textual backdoor learning.
We also propose CUBE, a simple yet strong clustering-based defense baseline.
arXiv Detail & Related papers (2022-06-17T02:29:23Z)
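
A clustering-based baseline in the spirit of CUBE might, within each label class, split the sample embeddings into clusters and discard the minority one, where backdoored samples tend to concentrate. CUBE itself uses density-based clustering, so this 2-means version is only a sketch.

```python
import numpy as np
from sklearn.cluster import KMeans

def cube_style_filter(embeddings, labels):
    """Per label class, split embeddings into two clusters and drop the
    minority cluster (True = keep the training example)."""
    keep = np.ones(len(labels), dtype=bool)
    for c in np.unique(labels):
        idx = np.where(labels == c)[0]
        if len(idx) < 2:
            continue
        assign = KMeans(n_clusters=2, n_init=10).fit_predict(embeddings[idx])
        counts = np.bincount(assign, minlength=2)
        keep[idx[assign == counts.argmin()]] = False  # drop the smaller cluster
    return keep
```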
- Influence Based Defense Against Data Poisoning Attacks in Online Learning [9.414651358362391]
Data poisoning is an attack where an attacker manipulates a fraction of the training data to degrade the performance of a machine learning model.
We propose a defense mechanism to minimize the degradation caused by the poisoned training data on a learner's model in an online setup.
arXiv Detail & Related papers (2021-04-24T08:39:13Z)
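
A first-order reading of influence in the online setting: an SGD step on a newly arriving example raises the validation loss when the example's gradient opposes the validation gradient. A tiny sketch of that test, not the paper's full mechanism:

```python
import numpy as np

def sgd_step_is_harmful(sample_grad, val_grad):
    """An SGD step of size eta on the example changes the validation loss by
    roughly -eta * <sample_grad, val_grad>, so a negative inner product flags
    the example as likely degrading the model."""
    return float(np.dot(sample_grad, val_grad)) < 0.0
```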
- SPECTRE: Defending Against Backdoor Attacks Using Robust Statistics [44.487762480349765]
A small fraction of poisoned data changes the behavior of a trained model when triggered by an attacker-specified watermark.
We propose a novel defense algorithm using robust covariance estimation to amplify the spectral signature of corrupted data.
arXiv Detail & Related papers (2021-04-22T20:49:40Z)
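
The spectral-signature idea can be sketched as whitening the learned representations and scoring each sample by its projection on the top singular direction. SPECTRE's key ingredient is doing the whitening with a *robust* covariance estimate, which the plain empirical covariance below only approximates.

```python
import numpy as np

def spectral_scores(representations):
    """Score samples by magnitude along the top singular direction after
    whitening; unusually high scores suggest corrupted data."""
    X = representations - representations.mean(axis=0)
    cov = np.cov(X, rowvar=False) + 1e-6 * np.eye(X.shape[1])  # ridge for stability
    L = np.linalg.cholesky(np.linalg.inv(cov))  # whitening transform
    Xw = X @ L
    _, _, vt = np.linalg.svd(Xw, full_matrices=False)
    return np.abs(Xw @ vt[0])  # projection onto the top singular direction
```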
- Witches' Brew: Industrial Scale Data Poisoning via Gradient Matching [56.280018325419896]
Data Poisoning attacks modify training data to maliciously control a model trained on such data.
We analyze a particularly malicious poisoning attack that is both "from scratch" and "clean label."
We show that it is the first poisoning method to cause targeted misclassification in modern deep networks trained from scratch on a full-sized, poisoned ImageNet dataset.
arXiv Detail & Related papers (2020-09-04T16:17:54Z)
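
The gradient-matching objective itself is compact: make the gradient induced by the poisoned batch align with the adversary's target gradient, so that ordinary training on the poisons mimics training on the target. A sketch of the loss (the full attack wraps this in a bilevel crafting loop):

```python
import numpy as np

def gradient_matching_loss(poison_grad, target_grad):
    """One minus the cosine similarity between the training gradient induced
    by the poisoned batch and the adversary's target gradient; the attacker
    perturbs the poisons to drive this toward 0."""
    cos = np.dot(poison_grad, target_grad) / (
        np.linalg.norm(poison_grad) * np.linalg.norm(target_grad) + 1e-12)
    return 1.0 - cos
```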
- Subpopulation Data Poisoning Attacks [18.830579299974072]
Poisoning attacks against machine learning induce adversarial modification of data used by a machine learning algorithm to selectively change its output when it is deployed.
We introduce a novel data poisoning attack called a subpopulation attack, which is particularly relevant when datasets are large and diverse.
We design a modular framework for subpopulation attacks, instantiate it with different building blocks, and show that the attacks are effective for a variety of datasets and machine learning models.
arXiv Detail & Related papers (2020-06-24T20:20:52Z)
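
One simple instantiation of the modular recipe (pick a subpopulation, then attack it) is flipping labels only inside a precomputed subpopulation mask, so global accuracy barely moves while the subpopulation's predictions are controlled. The helper below is illustrative; the mask could come from feature matching or clustering.

```python
import numpy as np

def subpopulation_label_flip(y, subpop_mask, new_label):
    """Flip labels only inside one subpopulation, leaving all other
    training labels untouched."""
    y_poisoned = y.copy()
    y_poisoned[subpop_mask] = new_label
    return y_poisoned
```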
- A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
Adversarial examples can cause catastrophic mistakes in Deep Neural Network (DNN)-based vision systems.
This paper proposes a self-supervised adversarial training mechanism in the input space.
It provides significant robustness against unseen adversarial attacks.
arXiv Detail & Related papers (2020-06-08T20:42:39Z)
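
A label-free way to generate the input-space perturbations such training relies on is to maximize feature distortion against a frozen encoder. The sketch below assumes a differentiable `encoder` and standard PGD-style steps; it is not the paper's full training recipe.

```python
import torch
import torch.nn.functional as F

def self_supervised_perturb(encoder, x, eps=8/255, alpha=2/255, steps=10):
    """Craft a label-free adversarial example by maximising the feature-space
    distortion between the perturbed and the clean input."""
    clean_feat = encoder(x).detach()
    delta = torch.zeros_like(x, requires_grad=True)
    for _ in range(steps):
        loss = F.mse_loss(encoder(x + delta), clean_feat)
        loss.backward()
        with torch.no_grad():
            delta += alpha * delta.grad.sign()  # ascend the distortion
            delta.clamp_(-eps, eps)             # stay inside the L-inf ball
        delta.grad.zero_()
    return (x + delta).detach()
```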
This list is automatically generated from the titles and abstracts of the papers on this site.