PFAttack: Stealthy Attack Bypassing Group Fairness in Federated Learning

• URL: http://arxiv.org/abs/2410.06509v1
• Date: Wed, 9 Oct 2024 03:23:07 GMT
• Title: PFAttack: Stealthy Attack Bypassing Group Fairness in Federated Learning
• Authors: Jiashi Gao, Ziwei Wang, Xiangyu Zhao, Xin Yao, Xuetao Wei,
• Abstract summary: Federated learning (FL) allows clients to collaboratively train a global model that makes unbiased decisions for different populations. Previous studies have demonstrated that FL systems are vulnerable to model poisoning attacks. We propose Profit-driven Fairness Attack (PFATTACK) which aims not to degrade global model accuracy but to bypass fairness mechanisms.
• Score: 24.746843739848003
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Federated learning (FL), integrating group fairness mechanisms, allows multiple clients to collaboratively train a global model that makes unbiased decisions for different populations grouped by sensitive attributes (e.g., gender and race). Due to its distributed nature, previous studies have demonstrated that FL systems are vulnerable to model poisoning attacks. However, these studies primarily focus on perturbing accuracy, leaving a critical question unexplored: Can an attacker bypass the group fairness mechanisms in FL and manipulate the global model to be biased? The motivations for such an attack vary; an attacker might seek higher accuracy, yet fairness considerations typically limit the accuracy of the global model or aim to cause ethical disruption. To address this question, we design a novel form of attack in FL, termed Profit-driven Fairness Attack (PFATTACK), which aims not to degrade global model accuracy but to bypass fairness mechanisms. Our fundamental insight is that group fairness seeks to weaken the dependence of outputs on input attributes related to sensitive information. In the proposed PFATTACK, an attacker can recover this dependence through local fine-tuning across various sensitive groups, thereby creating a biased yet accuracy-preserving malicious model and injecting it into FL through model replacement. Compared to attacks targeting accuracy, PFATTACK is more stealthy. The malicious model in PFATTACK exhibits subtle parameter variations relative to the original global model, making it robust against detection and filtering by Byzantine-resilient aggregations. Extensive experiments on benchmark datasets are conducted for four fair FL frameworks and three Byzantine-resilient aggregations against model poisoning, demonstrating the effectiveness and stealth of PFATTACK in bypassing group fairness mechanisms in FL.

Related papers

• EAB-FL: Exacerbating Algorithmic Bias through Model Poisoning Attacks in Federated Learning [3.699715556687871]
  Federated Learning (FL) is a technique that allows multiple parties to train a shared model collaboratively without disclosing their private data. FL models can suffer from biases against certain demographic groups due to the heterogeneity of data and party selection. We propose a new type of model poisoning attack, EAB-FL, with a focus on exacerbating group unfairness while maintaining a good level of model utility.
  arXiv  Detail & Related papers  (2024-10-02T21:22:48Z)
• Mitigating Malicious Attacks in Federated Learning via Confidence-aware Defense [3.685395311534351]
  Federated Learning (FL) is a distributed machine learning diagram that enables multiple clients to collaboratively train a global model without sharing their private local data. FL systems are vulnerable to attacks that are happening in malicious clients through data poisoning and model poisoning. Existing defense methods typically focus on mitigating specific types of poisoning and are often ineffective against unseen types of attack.
  arXiv  Detail & Related papers  (2024-08-05T20:27:45Z)
• Towards Robust Federated Learning via Logits Calibration on Non-IID Data [49.286558007937856]
  Federated learning (FL) is a privacy-preserving distributed management framework based on collaborative model training of distributed devices in edge networks. Recent studies have shown that FL is vulnerable to adversarial examples, leading to a significant drop in its performance. In this work, we adopt the adversarial training (AT) framework to improve the robustness of FL models against adversarial example (AE) attacks.
  arXiv  Detail & Related papers  (2024-03-05T09:18:29Z)
• FreqFed: A Frequency Analysis-Based Approach for Mitigating Poisoning Attacks in Federated Learning [98.43475653490219]
  Federated learning (FL) is susceptible to poisoning attacks. FreqFed is a novel aggregation mechanism that transforms the model updates into the frequency domain. We demonstrate that FreqFed can mitigate poisoning attacks effectively with a negligible impact on the utility of the aggregated model.
  arXiv  Detail & Related papers  (2023-12-07T16:56:24Z)
• Data-Agnostic Model Poisoning against Federated Learning: A Graph Autoencoder Approach [65.2993866461477]
  This paper proposes a data-agnostic, model poisoning attack on Federated Learning (FL) The attack requires no knowledge of FL training data and achieves both effectiveness and undetectability. Experiments show that the FL accuracy drops gradually under the proposed attack and existing defense mechanisms fail to detect it.
  arXiv  Detail & Related papers  (2023-11-30T12:19:10Z)
• Client-side Gradient Inversion Against Federated Learning from Poisoning [59.74484221875662]
  Federated Learning (FL) enables distributed participants to train a global model without sharing data directly to a central server. Recent studies have revealed that FL is vulnerable to gradient inversion attack (GIA), which aims to reconstruct the original training samples. We propose Client-side poisoning Gradient Inversion (CGI), which is a novel attack method that can be launched from clients.
  arXiv  Detail & Related papers  (2023-09-14T03:48:27Z)
• Learning for Counterfactual Fairness from Observational Data [62.43249746968616]
  Fairness-aware machine learning aims to eliminate biases of learning models against certain subgroups described by certain protected (sensitive) attributes such as race, gender, and age. A prerequisite for existing methods to achieve counterfactual fairness is the prior human knowledge of the causal model for the data. In this work, we address the problem of counterfactually fair prediction from observational data without given causal models by proposing a novel framework CLAIRE.
  arXiv  Detail & Related papers  (2023-07-17T04:08:29Z)
• Denial-of-Service or Fine-Grained Control: Towards Flexible Model Poisoning Attacks on Federated Learning [20.737871279189]
  Federated learning (FL) is vulnerable to poisoning attacks, where adversaries corrupt the global aggregation results and cause denial-of-service (DoS) We propose a Flexible Model Poisoning Attack (FMPA) that can achieve versatile attack goals. Experiments show that FMPA significantly decreases the global accuracy, outperforming six state-of-the-art attacks.
  arXiv  Detail & Related papers  (2023-04-21T07:19:41Z)
• FLIP: A Provable Defense Framework for Backdoor Mitigation in Federated Learning [66.56240101249803]
  We study how hardening benign clients can affect the global model (and the malicious clients) We propose a trigger reverse engineering based defense and show that our method can achieve improvement with guarantee robustness. Our results on eight competing SOTA defense methods show the empirical superiority of our method on both single-shot and continuous FL backdoor attacks.
  arXiv  Detail & Related papers  (2022-10-23T22:24:03Z)
• FL-Defender: Combating Targeted Attacks in Federated Learning [7.152674461313707]
  Federated learning (FL) enables learning a global machine learning model from local data distributed among a set of participating workers. FL is vulnerable to targeted poisoning attacks that negatively impact the integrity of the learned model. We propose textitFL-Defender as a method to combat FL targeted attacks.
  arXiv  Detail & Related papers  (2022-07-02T16:04:46Z)
• FL-WBC: Enhancing Robustness against Model Poisoning Attacks in Federated Learning from a Client Perspective [35.10520095377653]
  Federated learning (FL) is a popular distributed learning framework that trains a global model through iterative communications between a central server and edge devices. Recent works have demonstrated that FL is vulnerable to model poisoning attacks. We propose a client-based defense, named White Blood Cell for Federated Learning (FL-WBC), which can mitigate model poisoning attacks.
  arXiv  Detail & Related papers  (2021-10-26T17:13:35Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.