Poisoning Attacks and Defenses to Federated Unlearning

• URL: http://arxiv.org/abs/2501.17396v1
• Date: Wed, 29 Jan 2025 03:23:46 GMT
• Title: Poisoning Attacks and Defenses to Federated Unlearning
• Authors: Wenbin Wang, Qiwen Ma, Zifan Zhang, Yuchen Liu, Zhuqing Liu, Minghong Fang,
• Abstract summary: Federated unlearning is susceptible to poisoning attacks by malicious clients. We propose BadUnlearn, the first poisoning attack targeting federated unlearning. We show that BadUnlearn can effectively corrupt existing federated unlearning methods, while UnlearnGuard remains secure against poisoning attacks.
• Score: 9.518552973479684
• License:
• Abstract: Federated learning allows multiple clients to collaboratively train a global model with the assistance of a server. However, its distributed nature makes it susceptible to poisoning attacks, where malicious clients can compromise the global model by sending harmful local model updates to the server. To unlearn an accurate global model from a poisoned one after identifying malicious clients, federated unlearning has been introduced. Yet, current research on federated unlearning has primarily concentrated on its effectiveness and efficiency, overlooking the security challenges it presents. In this work, we bridge the gap via proposing BadUnlearn, the first poisoning attacks targeting federated unlearning. In BadUnlearn, malicious clients send specifically designed local model updates to the server during the unlearning process, aiming to ensure that the resulting unlearned model remains poisoned. To mitigate these threats, we propose UnlearnGuard, a robust federated unlearning framework that is provably robust against both existing poisoning attacks and our BadUnlearn. The core concept of UnlearnGuard is for the server to estimate the clients' local model updates during the unlearning process and employ a filtering strategy to verify the accuracy of these estimations. Theoretically, we prove that the model unlearned through UnlearnGuard closely resembles one obtained by train-from-scratch. Empirically, we show that BadUnlearn can effectively corrupt existing federated unlearning methods, while UnlearnGuard remains secure against poisoning attacks.

Related papers

• Robust Federated Learning Mitigates Client-side Training Data Distribution Inference Attacks [48.70867241987739]
  InferGuard is a novel Byzantine-robust aggregation rule aimed at defending against client-side training data distribution inference attacks. The results of our experiments indicate that our defense mechanism is highly effective in protecting against client-side training data distribution inference attacks.
  arXiv  Detail & Related papers  (2024-03-05T17:41:35Z)
• FLGuard: Byzantine-Robust Federated Learning via Ensemble of Contrastive Models [2.7539214125526534]
  Federated Learning (FL) thrives in training a global model with numerous clients. Recent research proposed poisoning attacks that cause a catastrophic loss in the accuracy of the global model. We propose FLGuard, a novel byzantine-robust FL method that detects malicious clients and discards malicious local updates.
  arXiv  Detail & Related papers  (2024-03-05T10:36:27Z)
• FreqFed: A Frequency Analysis-Based Approach for Mitigating Poisoning Attacks in Federated Learning [98.43475653490219]
  Federated learning (FL) is susceptible to poisoning attacks. FreqFed is a novel aggregation mechanism that transforms the model updates into the frequency domain. We demonstrate that FreqFed can mitigate poisoning attacks effectively with a negligible impact on the utility of the aggregated model.
  arXiv  Detail & Related papers  (2023-12-07T16:56:24Z)
• FedDefender: Client-Side Attack-Tolerant Federated Learning [60.576073964874]
  Federated learning enables learning from decentralized data sources without compromising privacy. It is vulnerable to model poisoning attacks, where malicious clients interfere with the training process. We propose a new defense mechanism that focuses on the client-side, called FedDefender, to help benign clients train robust local models.
  arXiv  Detail & Related papers  (2023-07-18T08:00:41Z)
• CrowdGuard: Federated Backdoor Detection in Federated Learning [39.58317527488534]
  This paper presents a novel defense mechanism, CrowdGuard, that effectively mitigates backdoor attacks in Federated Learning. CrowdGuard employs a server-located stacked clustering scheme to enhance its resilience to rogue client feedback. The evaluation results demonstrate that CrowdGuard achieves a 100% True-Positive-Rate and True-Negative-Rate across various scenarios.
  arXiv  Detail & Related papers  (2022-10-14T11:27:49Z)
• FLCert: Provably Secure Federated Learning against Poisoning Attacks [67.8846134295194]
  We propose FLCert, an ensemble federated learning framework that is provably secure against poisoning attacks. Our experiments show that the label predicted by our FLCert for a test input is provably unaffected by a bounded number of malicious clients.
  arXiv  Detail & Related papers  (2022-10-02T17:50:04Z)
• MPAF: Model Poisoning Attacks to Federated Learning based on Fake Clients [51.973224448076614]
  We propose the first Model Poisoning Attack based on Fake clients called MPAF. MPAF can significantly decrease the test accuracy of the global model, even if classical defenses and norm clipping are adopted.
  arXiv  Detail & Related papers  (2022-03-16T14:59:40Z)
• TESSERACT: Gradient Flip Score to Secure Federated Learning Against Model Poisoning Attacks [25.549815759093068]
  Federated learning is vulnerable to model poisoning attacks. This is because malicious clients can collude to make the global model inaccurate. We develop TESSERACT, a defense against this directed deviation attack.
  arXiv  Detail & Related papers  (2021-10-19T17:03:29Z)
• CRFL: Certifiably Robust Federated Learning against Backdoor Attacks [59.61565692464579]
  This paper provides the first general framework, Certifiably Robust Federated Learning (CRFL), to train certifiably robust FL models against backdoors. Our method exploits clipping and smoothing on model parameters to control the global model smoothness, which yields a sample-wise robustness certification on backdoors with limited magnitude.
  arXiv  Detail & Related papers  (2021-06-15T16:50:54Z)
• Learning to Detect Malicious Clients for Robust Federated Learning [20.5238037608738]
  Federated learning systems are vulnerable to attacks from malicious clients. We propose a new framework for robust federated learning where the central server learns to detect and remove the malicious model updates.
  arXiv  Detail & Related papers  (2020-02-01T14:09:48Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.