FedRMA: A Robust Federated Learning Resistant to Multiple Poisoning Attacks

Hongyong Xiao¹, Xutong Mu¹, and Ke Cheng¹,*

Corresponding Author:

Ke Cheng

Affiliation(s):

¹ School of Computer Science and Technology, Xidian University, Xi’an, 710071, China

*Corresponding author

Abstract:

Federated learning allows clients to collaboratively train models without disclosing local data, yet it faces the threat of poisoning attacks from malicious clients. Existing research has proposed various robust federated learning schemes, but these often consider only a single type of poisoning attack and are inadequate for scenarios where multiple poisoning attacks occur simultaneously. To address this problem, this paper proposes FedRMA, a robust federated learning scheme resistant to multiple poisoning attacks. FedRMA eliminates the need for unrealistic prior knowledge and defends against multiple poisoning attacks by identifying and removing malicious clients. FedRMA adopts the Affinity Propagation clustering algorithm to adaptively partition clients, thereby enhancing its ability to handle multiple poisoning attacks. To mitigate the impact of uncertainty in client data distribution on model selection, FedRMA uses the L-BFGS algorithm to predict the expected global model and uses it to identify malicious clients. We evaluate the performance of FedRMA on the MNIST and CIFAR-10 datasets and compare it with two existing baselines. The experimental results show that FedRMA successfully eliminates the negative impact of multiple poisoning attacks by accurately identifying malicious clients and outperforms the baseline schemes.

Keywords:

Federated learning, poisoning attacks, adaptive clustering, robust aggregation, artificial intelligence security

Cite This Paper:

Hongyong Xiao, Xutong Mu, and Ke Cheng (2024). FedRMA: A Robust Federated Learning Resistant to Multiple Poisoning Attacks. Journal of Networking and Network Applications, Volume 4, Issue 1, pp. 31–38. https://doi.org/10.33969/J-NaNA.2024.040104.
