Abstract
Federated learning provides a way to achieve joint model training while keeping the data of every party stored locally, and it protects the data privacy of all participants in cooperative training. However, there are availability and integrity threats in federated learning, as malicious parties may pretend to be benign ones to interfere with the global model. In this paper, we consider a federated learning scenario with one center server and multiple clients, where malicious clients launch poisoning attacks. We explore the statistical relationship of Euclidean distance among models, including benign versus benign models and malicious versus benign models. Then, we design a defense method based on our findings and inspired by evolutionary clustering. The center server uses this defense scheme to screen possible malicious clients and mitigate their attacks. Our mitigation scheme refers to the detection results of both the current and previous rounds. Moreover, we improve our scheme to apply it to a privacy threat scenario. Finally, we demonstrate the effectiveness of our scheme through experiments in several different scenarios.
Similar content being viewed by others
Notes
This paper is a supplementary version of a previous paper that was selected for fast-track publication by Cyber Security in Networking (CSNET).
References
McMahan B, Moore E, Ramage D, Hampson S, Arcas BA (2017) Communication-efficient learning of deep networks from decentralized data. In: Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, Fort Lauderdale, USA. Proceedings of Machine Learning Research, vol 54, pp 1273–1282
Blanchard P, Mhamdi EME, Guerraoui R, Stainer JJ (2017) Machine learning with adversaries: Byzantine tolerant gradient descent. In: Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, December 4-9, Long Beach, CA, USA, pp 119–129
Yin D, Chen Y, Ramchandran K, Bartlett P (2018) Byzantine-robust distributed learning: Towards optimal statistical rates
El Mhamdi EM, Guerraoui R, Rouault S (2018) The hidden vulnerability of distributed learning in byzantium
Jagielski M, Oprea A, Biggio B, Liu C, Nita-Rotaru C, Li B (2018) Manipulating machine learning: Poisoning attacks and countermeasures for regression learning, pp. 19–35 https://doi.org/10.1109/SP.2018.00057
Biggio B, Nelson B, Laskov P (2012) Poisoning attacks against support vector machines
Chen X, Liu C, Li B, Lu K, Song D (2017) Targeted backdoor attacks on deep learning systems using data poisoning
Nasr M, Shokri R, Houmansadr A (2018) Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning
Shokri R, Stronati M, Song C, Shmatikov V (2017) Membership inference attacks against machine learning models. In: 2017 IEEE Symposium on Security and Privacy (SP)
Melis L, Song C, De Cristofaro E, Shmatikov V (2019) Exploiting unintended feature leakage in collaborative learning, pp 691–706. https://doi.org/10.1109/SP.2019.00029
Zhu L, Han S (2020) Deep Leakage from Gradients, pp 17–31 https://doi.org/10.1007/978-3-030-63076-8_2
Shi Z, Ding X, Li F, Chen Y, Li C (2021) Mitigation of poisoning attack in federated learning by using historical distance detection. In: 2021 5th Cyber Security in Networking Conference (CSNet), pp 10–17. https://doi.org/10.1109/CSNet52717.2021.9614278
Kairouz P, McMahan H (2021) Advances and open problems in federated learning. Foundations and Trends in Machine Learning 14. https://doi.org/10.1561/2200000083
Bagdasaryan E, Veit A, Hua Y, Estrin D, Shmatikov V (2020) How to backdoor federated learning. In: Chiappa S, Calandra R (eds) The 23rd International Conference on Artificial Intelligence and Statistics, AISTATS 2020, 26–28 August 2020, Online [Palermo, Sicily, Italy]. Proceedings of Machine Learning Research, vol. 108, pp 2938–2948
Zhang J, Chen J, Wu D, Chen B, Yu S (2019) Poisoning attack in federated learning using generative adversarial nets, pp 374–380. https://doi.org/10.1109/TrustCom/BigDataSE.2019.00057
Xie C, Koyejo O, Gupta I 2019 Fall of empires: Breaking byzantine-tolerant SGD by inner product manipulation. In: Proceedings of the Thirty-Fifth Conference on Uncertainty in Artificial Intelligence, UAI 2019, Tel Aviv, Israel, July 22-25. Proceedings of Machine Learning Research, vol 115, pp 261–270
Sun Z, Kairouz P, Suresh AT, McMahan HB (2019) Can you really backdoor federated learning? CoRR abs/1911.07963
Bhagoji AN, Chakraborty S, Mittal P, Calo SB (2019) Analyzing federated learning through an adversarial lens. In: Proceedings of the 36th International Conference on Machine Learning, ICML 2019, 9–15 June 2019, Long Beach, California, USA. Proceedings of Machine Learning Research, vol. 97, pp 634–643
Fung C, Yoon CJM, Beschastnikh I (2018) Mitigating sybils in federated learning poisoning. CoRR abs/1808.04866
Shen S, Tople S, Saxena P (2016) A uror: defending against poisoning attacks in collaborative deep learning systems, pp 508–519. https://doi.org/10.1145/2991079.2991125
Wu Z, Ling Q, Chen T, Giannakis G (2020) Federated variance-reduced stochastic gradient descent with robustness to byzantine attacks. IEEE Trans Signal Process 68:1–1. https://doi.org/10.1109/TSP.2020.3012952
Cao D, Chang S, Lin Z, Liu G, Sun D (2019) Understanding distributed poisoning attack in federated learning, pp 233–239. https://doi.org/10.1109/ICPADS47876.2019.00042
Zhao Y, Chen J, Zhang J, Wu D, Blumenstein M, Yu S (2020) Detecting and mitigating poisoning attacks in federated learning using generative adversarial networks. Practice and Experience, Concurrency and Computation. https://doi.org/10.1002/cpe.5906
Manna A, Kasyap H, Tripathy S (2021) Moat: Model agnostic defense against targeted poisoning attacks in federated learning. In: Gao D, Li Q, Guan X, Liao X (eds) Information and Communications Security. Springer, pp 38–55
Chen L-Y, Chiu T-C, Pang A-C, Cheng L-C (2021) Fedequal: Defending model poisoning attacks in heterogeneous federated learning. In: 2021 IEEE Global Communications Conference (GLOBECOM), pp 1–6. https://doi.org/10.1109/GLOBECOM46510.2021.9685082
You X, Liu Z, Yang X, Ding X (2022) Poisoning attack detection using client historical similarity in non-iid environments. In: 2022 12th international conference on cloud computing, data science & engineering (confluence), pp 439–447 https://doi.org/10.1109/Confluence52989.2022.9734158
Liu W, Lin H, Wang X, Hu J, Kaddoum G, Piran MJ, Alamri A (2021) D2mif: A malicious model detection mechanism for federated learning empowered artificial intelligence of things. IEEE Internet of Things Journal 1–1. https://doi.org/10.1109/JIOT.2021.3081606
Chakrabarti D, Kumar R (2006) Tomkins A. Evolutionary clustering 2006:554–560. https://doi.org/10.1007/978-0-387-30164-8_271
Zhao L, Hu S, Wang Q, Jiang J, Shen C, Luo X, Hu P (2021) Shielding collaborative learning: Mitigating poisoning attacks through client-side detection. IEEE Trans Dependable Secure Comput 18(5):2029–2041. https://doi.org/10.1109/TDSC.2020.2986205
Liu X, Li H, Xu G, Chen Z, Huang X, Lu R (2021) Privacy-enhanced federated learning against poisoning adversaries. IEEE Trans Inf Forensics Secur 16:4574–4588. https://doi.org/10.1109/TIFS.2021.3108434
Fang M, Cao X, Jia J, Gong NZ 2020 Local model poisoning attacks to byzantine-robust federated learning. In: 29th USENIX Security Symposium, USENIX Security 2020, pp 1605–1622
Funding
This work is supported by Fundamental Research Funds for the Central Universities (UESTC) (Grant No. ZYGX2020ZB025) and Sichuan Science and Technology Program, China (Grant No. 2021YFG0157).
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors declare no competing interests.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Shi, Z., Ding, X., Li, F. et al. Mitigation of a poisoning attack in federated learning by using historical distance detection. Ann. Telecommun. 78, 135–147 (2023). https://doi.org/10.1007/s12243-022-00929-4
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12243-022-00929-4