FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping (2012.13995v3)

Published 27 Dec 2020 in cs.CR, cs.AI, and cs.DC

Abstract: Byzantine-robust federated learning aims to enable a service provider to learn an accurate global model when a bounded number of clients are malicious. The key idea of existing Byzantine-robust federated learning methods is that the service provider performs statistical analysis among the clients' local model updates and removes suspicious ones, before aggregating them to update the global model. However, malicious clients can still corrupt the global models in these methods via sending carefully crafted local model updates to the service provider. The fundamental reason is that there is no root of trust in existing federated learning methods. In this work, we bridge the gap via proposing FLTrust, a new federated learning method in which the service provider itself bootstraps trust. In particular, the service provider itself collects a clean small training dataset (called root dataset) for the learning task and the service provider maintains a model (called server model) based on it to bootstrap trust. In each iteration, the service provider first assigns a trust score to each local model update from the clients, where a local model update has a lower trust score if its direction deviates more from the direction of the server model update. Then, the service provider normalizes the magnitudes of the local model updates such that they lie in the same hyper-sphere as the server model update in the vector space. Our normalization limits the impact of malicious local model updates with large magnitudes. Finally, the service provider computes the average of the normalized local model updates weighted by their trust scores as a global model update, which is used to update the global model. Our extensive evaluations on six datasets from different domains show that our FLTrust is secure against both existing attacks and strong adaptive attacks.

Authors (4)
  1. Xiaoyu Cao (32 papers)
  2. Minghong Fang (34 papers)
  3. Jia Liu (369 papers)
  4. Neil Zhenqiang Gong (117 papers)
Citations (510)

Summary

An Expert Overview of "FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping"

This paper presents "FLTrust," a federated learning (FL) method designed to enhance Byzantine robustness against malicious clients. The research focuses on addressing vulnerabilities in existing FL methods, which often fail when faced with carefully crafted adversarial attacks. The approach centers on a "root of trust" mechanism facilitated by a small, service provider-controlled, clean dataset called the "root dataset."

Key Contributions

The primary contribution of FLTrust is providing robustness in FL by leveraging a server-managed root dataset. This dataset serves as a baseline for trust, permitting the server to assign trust scores to client model updates based on their alignment with the server's own model update. The paper outlines the following key mechanisms of FLTrust:

  1. Trust Scores: FLTrust assigns trust scores to each client's model update using the ReLU-clipped cosine similarity between a client's update direction and the server's model update direction. This approach ensures that only positively aligned updates influence the global model.
  2. Normalization of Updates: The method normalizes the magnitude of client updates to match the server update, preventing attackers from dominating the global model update via large-magnitude malicious updates.
  3. Aggregation: The system computes a global model update as a weighted average of normalized client updates, using the trust scores as weights. This enables more accurate global model updates even amid high proportions of malicious clients.
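
The three mechanisms above, combined into one aggregation round. This is an added example, not code from the paper or its authors; the function names, the 2-dimensional sample updates, and the choice to apply no update when every trust score is zero are assumptions made here.

```python
import math

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def trust_score(client, server):
    """ReLU-clipped cosine similarity of a client update to the server update."""
    nc, ns = norm(client), norm(server)
    if nc == 0.0 or ns == 0.0:
        return 0.0  # assumption: a zero update has no direction, so no trust
    cos = sum(c * s for c, s in zip(client, server)) / (nc * ns)
    return max(0.0, cos)  # negative alignment is clipped to zero

def normalize_to_server(client, server):
    """Rescale a client update to the magnitude of the server update."""
    nc = norm(client)
    if nc == 0.0:
        return [0.0] * len(client)
    return [x * norm(server) / nc for x in client]

def fltrust_aggregate(client_updates, server_update):
    """Return (global_update, trust_scores) for one round."""
    scores = [trust_score(g, server_update) for g in client_updates]
    total = sum(scores)
    agg = [0.0] * len(server_update)
    if total == 0.0:
        return agg, scores  # assumption: no trusted client means no update this round
    for ts, g in zip(scores, client_updates):
        for k, x in enumerate(normalize_to_server(g, server_update)):
            agg[k] += ts * x / total
    return agg, scores

def plain_mean(updates):
    """Unweighted average, for comparison."""
    return [sum(col) / len(updates) for col in zip(*updates)]

# Constructed sample data: 2-dimensional updates, not taken from the paper.
SERVER = [1.0, 0.0]
CLIENTS = [
    [0.9, 0.1], [1.1, -0.1], [0.8, 0.2],  # benign, close to the server direction
    [-100.0, 0.0],                         # reversed direction, huge magnitude
    [50.0, 50.0],                          # partly aligned, huge magnitude
]

if __name__ == "__main__":
    update, scores = fltrust_aggregate(CLIENTS, SERVER)
    print("trust scores:", [round(s, 3) for s in scores])
    print("FLTrust update:", [round(x, 3) for x in update])
    print("plain mean:", [round(x, 3) for x in plain_mean(CLIENTS)])
```

On this sample the reversed update receives a trust score of zero and the oversized but partly aligned update is rescaled to the server update's magnitude, so the aggregate stays close to the server direction while the plain mean is dragged the opposite way.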

Numerical Results and Robustness Evaluation

The paper provides extensive empirical verification across six diverse datasets, using various network architectures suited to each dataset. Notably, the method shows resilience against a range of attacks, including adaptive attacks optimized specifically against FLTrust.

  1. Performance Against Attacks: FLTrust maintains low testing error rates under a wide variety of attack conditions. For instance, with up to 40%-60% of clients being malicious, models trained with FLTrust achieve error rates similar to those of models trained with FedAvg when there is no attack.
  2. Impact of Root Dataset: The method is effective with a relatively minimal root dataset—fewer than 100 examples sufficed for robust model performance. The experiments confirm the importance of the distribution match between the root dataset and the overall task dataset for optimal protection.

Implications and Future Directions

The introduction of a server-side root of trust has notable implications. It presents a viable pathway toward deploying FL in settings where client manipulations are a concern. Theoretically, the approach bridges crucial gaps in existing Byzantine-robust FL techniques by introducing quantitative measures of trust and controlled contributions from clients.

The research stimulates potential future explorations in several directions:

  1. Exploration of Hierarchical Trust Models: Exploring hierarchical or multi-tier trust mechanisms may further enhance robustness, distributing the trust decision-making process.
  2. Adaptive Attack Resilience: While FLTrust shows strength against the designed adaptive attacks, there remains room for analyzing unknown, potentially stronger strategies under adaptive adversarial conditions.
  3. Broader Applications: Extending the ideas of FLTrust to other applications, such as privacy-preserving data analytics or machine learning tasks beyond classification, could substantially impact numerous domains.

In summary, FLTrust offers a methodologically sound approach to improving the robustness of FL systems under adversarial conditions by leveraging controlled trust bootstrapping, and it marks a milestone in Byzantine-robust federated learning research.