Invariant Aggregator for Defending against Federated Backdoor Attacks (2210.01834v4)
Abstract: Federated learning enables training high-utility models across several clients without directly sharing their private data. As a downside, the federated setting makes the model vulnerable to various adversarial attacks in the presence of malicious clients. Despite theoretical and empirical success in defending against attacks that aim to degrade model utility, defending against backdoor attacks, which raise the model's accuracy on backdoor samples alone without hurting its utility on other samples, remains challenging. To this end, we first analyze the failure modes of existing defenses over a flat loss landscape, which is common for well-designed neural networks such as ResNet (He et al., 2016) but is often overlooked by previous works. Then, we propose an invariant aggregator that redirects the aggregated update toward invariant directions that are generally useful, by selectively masking out the update elements that favor only a few, possibly malicious, clients. Theoretical results suggest that our approach provably mitigates backdoor attacks and remains effective over flat loss landscapes. Empirical results on three datasets with different modalities and varying numbers of clients further demonstrate that our approach mitigates a broad class of backdoor attacks at a negligible cost in model utility.
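As an added illustration (not code from the paper, which defines its own aggregator and masking rule), the following Python sketch concretizes the idea stated in the abstract: aggregate client updates coordinate by coordinate, and zero out any coordinate on which fewer than a threshold fraction of clients agree in sign, so that a direction pushed by only a few clients cannot reach the global model. The sign-agreement rule, the threshold TAU, and the client updates are assumptions constructed for this demonstration.

```python
"""Coordinate-wise masked aggregation (illustrative; not the paper's algorithm).

Each client sends an update vector. A coordinate survives aggregation only if
at least a fraction TAU of clients agree on its sign; otherwise it is zeroed.
This mimics the abstract's idea of masking update elements that favor only a
few (possibly malicious) clients.
"""
from typing import Dict, List, Sequence

Update = Sequence[float]


def sign_agreement(updates: Sequence[Update], j: int) -> float:
    """Fraction of clients whose update carries the majority sign on coordinate j.

    A zero counts as agreeing with nobody, so a coordinate that most clients leave
    untouched (a flat direction) has low agreement even if a few clients push it.
    """
    pos = sum(1 for u in updates if u[j] > 0)
    neg = sum(1 for u in updates if u[j] < 0)
    return max(pos, neg) / len(updates)


def invariance_mask(updates: Sequence[Update], tau: float) -> List[int]:
    """1 for coordinates with sign agreement >= tau, 0 for the rest."""
    d = len(updates[0])
    return [1 if sign_agreement(updates, j) >= tau else 0 for j in range(d)]


def mean_aggregate(updates: Sequence[Update]) -> List[float]:
    """Plain FedAvg-style coordinate-wise mean (no defense)."""
    n = len(updates)
    d = len(updates[0])
    return [sum(u[j] for u in updates) / n for j in range(d)]


def masked_aggregate(updates: Sequence[Update], tau: float) -> List[float]:
    """Mean update with low-agreement coordinates zeroed out."""
    mask = invariance_mask(updates, tau)
    return [m * a for m, a in zip(mask, mean_aggregate(updates))]


# Constructed example (assumed data): 10 clients, the last two malicious,
# 3 model coordinates.
#   coord 0: a direction every client supports, attackers included.
#   coord 1: a flat direction; benign updates are tiny sign-mixed noise, and the
#            attackers push hard here to implant the backdoor.
#   coord 2: a direction 9 of 10 clients support; one benign client leaves it at 0.
BENIGN = [
    [-0.2,  0.01, 0.3],
    [-0.2, -0.01, 0.3],
    [-0.2,  0.01, 0.3],
    [-0.2, -0.01, 0.3],
    [-0.2,  0.01, 0.3],
    [-0.2, -0.01, 0.3],
    [-0.2,  0.01, 0.3],
    [-0.2, -0.01, 0.0],
]
MALICIOUS = [
    [-0.2, 4.0, 0.3],
    [-0.2, 4.0, 0.3],
]
TAU = 0.8  # assumed agreement threshold


def demo() -> Dict[str, list]:
    """Run both aggregators on the constructed updates and return the results."""
    updates = BENIGN + MALICIOUS
    return {
        "mean": mean_aggregate(updates),            # backdoor coordinate leaks (0.8)
        "masked": masked_aggregate(updates, TAU),   # backdoor coordinate zeroed
        "mask": invariance_mask(updates, TAU),      # [1, 0, 1]
    }


if __name__ == "__main__":
    for name, vec in demo().items():
        print(f"{name:>7}: {[round(x, 3) for x in vec]}")
```

The mask only decides which coordinates survive, not their magnitude: an attacker who matches the majority sign on a kept coordinate can still inflate it, so in practice a sign-agreement mask is paired with a magnitude-robust rule (for example a trimmed mean or coordinate-wise clipping) rather than used alone. The threshold also bounds the attacker fraction the mask can tolerate: once malicious clients alone exceed the threshold they can force any coordinate through.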
- Deep residual learning for image recognition. In 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 770–778, 2016.
- Trojaning attack on neural networks. In NDSS, 2018.
- How to backdoor federated learning. In Silvia Chiappa and Roberto Calandra, editors, Proceedings of the Twenty Third International Conference on Artificial Intelligence and Statistics, volume 108 of Proceedings of Machine Learning Research, pages 2938–2948. PMLR, 26–28 Aug 2020. URL https://proceedings.mlr.press/v108/bagdasaryan20a.html.
- Back to the drawing board: A critical evaluation of poisoning attacks on production federated learning. In 2022 IEEE Symposium on Security and Privacy (SP), pages 1354–1371, 2022. doi: 10.1109/SP46214.2022.9833647.
- Attack of the tails: Yes, you really can backdoor federated learning. In H. Larochelle, M. Ranzato, R. Hadsell, M.F. Balcan, and H. Lin, editors, Advances in Neural Information Processing Systems, volume 33, pages 16070–16084. Curran Associates, Inc., 2020. URL https://proceedings.neurips.cc/paper/2020/file/b8ffa41d4e492f0fad2f13e29e1762eb-Paper.pdf.
- Visualizing the loss landscape of neural nets. In Neural Information Processing Systems, 2017.
- The global landscape of neural networks: An overview. IEEE Signal Processing Magazine, 37:95–108, 2020.
- How does batch normalization help optimization? Advances in neural information processing systems, 31, 2018.
- Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. 2019 IEEE Symposium on Security and Privacy (SP), pages 707–723, 2019.
- FLIP: A provable defense framework for backdoor mitigation in federated learning. In The Eleventh International Conference on Learning Representations, 2023. URL https://openreview.net/forum?id=Xo2E217_M4n.
- Learning explanations that are hard to vary. In International Conference on Learning Representations, 2021. URL https://openreview.net/forum?id=hb1sDDSLbV.
- SLSGD: Secure and efficient distributed on-device machine learning. In Machine Learning and Knowledge Discovery in Databases, pages 213–228, Cham, 2020. Springer International Publishing. ISBN 978-3-030-46147-8.
- Robust multivariate mean estimation: The optimality of trimmed mean. The Annals of Statistics, 49(1):393 – 410, 2021. doi: 10.1214/20-AOS1961. URL https://doi.org/10.1214/20-AOS1961.
- Alex Krizhevsky. Learning multiple layers of features from tiny images. 2009.
- Communication-Efficient Learning of Deep Networks from Decentralized Data. In Aarti Singh and Jerry Zhu, editors, Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, volume 54 of Proceedings of Machine Learning Research, pages 1273–1282. PMLR, 20–22 Apr 2017. URL https://proceedings.mlr.press/v54/mcmahan17a.html.
- LEAF: A benchmark for federated settings. arXiv:1812.01097, 2018.
- Backdoor attacks against deep learning systems in the physical world. 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 6202–6211, 2021.
- Invisible backdoor attack with sample-specific triggers. 2021 IEEE/CVF International Conference on Computer Vision (ICCV), pages 16443–16452, 2021.
- Spectral signatures in backdoor attacks. In S. Bengio, H. Wallach, H. Larochelle, K. Grauman, N. Cesa-Bianchi, and R. Garnett, editors, Advances in Neural Information Processing Systems, volume 31. Curran Associates, Inc., 2018. URL https://proceedings.neurips.cc/paper/2018/file/280cf18baf4311c92aa5a042336587d3-Paper.pdf.
- Anti-backdoor learning: Training clean models on poisoned data. In Advances in Neural Information Processing Systems, 2021.
- Can you really backdoor federated learning? arXiv:1911.07963, 2019.
- FLAME: Taming backdoors in federated learning. 2021.
- Adversarial neuron pruning purifies backdoored deep models. In A. Beygelzimer, Y. Dauphin, P. Liang, and J. Wortman Vaughan, editors, Advances in Neural Information Processing Systems, 2021. URL https://openreview.net/forum?id=4cEapqXfP30.
- Machine learning with adversaries: Byzantine tolerant gradient descent. In NIPS, 2017.
- signSGD: Compressed optimisation for non-convex problems. In Jennifer Dy and Andreas Krause, editors, Proceedings of the 35th International Conference on Machine Learning, volume 80 of Proceedings of Machine Learning Research, pages 560–569. PMLR, 10–15 Jul 2018. URL https://proceedings.mlr.press/v80/bernstein18a.html.
- signSGD with majority vote is communication efficient and fault tolerant. In ICLR, 2019.
- A field guide to federated optimization. arXiv:2107.06917, 2021.
- On the noisy gradient descent that generalizes as SGD. In International Conference on Machine Learning, 2019.
- On large-batch training for deep learning: Generalization gap and sharp minima. In International Conference on Learning Representations, 2017. URL https://openreview.net/forum?id=H1oyRlYgg.
- Loss landscapes are all you need: Neural network generalization can be explained without the implicit bias of gradient descent. In The Eleventh International Conference on Learning Representations, 2023. URL https://openreview.net/forum?id=QC10RmRbZy9.
- Notes on the symmetries of 2-layer ReLU networks. In NLDL, 2020.
- Relative flatness and generalization. In Neural Information Processing Systems, 2020.
- FLTrust: Byzantine-robust federated learning via trust bootstrapping. arXiv:2012.13995, 2020.
- Zeno: Distributed stochastic gradient descent with suspicion-based fault-tolerance. In Kamalika Chaudhuri and Ruslan Salakhutdinov, editors, Proceedings of the 36th International Conference on Machine Learning, volume 97 of Proceedings of Machine Learning Research, pages 6893–6901. PMLR, 09–15 Jun 2019. URL https://proceedings.mlr.press/v97/xie19b.html.
- Robust aggregation for federated learning. IEEE Transactions on Signal Processing, 70:1142–1154, 2022. doi: 10.1109/TSP.2022.3153135.
- Accelerating stochastic gradient descent using predictive variance reduction. In C.J. Burges, L. Bottou, M. Welling, Z. Ghahramani, and K.Q. Weinberger, editors, Advances in Neural Information Processing Systems, volume 26. Curran Associates, Inc., 2013. URL https://proceedings.neurips.cc/paper_files/paper/2013/file/ac1dd209cbcc5e5d1c6e28598e8cbbe8-Paper.pdf.
- Defending against backdoors in federated learning with robust learning rate. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 35, pages 9268–9276, 2021.
- SparseFed: Mitigating model poisoning attacks in federated learning with sparsification. In Gustau Camps-Valls, Francisco J. R. Ruiz, and Isabel Valera, editors, Proceedings of The 25th International Conference on Artificial Intelligence and Statistics, volume 151 of Proceedings of Machine Learning Research, pages 7587–7624. PMLR, 28–30 Mar 2022. URL https://proceedings.mlr.press/v151/panda22a.html.
- DBA: Distributed backdoor attacks against federated learning. In International Conference on Learning Representations, 2020. URL https://openreview.net/forum?id=rkgyS0VFvr.
- Advances and open problems in federated learning. arXiv:1912.04977, 2021.
- Can shape structure features improve model robustness under diverse adversarial settings? 2021 IEEE/CVF International Conference on Computer Vision (ICCV), pages 7506–7515, 2021.
- Sharpness-aware minimization for efficiently improving generalization. In International Conference on Learning Representations, 2021. URL https://openreview.net/forum?id=6Tm1mposlrM.
- Learning models with uniform performance via distributionally robust optimization. The Annals of Statistics, 49(3):1378 – 1406, 2021. doi: 10.1214/20-AOS2004. URL https://doi.org/10.1214/20-AOS2004.
- Distributionally robust neural networks. In International Conference on Learning Representations, 2020. URL https://openreview.net/forum?id=ryxGuJrFvS.
- GloVe: Global vectors for word representation. In Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP), pages 1532–1543, Doha, Qatar, October 2014. Association for Computational Linguistics. doi: 10.3115/v1/D14-1162. URL https://aclanthology.org/D14-1162.
- A survey of trust and reputation systems for online service provision. Decis. Support Syst., 43:618–644, 2007.
- SGD converges to global minimum in deep learning via star-convex path. In International Conference on Learning Representations, 2019. URL https://openreview.net/forum?id=BylIciRcYQ.
- An alternative view: When does SGD escape local minima? In Jennifer Dy and Andreas Krause, editors, Proceedings of the 35th International Conference on Machine Learning, volume 80 of Proceedings of Machine Learning Research, pages 2698–2707. PMLR, 10–15 Jul 2018. URL https://proceedings.mlr.press/v80/kleinberg18a.html.
- Byzantine-robust learning on heterogeneous datasets via bucketing. In International Conference on Learning Representations, 2022. URL https://openreview.net/forum?id=jXKKDEi5vJt.