Backdoor Attacks in Peer-to-Peer Federated Learning (2301.09732v4)
Abstract: Most machine learning applications rely on centralized learning processes, opening up the risk of exposure of their training datasets. While federated learning (FL) mitigates these privacy risks to some extent, it relies on a trusted aggregation server for training a shared global model. Recently, new distributed learning architectures based on Peer-to-Peer Federated Learning (P2PFL) offer advantages in terms of both privacy and reliability. Still, their resilience to poisoning attacks during training has not been investigated. In this paper, we propose new backdoor attacks for P2PFL that leverage structural graph properties to select the malicious nodes and achieve high attack success while remaining stealthy. We evaluate our attacks under various realistic conditions, including multiple graph topologies, limited adversarial visibility of the network, and clients with non-IID data. Finally, we show the limitations of existing defenses adapted from FL and design a new defense that successfully mitigates the backdoor attacks without an impact on model accuracy.