Local Model Poisoning Attacks to Byzantine-Robust Federated Learning
Minghong Fang, Xiaoyu Cao, Jinyuan Jia, Neil Zhenqiang Gong

TL;DR
This paper systematically studies local model poisoning attacks in federated learning, demonstrating their effectiveness against Byzantine-robust methods and evaluating potential defenses, revealing the need for improved security strategies.
Contribution
It introduces the first systematic formulation of local model poisoning attacks in federated learning and evaluates their impact on recent Byzantine-robust methods.
Findings
Attacks significantly increase error rates of robust federated models
Existing defenses are only partially effective against these attacks
Highlights the need for developing new defenses against local model poisoning
Abstract
In federated learning, multiple client devices jointly learn a machine learning model: each client device maintains a local model for its local training dataset, while a master device maintains a global model via aggregating the local models from the client devices. The machine learning community recently proposed several federated learning methods that were claimed to be robust against Byzantine failures (e.g., system failures, adversarial manipulations) of certain client devices. In this work, we perform the first systematic study on local model poisoning attacks to federated learning. We assume an attacker has compromised some client devices, and the attacker manipulates the local model parameters on the compromised client devices during the learning process such that the global model has a large testing error rate. We formulate our attacks as optimization problems and apply our…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Anomaly Detection Techniques and Applications
