TL;DR
This paper introduces a lightweight defense mechanism for federated learning that adjusts the server's learning rate based on agents' update signs to effectively prevent backdoor attacks while maintaining model accuracy.
Contribution
The paper proposes a novel defense method that modifies the aggregation learning rate per dimension and round, based on a conjecture about attack steps, with empirical validation and convergence analysis.
Findings
Backdoor attacks are either eliminated or significantly reduced.
The proposed defense outperforms recent methods in effectiveness.
Minimal impact on the overall model accuracy.
Abstract
Federated learning (FL) allows a set of agents to collaboratively train a model without sharing their potentially sensitive data. This makes FL suitable for privacy-preserving applications. At the same time, FL is susceptible to adversarial attacks due to decentralized and unvetted data. One important line of attacks against FL is the backdoor attacks. In a backdoor attack, an adversary tries to embed a backdoor functionality to the model during training that can later be activated to cause a desired misclassification. To prevent backdoor attacks, we propose a lightweight defense that requires minimal change to the FL protocol. At a high level, our defense is based on carefully adjusting the aggregation server's learning rate, per dimension and per round, based on the sign information of agents' updates. We first conjecture the necessary steps to carry a successful backdoor attack in FL…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
