Certifiably-Robust Federated Adversarial Learning via Randomized Smoothing
Cheng Chen, Bhavya Kailkhura, Ryan Goldhahn, Yi Zhou

TL;DR
This paper introduces a federated adversarial learning framework using randomized smoothing that provides certifiable robustness against adversarial attacks, matching centralized training robustness and improving training efficiency.
Contribution
It integrates randomized smoothing into federated adversarial training to achieve certifiable robustness and demonstrates faster training methods without sacrificing robustness.
Findings
Models achieve robustness comparable to centralized training.
The approach provides certifiable robustness against $\ell_2$-bounded adversarial attacks.
One-point gradient estimation accelerates training by 2-3 times.
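The page reports the speed-up from one-point gradient estimation but does not state the estimator. The block below is an added illustration, not code from the paper: it assumes the one-point estimator is the Gaussian (Stein's identity) form, grad E[h(x + sigma*eps)] = E[h(x + sigma*eps) * eps] / sigma, and places it next to the two-point antithetic estimator on a constructed quadratic loss whose smoothed gradient is known in closed form. The names `quadratic_loss`, `A`, `CountingFunction` and `compare` are invented for the example; the paper's actual estimator, model and loss may differ.

```python
import random


class CountingFunction:
    """Wraps a loss so the number of function evaluations can be compared."""

    def __init__(self, fn):
        self.fn = fn
        self.calls = 0

    def __call__(self, x):
        self.calls += 1
        return self.fn(x)


# Constructed stand-in loss h(x) = sum_i a_i * x_i^2. Only its values are
# queried below, as they would be for a model whose gradient is costly.
A = (1.0, 0.5)


def quadratic_loss(x):
    return sum(ai * xi * xi for ai, xi in zip(A, x))


def exact_smoothed_gradient(x):
    # Gaussian smoothing adds the x-independent constant sigma^2 * sum(A) to a
    # quadratic, so the gradient of E[h(x + sigma*eps)] is still 2 * a_i * x_i.
    return [2.0 * ai * xi for ai, xi in zip(A, x)]


def one_point_gradient(h, x, sigma, n, rng):
    # Stein's identity (assumed form of the one-point estimator):
    # grad_x E[h(x + sigma*eps)] = E[h(x + sigma*eps) * eps] / sigma, eps ~ N(0, I).
    # One evaluation of h per sample and no derivative of h at all.
    d = len(x)
    acc = [0.0] * d
    for _ in range(n):
        eps = [rng.gauss(0.0, 1.0) for _ in range(d)]
        value = h([xi + sigma * ei for xi, ei in zip(x, eps)])
        for i in range(d):
            acc[i] += value * eps[i]
    return [v / (n * sigma) for v in acc]


def two_point_gradient(h, x, sigma, n, rng):
    # Antithetic variant: (h(x + sigma*eps) - h(x - sigma*eps)) * eps / (2 sigma).
    # Same expectation and lower variance, but two evaluations per sample.
    d = len(x)
    acc = [0.0] * d
    for _ in range(n):
        eps = [rng.gauss(0.0, 1.0) for _ in range(d)]
        plus = h([xi + sigma * ei for xi, ei in zip(x, eps)])
        minus = h([xi - sigma * ei for xi, ei in zip(x, eps)])
        for i in range(d):
            acc[i] += (plus - minus) * eps[i]
    return [v / (2.0 * n * sigma) for v in acc]


def max_abs_error(est, exact):
    return max(abs(e - g) for e, g in zip(est, exact))


def compare(x=(1.0, -2.0), sigma=0.5, n=100_000, seed=0):
    """Run both estimators on one point; return {name: (max abs error, loss evaluations)}."""
    exact = exact_smoothed_gradient(x)
    results = {}
    for name, estimator in (("one_point", one_point_gradient), ("two_point", two_point_gradient)):
        h = CountingFunction(quadratic_loss)
        est = estimator(h, x, sigma, n, random.Random(seed))
        results[name] = (max_abs_error(est, exact), h.calls)
    return results


if __name__ == "__main__":
    for name, (err, calls) in compare().items():
        print(f"{name}: max abs error {err:.3f} with {calls} loss evaluations")
```

Both estimators recover the exact smoothed gradient (2, -2) to within Monte Carlo error; the one-point estimator does so with half the loss evaluations, which is where the training-time saving comes from, at the price of higher variance per sample. Whether that trade pays off on a real model is exactly what the 2-3x figure on this page measures.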
Abstract
Federated learning is an emerging data-private distributed learning framework which, however, is vulnerable to adversarial attacks. Although several heuristic defenses have been proposed to enhance the robustness of federated learning, they do not provide certifiable robustness guarantees. In this paper, we incorporate randomized smoothing techniques into federated adversarial training to enable data-private distributed learning with certifiable robustness to test-time adversarial perturbations. Our experiments show that such an advanced federated adversarial learning framework can deliver models as robust as those trained by centralized training. Further, this enables provably-robust classifiers against $\ell_2$-bounded adversarial perturbations in a distributed setup. We also show that a one-point gradient estimation based training approach is faster than popular stochastic…
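The abstract claims certifiable robustness to $\ell_2$-bounded test-time perturbations via randomized smoothing but does not spell out how a certificate is produced. The block below is an added example, not code from the paper: it assumes the smoothing is the Gaussian construction of Cohen, Rosenfeld and Kolter (2019) and follows their CERTIFY procedure on a constructed linear base classifier (`W`, `B`) standing in for the trained federated model. The Hoeffding lower confidence bound replaces the Clopper-Pearson interval so the code needs only the standard library; it is more conservative, so the radius it certifies is smaller than a tight implementation would give. Nothing about the federated training itself is shown; the certificate is computed on whatever model comes out of it.

```python
import math
import random
from statistics import NormalDist

PHI_INV = NormalDist().inv_cdf  # standard normal quantile Phi^{-1}

# Toy base classifier on R^2 (constructed for this example): a linear
# separator standing in for the base network trained by the federated procedure.
W = (1.0, 1.0)
B = -1.0


def base_classifier(x):
    return 1 if W[0] * x[0] + W[1] * x[1] + B > 0 else 0


def true_margin(x):
    # Exact l2 distance from x to the base classifier's decision boundary. Only
    # available because the toy classifier is linear; used to sanity-check the certificate.
    return abs(W[0] * x[0] + W[1] * x[1] + B) / math.hypot(W[0], W[1])


def sample_counts(x, sigma, n, rng, num_classes=2):
    # Monte Carlo estimate of the smoothed classifier g(x): run the base
    # classifier on n copies of x perturbed with N(0, sigma^2 I) noise.
    counts = [0] * num_classes
    for _ in range(n):
        noisy = (x[0] + rng.gauss(0.0, sigma), x[1] + rng.gauss(0.0, sigma))
        counts[base_classifier(noisy)] += 1
    return counts


def lower_confidence_bound(k, n, alpha):
    # One-sided Hoeffding lower bound on the success probability after k of n
    # successes, valid with probability 1 - alpha. Conservative substitute for
    # the Clopper-Pearson bound used in the original CERTIFY procedure.
    return max(0.0, k / n - math.sqrt(math.log(1.0 / alpha) / (2.0 * n)))


def certify(x, sigma, n0=100, n=10000, alpha=0.001, seed=0):
    """Return (predicted class, certified l2 radius), or None to abstain.

    CERTIFY of Cohen et al. (2019): a small sample (n0) selects the candidate
    top class, an independent sample (n) lower-bounds its probability p_A, and
    the certified radius is sigma * Phi^{-1}(p_A). Within that l2 radius the
    smoothed classifier provably returns the same class (with prob. 1 - alpha).
    """
    rng = random.Random(seed)
    selection = sample_counts(x, sigma, n0, rng)
    c_a = max(range(len(selection)), key=selection.__getitem__)
    estimation = sample_counts(x, sigma, n, rng)
    p_lower = lower_confidence_bound(estimation[c_a], n, alpha)
    if p_lower <= 0.5:
        return None  # abstain: the top class is not confidently above 1/2
    return c_a, sigma * PHI_INV(p_lower)


if __name__ == "__main__":
    sigma = 0.5
    x = (2.0, 2.0)
    result = certify(x, sigma)
    print("certified:", result, "true margin:", round(true_margin(x), 3))
    if result is not None:
        c_a, radius = result
        # Worst case for the toy model: step the certified distance straight toward the boundary.
        norm = math.hypot(*W)
        probe = (x[0] - radius * W[0] / norm, x[1] - radius * W[1] / norm)
        counts = sample_counts(probe, sigma, 10000, random.Random(1))
        print("smoothed prediction at the probe:", counts.index(max(counts)), "(expected", c_a, ")")
```

Two points a practitioner should keep in mind when reading the robustness claim: the certificate is a statement about the smoothed classifier g (base model plus noise plus abstention), so that is what has to be deployed, with the same sigma; and it covers $\ell_2$-bounded perturbations of test inputs only, which says nothing about training-time attacks from malicious federated clients.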
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Domain Adaptation and Few-Shot Learning
Methods: Randomized Smoothing
