Federated Robustness Propagation: Sharing Robustness in Heterogeneous Federated Learning

TL;DR

This paper introduces a novel federated learning strategy that propagates adversarial robustness from resource-rich users to resource-poor users, effectively enhancing model robustness in heterogeneous, non-iid settings.

Contribution

It proposes an efficient robustness propagation method using batch-normalization to improve federated learning robustness without requiring all users to perform adversarial training.

Findings

The method significantly improves model robustness in federated settings.

Robustness is effectively propagated even with limited adversarial training users.

The approach outperforms existing techniques in heterogeneous federated learning scenarios.

Abstract

Federated learning (FL) emerges as a popular distributed learning schema that learns a model from a set of participating users without sharing raw data. One major challenge of FL comes with heterogeneous users, who may have distributionally different (or non-iid) data and varying computation resources. As federated users would use the model for prediction, they often demand the trained model to be robust against malicious attackers at test time. Whereas adversarial training (AT) provides a sound solution for centralized learning, extending its usage for federated users has imposed significant challenges, as many users may have very limited training data and tight computational budgets, to afford the data-hungry and costly AT. In this paper, we study a novel FL strategy: propagating adversarial robustness from rich-resource users that can afford AT, to those with poor resources that cannot afford it, during federated learning. We show that existing FL techniques cannot be effectively integrated with the strategy to propagate robustness among non-iid users and propose an efficient propagation approach by the proper use of batch-normalization. We demonstrate the rationality and effectiveness of our method through extensive experiments. Especially, the proposed method is shown to grant federated models remarkable robustness even when only a small portion of users afford AT during learning. Source code will be released.