TESSERACT: Gradient Flip Score to Secure Federated Learning Against Model Poisoning Attacks
Atul Sharma, Wei Chen, Joshua Zhao, Qiang Qiu, Somali Chaterji, Saurabh Bagchi

TL;DR
TESSERACT is a novel defense mechanism for federated learning that detects and mitigates gradient flip-based model poisoning attacks by assigning reputation scores to clients, ensuring robustness across various settings.
Contribution
This paper introduces TESSERACT, a simple yet effective method to defend against gradient flip attacks in federated learning, outperforming prior defenses.
Findings
TESSERACT effectively detects gradient flip attacks.
It maintains model accuracy under attack conditions.
It is robust across different algorithms and datasets.
Abstract
Federated learning---multi-party, distributed learning in a decentralized environment---is vulnerable to model poisoning attacks, even more so than centralized learning approaches. This is because malicious clients can collude and send in carefully tailored model updates to make the global model inaccurate. This motivated the development of Byzantine-resilient federated learning algorithms, such as Krum, Bulyan, FABA, and FoolsGold. However, a recently developed untargeted model poisoning attack showed that all prior defenses can be bypassed. The attack uses the intuition that simply by changing the sign of the gradient updates that the optimizer is computing, for a set of malicious clients, a model can be diverted from the optima to increase the test error rate. In this work, we develop TESSERACT---a defense against this directed deviation attack, a state-of-the-art model poisoning…
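The attack the abstract describes (a colluding minority sending sign-flipped gradients) and a reputation-based defense in its spirit can be exercised end to end in a few dozen lines. The script below is an added example, not the authors' code and not TESSERACT's exact scoring rule: it trains a two-parameter linear regression with plain FedAvg across ten simulated clients, four of which negate their gradient (and scale it by 2.5, our assumption; the scaling is a common variant of the attack), then repeats the run with a server that scores each client by the fraction of update coordinates whose sign disagrees with the coordinate-wise median update, keeps an exponentially smoothed reputation from that score, and drops clients whose reputation falls below a threshold. The dataset, the decay factor, the threshold and the honest-majority assumption behind the median reference are all constructed for this illustration.

```python
"""Sign-flip model poisoning against FedAvg, and a flip-score reputation defense.

Illustrative example only (not TESSERACT's exact scoring): linear regression,
ten clients, four of them malicious. All data is constructed in-script.
"""
import random

D = 2                  # number of model parameters
W_TRUE = [1.0, -2.0]   # constructed ground-truth weights (assumption)


def make_client_data(seed, n=50):
    """Constructed local dataset: y = x . W_TRUE + small Gaussian noise."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0) for _ in range(D)]
        y = sum(a * b for a, b in zip(x, W_TRUE)) + rng.gauss(0.0, 0.05)
        xs.append(x)
        ys.append(y)
    return xs, ys


def mse(w, xs, ys):
    """Mean squared error of weights w on a dataset."""
    return sum((sum(a * b for a, b in zip(x, w)) - y) ** 2
               for x, y in zip(xs, ys)) / len(xs)


def gradient(w, xs, ys):
    """Gradient of the mean squared error at w on one client's data."""
    g = [0.0] * D
    for x, y in zip(xs, ys):
        err = sum(a * b for a, b in zip(x, w)) - y
        for j in range(D):
            g[j] += 2.0 * err * x[j]
    return [v / len(xs) for v in g]


def coordinate_median(updates):
    """Per-coordinate median over all client updates (robust sign reference)."""
    med = []
    for j in range(D):
        col = sorted(u[j] for u in updates)
        n = len(col)
        med.append(col[n // 2] if n % 2 else 0.5 * (col[n // 2 - 1] + col[n // 2]))
    return med


def flip_score(update, reference):
    """Fraction of coordinates whose sign disagrees with the reference update."""
    flips = sum(1 for a, b in zip(update, reference) if a * b < 0)
    return flips / len(update)


def run(defend, num_clients=10, num_malicious=4, rounds=30, lr=0.3,
        attack_scale=2.5, decay=0.5, threshold=0.3):
    """Return (final weights, test MSE, per-round reputation history).

    Clients 0..num_malicious-1 send their gradient with the sign flipped and
    scaled by attack_scale (our assumption). With defend=True the server keeps
    r_i = decay*r_i + (1-decay)*(1-flip_i) per client and gives zero weight to
    any client whose reputation is below threshold; otherwise it is plain FedAvg.
    """
    clients = [make_client_data(100 + i) for i in range(num_clients)]
    test_xs, test_ys = make_client_data(999, n=200)   # constructed held-out data
    w = [0.0] * D
    reputation = [1.0] * num_clients
    history = []
    for _ in range(rounds):
        updates = []
        for i, (xs, ys) in enumerate(clients):
            g = gradient(w, xs, ys)
            if i < num_malicious:
                g = [-attack_scale * v for v in g]     # gradient flip attack
            updates.append(g)
        if defend:
            ref = coordinate_median(updates)           # honest majority fixes the sign
            for i, u in enumerate(updates):
                reputation[i] = decay * reputation[i] + (1 - decay) * (1 - flip_score(u, ref))
            weights = [r if r >= threshold else 0.0 for r in reputation]
        else:
            weights = [1.0] * num_clients               # plain FedAvg trusts everyone
        history.append(list(reputation))
        total = sum(weights)
        if total == 0.0:
            continue                                    # nobody trusted: skip the round
        agg = [sum(weights[i] * updates[i][j] for i in range(num_clients)) / total
               for j in range(D)]
        w = [w[j] - lr * agg[j] for j in range(D)]
    return w, mse(w, test_xs, test_ys), history


if __name__ == "__main__":
    for defend in (False, True):
        w, err, hist = run(defend)
        print(f"defend={defend}: w={[round(v, 3) for v in w]} test_mse={err:.4f} "
              f"reputation after 4 rounds={[round(r, 2) for r in hist[3]]}")
```

With four of ten clients flipping and scaling, the averaged update points away from the optimum and plain FedAvg diverges, while the defended run converges to roughly W_TRUE because the malicious clients' reputation halves every round they disagree with the median and they are excluded from the second round on. One caveat this toy run exposes: once the model is near the optimum, honest gradients become small and of mixed sign, so the median reference and the flip scores turn noisy and reputations fluctuate; a deployable scorer needs some treatment of that regime (for example, ignoring coordinates whose reference magnitude is below a tolerance, or slowing reputation recovery), which this example deliberately leaves out.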
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Cryptography and Data Security
