MANDERA: Malicious Node Detection in Federated Learning via Ranking

TL;DR

MANDERA introduces a novel ranking-based method for detecting malicious gradients in federated learning, effectively distinguishing benign and Byzantine attacked gradients without prior attack knowledge, across various attack types and data distributions.

Contribution

This paper presents the first theoretically guaranteed ranking-based approach for malicious node detection in federated learning, addressing high-dimensional gradient challenges without prior attack information.

Findings

Successfully detects all malicious gradients under Byzantine attacks

Effective across multiple attack types including Gaussian and Sign Flipping

Performs well on both IID and Non-IID datasets

Abstract

Byzantine attacks hinder the deployment of federated learning algorithms. Although we know that the benign gradients and Byzantine attacked gradients are distributed differently, to detect the malicious gradients is challenging due to (1) the gradient is high-dimensional and each dimension has its unique distribution and (2) the benign gradients and the attacked gradients are always mixed (two-sample test methods cannot apply directly). To address the above, for the first time, we propose MANDERA which is theoretically guaranteed to efficiently detect all malicious gradients under Byzantine attacks with no prior knowledge or history about the number of attacked nodes. More specifically, we transfer the original updating gradient space into a ranking matrix. By such an operation, the scales of different dimensions of the gradients in the ranking space become identical. The high-dimensional benign gradients and the malicious gradients can be easily separated. The effectiveness of MANDERA is further confirmed by experimentation on four Byzantine attack implementations (Gaussian, Zero Gradient, Sign Flipping, Shifted Mean), comparing with state-of-the-art defenses. The experiments cover both IID and Non-IID datasets.