ARFED: Attack-Resistant Federated averaging based on outlier elimination
Ece Isik-Polat, Gorkem Polat, Altan Kocyigit

TL;DR
ARFED is a novel federated learning defense method that identifies and eliminates outlier model updates to protect against various poisoning attacks without relying on data distribution assumptions.
Contribution
It introduces ARFED, a robust outlier-based defense algorithm for federated learning that works under diverse attack scenarios and data distributions.
Findings
ARFED effectively defends against label flipping, Byzantine, and partial knowledge attacks.
It performs well in both IID and Non-IID data settings.
The new organized partial knowledge attack demonstrates higher effectiveness than independent attacks.
Abstract
In federated learning, each participant trains its local model with its own data and a global model is formed at a trusted server by aggregating model updates coming from these participants. Since the server has no effect on or visibility into the training procedure of the participants to ensure privacy, the global model becomes vulnerable to attacks such as data poisoning and model poisoning. Although many defense algorithms have recently been proposed to address these attacks, they often make strong assumptions that do not agree with the nature of federated learning, such as assuming Non-IID datasets. Moreover, they mostly lack comprehensive experimental analyses. In this work, we propose a defense algorithm called ARFED that does not make any assumptions about data distribution, update similarity of participants, or the ratio of the malicious participants. ARFED mainly considers the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Domain Adaptation and Few-Shot Learning
