TL;DR
This paper introduces MPAF, a novel model poisoning attack in federated learning using fake clients that can significantly reduce model accuracy even against existing defenses.
Contribution
The work presents the first attack method based on fake clients in federated learning, demonstrating its effectiveness and exposing vulnerabilities in current defense mechanisms.
Findings
MPAF significantly decreases global model accuracy.
Classical defenses and norm clipping are insufficient against MPAF.
Fake clients can effectively manipulate federated learning models.
Abstract
Existing model poisoning attacks to federated learning assume that an attacker has access to a large fraction of compromised genuine clients. However, such assumption is not realistic in production federated learning systems that involve millions of clients. In this work, we propose the first Model Poisoning Attack based on Fake clients called MPAF. Specifically, we assume the attacker injects fake clients to a federated learning system and sends carefully crafted fake local model updates to the cloud server during training, such that the learnt global model has low accuracy for many indiscriminate test inputs. Towards this goal, our attack drags the global model towards an attacker-chosen base model that has low accuracy. Specifically, in each round of federated learning, the fake clients craft fake local model updates that point to the base model and scale them up to amplify their…
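The following is an added example, not code from the paper or its authors. It takes the server's view of one constructed round to show why clipping alone leaves scaled updates that "point to the base model" steering the average, and how a pairwise-direction check surfaces them. The function names, thresholds, clipping bound, scale factor and sample data are all assumptions, and the check is a monitoring heuristic that the paper does not evaluate.

```python
import math
import random

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def cosine(a, b):
    na, nb = norm(a), norm(b)
    dot = sum(x * y for x, y in zip(a, b))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)

def clip(update, bound):
    """Server-side norm clipping: cap the update's L2 norm at `bound`."""
    n = norm(update)
    return list(update) if n <= bound else [x * bound / n for x in update]

def flag_collinear(updates, cos_thresh=0.99, min_peers=2):
    """Indices of updates sharing a direction with >= min_peers other updates."""
    flagged = []
    for i, u in enumerate(updates):
        peers = sum(1 for j, v in enumerate(updates)
                    if j != i and cosine(u, v) >= cos_thresh)
        if peers >= min_peers:
            flagged.append(i)
    return flagged

def constructed_round(dim=20, n_genuine=8, n_fake=4, scale=1e6, seed=7):
    # Constructed sample data: genuine updates are small random vectors,
    # fake ones are scaled copies of (base model - global model).
    rng = random.Random(seed)
    global_w = [rng.gauss(0, 1) for _ in range(dim)]
    base_w = [rng.gauss(0, 1) for _ in range(dim)]
    direction = [b - g for b, g in zip(base_w, global_w)]
    genuine = [[rng.gauss(0, 0.1) for _ in range(dim)] for _ in range(n_genuine)]
    fake = [[scale * d for d in direction] for _ in range(n_fake)]
    return genuine + fake, direction

def demo():
    updates, direction = constructed_round()
    clipped = [clip(u, bound=1.0) for u in updates]
    mean = [sum(col) / len(clipped) for col in zip(*clipped)]
    return {
        "max_norm_after_clip": max(norm(u) for u in clipped),  # magnitude is capped
        "mean_cos_to_base_dir": cosine(mean, direction),       # direction is not
        "flagged": flag_collinear(clipped),                    # indices 8..11 are the fake clients
    }
```
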
Taxonomy
Methods: Balanced Selection
