Suppressing Poisoning Attacks on Federated Learning for Medical Imaging

TL;DR

This paper introduces a robust aggregation method called DOS for federated learning in medical imaging, effectively defending against poisoning attacks without hyperparameter tuning, even with heterogeneous data.

Contribution

The paper proposes DOS, a novel outlier suppression technique using distance metrics and copula-based detection, enhancing federated learning robustness against malicious clients.

Findings

DOS outperforms existing methods in robustness against poisoning attacks.

Effective even with heterogeneous data distributions.

No hyperparameter tuning required for DOS.

Abstract

Collaboration among multiple data-owning entities (e.g., hospitals) can accelerate the training process and yield better machine learning models due to the availability and diversity of data. However, privacy concerns make it challenging to exchange data while preserving confidentiality. Federated Learning (FL) is a promising solution that enables collaborative training through exchange of model parameters instead of raw data. However, most existing FL solutions work under the assumption that participating clients are \emph{honest} and thus can fail against poisoning attacks from malicious parties, whose goal is to deteriorate the global model performance. In this work, we propose a robust aggregation rule called Distance-based Outlier Suppression (DOS) that is resilient to byzantine failures. The proposed method computes the distance between local parameter updates of different clients and obtains an outlier score for each client using Copula-based Outlier Detection (COPOD). The resulting outlier scores are converted into normalized weights using a softmax function, and a weighted average of the local parameters is used for updating the global model. DOS aggregation can effectively suppress parameter updates from malicious clients without the need for any hyperparameter selection, even when the data distributions are heterogeneous. Evaluation on two medical imaging datasets (CheXpert and HAM10000) demonstrates the higher robustness of DOS method against a variety of poisoning attacks in comparison to other state-of-the-art methods. The code can be found here https://github.com/Naiftt/SPAFD.