Byzantines can also Learn from History: Fall of Centered Clipping in Federated Learning

TL;DR

This paper reveals vulnerabilities in the centered clipping (CC) framework for federated learning, introduces a new attack that circumvents CC defenses, and proposes a robust method to defend against such Byzantine attacks.

Contribution

The work exposes weaknesses of the CC framework, presents a novel attack strategy, and develops a new defense mechanism to improve security in federated learning.

Findings

The new attack reduces test accuracy by up to 33% in image classification.

The proposed defense effectively counters the new attack and other Byzantine threats.

Vulnerabilities in existing robust aggregation methods are demonstrated.

Abstract

The increasing popularity of the federated learning (FL) framework due to its success in a wide range of collaborative learning tasks also induces certain security concerns. Among many vulnerabilities, the risk of Byzantine attacks is of particular concern, which refers to the possibility of malicious clients participating in the learning process. Hence, a crucial objective in FL is to neutralize the potential impact of Byzantine attacks and to ensure that the final model is trustable. It has been observed that the higher the variance among the clients' models/updates, the more space there is for Byzantine attacks to be hidden. As a consequence, by utilizing momentum, and thus, reducing the variance, it is possible to weaken the strength of known Byzantine attacks. The centered clipping (CC) framework has further shown that the momentum term from the previous iteration, besides reducing the variance, can be used as a reference point to neutralize Byzantine attacks better. In this work, we first expose vulnerabilities of the CC framework, and introduce a novel attack strategy that can circumvent the defences of CC and other robust aggregators and reduce their test accuracy up to %33 on best-case scenarios in image classification tasks. Then, we propose a new robust and fast defence mechanism that is effective against the proposed and other existing Byzantine attacks.