Characterizing Internal Evasion Attacks in Federated Learning
Taejin Kim, Shubhranshu Singh, Nikhil Madaan, Carlee Joe-Wong

TL;DR
This paper investigates internal evasion attacks in federated learning, analyzing their transferability, the impact of data similarity, and evaluating defenses like adversarial training and personalization for robustness.
Contribution
This is the first work to characterize the transferability of internal evasion attacks and to assess defense strategies against them, highlighting the benefits of combining adversarial training with personalized federated learning.
Findings
Adversarial training offers limited defense against internal attacks.
Personalized federated learning significantly improves robustness.
Transferability of attacks depends on data similarity among clients.
Abstract
Federated learning allows for clients in a distributed system to jointly train a machine learning model. However, clients' models are vulnerable to attacks during the training and testing phases. In this paper, we address the issue of adversarial clients performing "internal evasion attacks": crafting evasion attacks at test time to deceive other clients. For example, adversaries may aim to deceive spam filters and recommendation systems trained with federated learning for monetary gain. The adversarial clients have extensive information about the victim model in a federated learning setting, as weight information is shared amongst clients. We are the first to characterize the transferability of such internal evasion attacks for different learning methods and analyze the trade-off between model accuracy and robustness depending on the degree of similarities in client data. We show that…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
Methods: Test
