FLCert: Provably Secure Federated Learning against Poisoning Attacks
Xiaoyu Cao, Zaixi Zhang, Jinyuan Jia, Neil Zhenqiang Gong

TL;DR
FLCert introduces a provably secure federated learning framework that effectively defends against poisoning attacks by grouping clients and using majority voting, ensuring robustness even with malicious clients.
Contribution
Proposes FLCert, a novel ensemble federated learning method with provable security guarantees against poisoning attacks involving a bounded number of malicious clients.
Findings
FLCert maintains accurate predictions despite malicious clients.
The framework provides formal security guarantees against poisoning.
Experimental results validate robustness across multiple datasets.
Abstract
Due to its distributed nature, federated learning is vulnerable to poisoning attacks, in which malicious clients poison the training process via manipulating their local training data and/or local model updates sent to the cloud server, such that the poisoned global model misclassifies many indiscriminate test inputs or attacker-chosen ones. Existing defenses mainly leverage Byzantine-robust federated learning methods or detect malicious clients. However, these defenses do not have provable security guarantees against poisoning attacks and may be vulnerable to more advanced attacks. In this work, we aim to bridge the gap by proposing FLCert, an ensemble federated learning framework, that is provably secure against poisoning attacks with a bounded number of malicious clients. Our key idea is to divide the clients into groups, learn a global model for each group of clients using any…
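The grouping and majority-vote idea described above can be made concrete with a short sketch; this is an added example, not code from the paper or its authors. It assumes disjoint groups (each client hashed into exactly one group, so m malicious clients can corrupt at most m group models), ties broken toward the smaller label, hypothetical function names, and constructed sample votes; the bound is derived under those assumptions rather than quoted from the paper.

```python
import hashlib

def assign_group(client_id, num_groups):
    # Assumption: disjoint groups, so one client influences exactly one group model.
    digest = hashlib.sha256(client_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % num_groups

def tally_votes(votes, num_classes):
    tally = [0] * num_classes
    for v in votes:
        tally[v] += 1
    # Ties are broken toward the smaller label index.
    winner = max(range(num_classes), key=lambda c: (tally[c], -c))
    return winner, tally

def margin(tally, y, z):
    # Gap between winner y and rival z, adjusted for the tie-break rule.
    return tally[y] - tally[z] - (1 if y > z else 0)

def certified_bound(votes, num_classes):
    """Largest m for which m corrupted group models cannot change the winner."""
    y, tally = tally_votes(votes, num_classes)
    # A corrupted model moves at most one vote from y to z, shrinking the gap by 2.
    return y, min(margin(tally, y, z) // 2 for z in range(num_classes) if z != y)

def worst_case_prediction(votes, num_classes, m):
    """Winner after m group models that voted y instead vote for the closest rival."""
    y, tally = tally_votes(votes, num_classes)
    z = min((c for c in range(num_classes) if c != y), key=lambda c: margin(tally, y, c))
    flipped, budget = [], m
    for v in votes:
        if v == y and budget > 0:
            flipped.append(z)
            budget -= 1
        else:
            flipped.append(v)
    return tally_votes(flipped, num_classes)[0]

# Constructed sample: labels predicted by 10 group models for one test input.
GROUP_VOTES = [1, 1, 1, 1, 1, 1, 1, 0, 0, 2]

if __name__ == "__main__":
    label, m_star = certified_bound(GROUP_VOTES, 3)
    print(f"prediction={label}, certified against {m_star} malicious clients")
    for m in range(m_star + 2):
        print(m, worst_case_prediction(GROUP_VOTES, 3, m))
```

The certificate is per test input: a prediction backed by a narrow vote margin gets a small or zero bound, so the bound should be reported alongside the label.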
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection · HIV, Drug Use, Sexual Risk
Methods: Test
