An Experimental Study of Byzantine-Robust Aggregation Schemes in Federated Learning

TL;DR

This paper systematically evaluates Byzantine-robust aggregation schemes in federated learning under various attacks, revealing their limitations especially with Non-IID data, and introduces a new scheme, ClippedClustering, to improve robustness.

Contribution

It provides a comprehensive empirical comparison of existing schemes, proposes ClippedClustering, and highlights the challenges of robustness in Non-IID federated learning scenarios.

Findings

Aggregation schemes perform variably across different attacks.

ClippedClustering enhances robustness against most attacks with IID data.

All schemes' effectiveness diminishes significantly with Non-IID data.

Abstract

Byzantine-robust federated learning aims at mitigating Byzantine failures during the federated training process, where malicious participants may upload arbitrary local updates to the central server to degrade the performance of the global model. In recent years, several robust aggregation schemes have been proposed to defend against malicious updates from Byzantine clients and improve the robustness of federated learning. These solutions were claimed to be Byzantine-robust, under certain assumptions. Other than that, new attack strategies are emerging, striving to circumvent the defense schemes. However, there is a lack of systematic comparison and empirical study thereof. In this paper, we conduct an experimental study of Byzantine-robust aggregation schemes under different attacks using two popular algorithms in federated learning, FedSGD and FedAvg . We first survey existing Byzantine attack strategies and Byzantine-robust aggregation schemes that aim to defend against Byzantine attacks. We also propose a new scheme, ClippedClustering , to enhance the robustness of a clustering-based scheme by automatically clipping the updates. Then we provide an experimental evaluation of eight aggregation schemes in the scenario of five different Byzantine attacks. Our results show that these aggregation schemes sustain relatively high accuracy in some cases but are ineffective in others. In particular, our proposed ClippedClustering successfully defends against most attacks under independent and IID local datasets. However, when the local datasets are Non-IID, the performance of all the aggregation schemes significantly decreases. With Non-IID data, some of these aggregation schemes fail even in the complete absence of Byzantine clients. We conclude that the robustness of all the aggregation schemes is limited, highlighting the need for new defense strategies, in particular for Non-IID datasets.