Secure Federated Learning against Model Poisoning Attacks via Client Filtering
Duygu Nur Yaldiz, Tuo Zhang, Salman Avestimehr

TL;DR
This paper introduces CosDefense, a simple yet effective method for detecting malicious clients in federated learning by using cosine similarity of model updates, enhancing robustness against poisoning attacks.
Contribution
The paper proposes CosDefense, a novel cosine similarity-based detection algorithm that does not require extra information and is compatible with client sampling in federated learning.
Findings
CosDefense effectively detects malicious clients under state-of-the-art poisoning attacks.
It maintains high model accuracy while filtering out malicious updates.
Experimental results on real datasets validate its robustness and practicality.
Abstract
Given the distributed nature of federated learning (FL), detecting and defending against backdoor attacks in FL systems is challenging. In this paper, we observe that the cosine similarity of the last layer's weights between the global model and each local update can be used effectively as an indicator of malicious model updates. Therefore, we propose CosDefense, a cosine-similarity-based attacker detection algorithm. Specifically, under CosDefense, the server calculates the cosine similarity score of the last layer's weights between the global model and each client update, labels as malicious the clients whose score is much higher than the average, and filters them out of the model aggregation in each round. Compared to existing defense schemes, CosDefense does not require any extra information besides the received model updates to operate and is compatible with client sampling. Experiment…
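The server-side round described in the abstract, as an added illustration rather than the paper's own code: each sampled client's last-layer weights are scored by cosine similarity against the global last layer, clients scoring "much higher than the average" are dropped, and the survivors are averaged. The abstract gives no exact margin, so the flagging rule (mean plus k times the population standard deviation, k = 1.0) and the constructed seven-client round are assumptions of this example.

```python
import math
import statistics


def cosine_similarity(a, b):
    """Cosine of the angle between two flattened weight vectors (0.0 if either is all-zero)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def cos_defense_filter(global_last_layer, client_last_layers, k=1.0):
    """Score each client against the global last layer and flag those scoring
    'much higher than the average'. Margin = mean + k * population std is an
    assumption of this example; the abstract does not define it."""
    scores = {cid: cosine_similarity(global_last_layer, w) for cid, w in client_last_layers.items()}
    values = list(scores.values())
    mean, std = statistics.fmean(values), statistics.pstdev(values)
    # Identical scores across all clients leave nothing to single out.
    threshold = mean + k * std if std > 0.0 else float("inf")
    flagged = {cid for cid, s in scores.items() if s > threshold}
    kept = set(scores) - flagged
    return kept, flagged, scores


def fedavg(client_last_layers, kept):
    """Unweighted FedAvg over the clients that survived filtering."""
    rows = [client_last_layers[cid] for cid in sorted(kept)]
    return [sum(col) / len(rows) for col in zip(*rows)]


# Constructed round (not from the paper): a 3-weight last layer, five benign clients
# trained on different shards, and two colluding clients whose submissions are
# rescaled copies of the global weights, so they align with it almost perfectly.
GLOBAL_LAST_LAYER = [2.0, 3.0, 6.0]
CLIENT_LAST_LAYERS = {
    "benign-1": [3.0, 6.0, 2.0],
    "benign-2": [6.0, 2.0, 3.0],
    "benign-3": [2.0, 6.0, 3.0],
    "benign-4": [6.0, 3.0, 2.0],
    "benign-5": [6.0, 6.0, 7.0],
    "mal-1": [4.0, 6.0, 12.0],
    "mal-2": [20.0, 30.0, 60.0],
}

if __name__ == "__main__":
    kept, flagged, scores = cos_defense_filter(GLOBAL_LAST_LAYER, CLIENT_LAST_LAYERS)
    for cid, s in sorted(scores.items()):
        print(f"{cid:9s} cos={s:.3f} {'FILTERED' if cid in flagged else 'kept'}")
    print("aggregated last layer:", fedavg(CLIENT_LAST_LAYERS, kept))
```

The round shows the detection signal the abstract relies on: the benign clients score between roughly 0.67 and 0.94, the two colluding clients score 1.0, and only the latter cross the mean-plus-one-standard-deviation line before aggregation.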
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Network Security and Intrusion Detection
