A Data-Driven Defense against Edge-case Model Poisoning Attacks on Federated Learning
Kiran Purohit, Soumi Das, Sourangshu Bhattacharya, Santu Rana

TL;DR
This paper introduces DataDefense, a novel federated learning defense mechanism that uses an external dataset to detect poisoned data and estimate malicious client updates, significantly reducing attack success rates.
Contribution
The paper presents DataDefense, a new method leveraging an external dataset to effectively detect edge-case poisoning attacks in federated learning, outperforming existing defenses.
Findings
Reduces attack success rate by at least 40% in standard scenarios.
Remains effective with as few as five defense examples.
Outperforms state-of-the-art defenses in experiments.
Abstract
Federated Learning systems are increasingly subjected to a multitude of model poisoning attacks from clients. Among these, edge-case attacks that target a small fraction of the input space are nearly impossible to detect using existing defenses, leading to a high attack success rate. We propose an effective defense using an external defense dataset, which provides information about the attack target. The defense dataset contains a mix of poisoned and clean examples, with only a few known to be clean. The proposed method, DataDefense, uses this dataset to learn a poisoned data detector model which marks each example in the defense dataset as poisoned or clean. It also learns a client importance model that estimates the probability of a client update being malicious. The global model is then updated as a weighted average of the client models' updates. The poisoned data detector and the…
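The abstract describes three pieces: a poisoned-data detector that labels each defense example, a client importance model that scores how likely each client update is malicious, and a global update that is a weighted average of client updates. The block below is an added illustration of that aggregation loop and is not the paper's code. Both learned components are replaced by labelled stand-ins: the detector is a 1-nearest-neighbour label check against the known-clean seeds, and the importance score is exp(-mean loss) of each client's candidate model on the clean-marked examples, normalised across clients. The model is a two-feature logistic regression and every number (defense set, client updates, edge-case targets) is constructed for the example.

```python
"""Added illustration (not the paper's code): weighted aggregation of client
updates, where each client's weight comes from how well its candidate model
fits examples marked clean in a small external defense dataset.

Assumed stand-ins (the paper learns both of these as models):
  * poisoned-data detector: 1-nearest-neighbour label check against known-clean seeds
  * client importance: exp(-mean clean loss), normalised over clients
The model is a 2-feature logistic regression; all data below is constructed.
"""
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(w, x):
    return sigmoid(w[0] * x[0] + w[1] * x[1] + w[2])


def bce(p, y):
    eps = 1e-12
    return -(y * math.log(p + eps) + (1 - y) * math.log(1 - p + eps))


# Constructed defense dataset: (x, label, known_clean).
# The attack target is the edge-case region x0 > 2.5, whose true label is 1;
# the attacker wants the global model to output 0 there.
DEFENSE_SET = [
    ((3.0, 0.5), 1, True),
    ((3.2, 0.4), 1, True),
    ((2.8, 0.6), 1, False),   # status unknown, actually clean
    ((3.1, 0.5), 0, False),   # poisoned: attacker's label on an edge-case input
    ((-2.0, 0.0), 0, True),
]


def detect_poisoned(defense_set):
    """Stand-in detector: an example of unknown status is marked poisoned when
    its label disagrees with the label of its nearest known-clean seed."""
    seeds = [(x, y) for x, y, known in defense_set if known]
    flags = []
    for x, y, known in defense_set:
        if known:
            flags.append(False)
            continue
        nearest = min(seeds, key=lambda s: (s[0][0] - x[0]) ** 2 + (s[0][1] - x[1]) ** 2)
        flags.append(nearest[1] != y)
    return flags


def client_weights(w_global, updates, defense_set):
    """Stand-in importance model: softmax of -(mean loss on clean-marked examples)
    for the candidate model global + update. Poisoned-marked examples are excluded."""
    poisoned = detect_poisoned(defense_set)
    clean = [(x, y) for (x, y, _), bad in zip(defense_set, poisoned) if not bad]
    scores = []
    for delta in updates:
        cand = [a + b for a, b in zip(w_global, delta)]
        loss = sum(bce(predict_proba(cand, x), y) for x, y in clean) / len(clean)
        scores.append(math.exp(-loss))
    total = sum(scores)
    return [s / total for s in scores]


def aggregate(w_global, updates, weights):
    """Global model = current model + weighted average of client updates."""
    return [w_global[k] + sum(wt * d[k] for wt, d in zip(weights, updates))
            for k in range(len(w_global))]


def fedavg(w_global, updates):
    """Plain unweighted averaging, for comparison."""
    n = len(updates)
    return aggregate(w_global, updates, [1.0 / n] * n)


def attack_success_rate(w, targets, attacker_label=0):
    """Fraction of edge-case targets the model classifies as the attacker's label."""
    hits = sum(1 for x in targets if (predict_proba(w, x) >= 0.5) == (attacker_label == 1))
    return hits / len(targets)


W_GLOBAL = [1.0, 0.0, -1.0]
UPDATES = [
    [0.10, 0.00, 0.00],    # honest client
    [0.08, 0.02, -0.01],   # honest client
    [-4.00, 0.00, 0.00],   # malicious: pushes the edge-case region to label 0
]
TARGETS = [(3.0, 0.5), (3.2, 0.4), (2.8, 0.6)]   # constructed edge-case inputs


def run():
    weights = client_weights(W_GLOBAL, UPDATES, DEFENSE_SET)
    w_weighted = aggregate(W_GLOBAL, UPDATES, weights)
    w_avg = fedavg(W_GLOBAL, UPDATES)
    return {
        "poisoned_flags": detect_poisoned(DEFENSE_SET),
        "weights": weights,
        "asr_fedavg": attack_success_rate(w_avg, TARGETS),
        "asr_weighted": attack_success_rate(w_weighted, TARGETS),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

With these inputs plain averaging lets the single malicious update drag the edge-case region to the attacker's label (attack success rate 1.0 on the three targets), while the clean-example-driven weighting assigns that client a weight below 0.01 and the edge-case inputs keep their true label. The weakness to keep in mind is the one the abstract points at: the weighting is only as good as the clean examples it is scored on, so a defense set that contained nothing from the attack target region would give the malicious update no penalty.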
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
