Avoid Adversarial Adaption in Federated Learning by Multi-Metric Investigations

TL;DR

This paper introduces MESAS, a multi-metric defense method for federated learning, which effectively detects adaptive poisoning attacks and backdoors in realistic scenarios, outperforming existing defenses.

Contribution

The paper proposes MESAS, a novel multi-metric defense approach that is robust against strong adaptive adversaries in federated learning, addressing limitations of prior methods.

Findings

MESAS detects strong adaptive attacks effectively.

Existing defenses are easily circumvented by adaptive adversaries.

MESAS outperforms prior defenses in real-world data scenarios.

Abstract

Federated Learning (FL) facilitates decentralized machine learning model training, preserving data privacy, lowering communication costs, and boosting model performance through diversified data sources. Yet, FL faces vulnerabilities such as poisoning attacks, undermining model integrity with both untargeted performance degradation and targeted backdoor attacks. Preventing backdoors proves especially challenging due to their stealthy nature. Prominent mitigation techniques against poisoning attacks rely on monitoring certain metrics and filtering malicious model updates. While shown effective in evaluations, we argue that previous works didn't consider realistic real-world adversaries and data distributions. We define a new notion of strong adaptive adversaries, capable of adapting to multiple objectives simultaneously. Through extensive empirical tests, we show that existing defense methods can be easily circumvented in this adversary model. We also demonstrate, that existing defenses have limited effectiveness when no assumptions are made about underlying data distributions. We introduce Metric-Cascades (MESAS), a novel defense method for more realistic scenarios and adversary models. MESAS employs multiple detection metrics simultaneously to identify poisoned model updates, creating a complex multi-objective optimization problem for adaptive attackers. In our extensive evaluation featuring nine backdoors and three datasets, MESAS consistently detects even strong adaptive attackers. Furthermore, MESAS outperforms existing defenses in distinguishing backdoors from data distribution-related distortions within and across clients. MESAS is the first defense robust against strong adaptive adversaries, effective in real-world data scenarios, with an average overhead of just 24.37 seconds.