Pelta: Shielding Transformers to Mitigate Evasion Attacks in Federated Learning
Simon Queyrut, Yérom-David Bromberg, Valerio Schiavoni

TL;DR
Pelta is a hardware-based shielding mechanism that uses Trusted Execution Environments to keep compromised federated-learning clients from probing their local copy of the model for adversarial examples.
Contribution
Introduces Pelta, a shielding approach that leverages TEEs to mitigate evasion attacks in federated learning by hiding the details of back-propagation from the client.
Findings
Pelta defends against the Self Attention Gradient adversarial attack.
Hardware-based shielding adds protection without significant performance loss.
Pelta remains robust when evaluated against ensembles of models.
Abstract
The main premise of federated learning is that machine learning model updates are computed locally, in particular to preserve user data privacy, since the data never leaves the perimeter of the user's device. This mechanism assumes that the general model, once aggregated, is broadcast to collaborating and non-malicious nodes. However, without proper defenses, compromised clients can easily probe the model inside their local memory in search of adversarial examples. For instance, in image-based applications, adversarial examples are images perturbed imperceptibly (to the human eye) so that the local model misclassifies them; they can later be presented to a victim node's counterpart model to replicate the attack. To mitigate such malicious probing, we introduce Pelta, a novel shielding mechanism leveraging trusted hardware. By harnessing the capabilities of Trusted Execution Environments…
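The probing step the abstract describes, as an added example that is not part of the paper or of the Pelta code base: a toy logistic classifier (not a transformer) with constructed weights stands in for the compromised client's local model copy and for the victim node's counterpart model. A one-step gradient-sign perturbation crafted on the local copy is misclassified by both, so it transfers; a forward-only view of the same model, which only imitates the property of hiding back-propagation and says nothing about how Pelta's TEE achieves it, leaves the gradient-based probe with nothing to work on. All weights, inputs and the threshold are constructed for the illustration.

```python
import math


def sigmoid(z: float) -> float:
    """Logistic function."""
    return 1.0 / (1.0 + math.exp(-z))


class LogisticModel:
    """Toy binary classifier standing in for a client's local model copy.

    A local copy exposes everything a training loop needs, including the
    gradient of the loss with respect to the input, which is exactly what a
    gradient-based evasion attack consumes.
    """

    def __init__(self, w, b):
        self.w = list(w)
        self.b = b

    def logit(self, x):
        return sum(wi * xi for wi, xi in zip(self.w, x)) + self.b

    def predict_proba(self, x):
        return sigmoid(self.logit(x))

    def predict(self, x):
        return 1 if self.predict_proba(x) >= 0.5 else 0

    def input_gradient(self, x, y):
        """d(cross-entropy loss)/dx for true label y, which is (p - y) * w."""
        p = self.predict_proba(x)
        return [(p - y) * wi for wi in self.w]


class ForwardOnly:
    """Forward-pass-only view of a model: predictions can be queried, the
    gradient path cannot. This is a stand-in for the property a
    back-propagation shield provides; it is not Pelta's TEE mechanism."""

    def __init__(self, model):
        self._model = model

    def predict(self, x):
        return self._model.predict(x)

    def predict_proba(self, x):
        return self._model.predict_proba(x)


def fgsm(model, x, y, eps):
    """Fast-gradient-sign step: move every feature by eps in the direction
    that increases the loss on the true label, then clip back into [0, 1]."""
    grad = model.input_gradient(x, y)
    sign = [1.0 if g > 0 else -1.0 if g < 0 else 0.0 for g in grad]
    return [min(1.0, max(0.0, xi + eps * s)) for xi, s in zip(x, sign)]


def linf(a, b):
    """L-infinity distance, the usual budget for 'imperceptible' changes."""
    return max(abs(ai - bi) for ai, bi in zip(a, b))


# Constructed weights: the copy a compromised client holds locally, and the
# victim's copy, which differs slightly (e.g. one aggregation round apart).
LOCAL = LogisticModel(w=[2.0, -1.5, 1.0], b=-0.6)
VICTIM = LogisticModel(w=[1.8, -1.6, 1.2], b=-0.5)
X_CLEAN = [0.6, 0.3, 0.4]   # constructed input, true label 1
Y_TRUE = 1


def probe_and_transfer(eps=0.2):
    """White-box probe of the local copy, then replay against the victim."""
    x_adv = fgsm(LOCAL, X_CLEAN, Y_TRUE, eps)
    return {
        "local_clean": LOCAL.predict(X_CLEAN),
        "local_adv": LOCAL.predict(x_adv),
        "victim_clean": VICTIM.predict(X_CLEAN),
        "victim_adv": VICTIM.predict(x_adv),
        "linf": linf(X_CLEAN, x_adv),
    }


def gradient_probe_possible(eps=0.2):
    """Same probe against the forward-only view; True only if it could run."""
    try:
        fgsm(ForwardOnly(LOCAL), X_CLEAN, Y_TRUE, eps)
    except AttributeError:
        return False
    return True


if __name__ == "__main__":
    print(probe_and_transfer())
    print("gradient probe on shielded view:", gradient_probe_possible())
```

With a budget of 0.2 per feature the perturbed input flips from class 1 to class 0 on both copies; with a budget of 0.1 the local copy still classifies it correctly, which is the kind of threshold an attacker finds by repeatedly probing a model it can back-propagate through. A forward-only interface removes that capability but not the model's outputs, so query-only attacks remain in scope; that caveat is the example's, not a claim about Pelta.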
Taxonomy
Methods: Network On Network
