DISBELIEVE: Distance Between Client Models is Very Essential for Effective Local Model Poisoning Attacks

TL;DR

This paper introduces DISBELIEVE, a novel local model poisoning attack in federated learning that exploits the reliance of robust aggregation methods on parameter distances, significantly degrading model performance in medical imaging and natural image classification.

Contribution

The paper proposes DISBELIEVE, a new attack that creates malicious client models with low distance to benign models but high adverse impact, challenging existing defenses.

Findings

DISBELIEVE significantly reduces model accuracy in medical image datasets.

It effectively bypasses robust aggregation defenses based on parameter distance.

The attack causes severe performance drops on CIFAR-10 classification.

Abstract

Federated learning is a promising direction to tackle the privacy issues related to sharing patients' sensitive data. Often, federated systems in the medical image analysis domain assume that the participating local clients are \textit{honest}. Several studies report mechanisms through which a set of malicious clients can be introduced that can poison the federated setup, hampering the performance of the global model. To overcome this, robust aggregation methods have been proposed that defend against those attacks. We observe that most of the state-of-the-art robust aggregation methods are heavily dependent on the distance between the parameters or gradients of malicious clients and benign clients, which makes them prone to local model poisoning attacks when the parameters or gradients of malicious and benign clients are close. Leveraging this, we introduce DISBELIEVE, a local model poisoning attack that creates malicious parameters or gradients such that their distance to benign clients' parameters or gradients is low respectively but at the same time their adverse effect on the global model's performance is high. Experiments on three publicly available medical image datasets demonstrate the efficacy of the proposed DISBELIEVE attack as it significantly lowers the performance of the state-of-the-art \textit{robust aggregation} methods for medical image analysis. Furthermore, compared to state-of-the-art local model poisoning attacks, DISBELIEVE attack is also effective on natural images where we observe a severe drop in classification performance of the global model for multi-class classification on benchmark dataset CIFAR-10.