SPFL: A Self-purified Federated Learning Method Against Poisoning Attacks
Zizhen Liu, Weiyang He, Chip-Hong Chang, Jing Ye, Huawei Li, Xiaowei Li

TL;DR
SPFL introduces a self-purification approach in federated learning that effectively defends against poisoning attacks by leveraging trusted historical features and attention-guided self-knowledge distillation, enhancing security without sacrificing privacy.
Contribution
The paper proposes a novel self-purified federated learning method that does not restrict communication protocols and can work with existing secure aggregation, significantly improving robustness against poisoning attacks.
Findings
SPFL reduces the attack success rate to at most 3% above that of a clean model.
SPFL outperforms state-of-the-art defenses under various poisoning attacks.
SPFL improves model quality on normal inputs, even under attack.
Abstract
While federated learning (FL) is attractive for pooling privacy-preserving distributed training data, the credibility of participating clients and non-inspectable data pose new security threats, of which poisoning attacks are particularly rampant and hard to defend against without compromising privacy, performance or other desirable properties of FL. To tackle this problem, we propose a self-purified FL (SPFL) method that enables benign clients to exploit trusted historical features of the locally purified model to supervise the training of the aggregated model in each iteration. The purification is performed by an attention-guided self-knowledge distillation where the teacher and student models are optimized locally for task loss, distillation loss and attention-based loss simultaneously. SPFL imposes no restriction on the communication protocol and aggregator at the server. It can work in tandem with…
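The abstract describes the client-side purification objective only at the level of its three terms (task loss, distillation loss, attention-based loss) and says nothing about how each is computed. The block below is an added illustration written for this page, not code from the SPFL authors. It assumes concrete forms that the abstract does not specify: the distillation term as a temperature-scaled KL divergence between teacher and student softmax outputs, and the attention term as the squared distance between L2-normalised channel-energy maps of the two models' intermediate features. The tensors it runs on are constructed dummies, and the FedAvg server step is included only to show that the server-side aggregator is left untouched, as the abstract claims.

```python
import numpy as np

# NOTE: all loss forms below are assumptions for illustration; the SPFL
# abstract names the three terms but does not define them.


def softmax(z, T=1.0):
    """Row-wise softmax with temperature T (numerically stable)."""
    z = z / T
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def task_loss(logits, labels):
    """Cross-entropy of the student on the local (benign) labels."""
    p = softmax(logits)
    picked = p[np.arange(len(labels)), labels]
    return float(-np.mean(np.log(picked + 1e-12)))


def distillation_loss(student_logits, teacher_logits, T=2.0):
    """KL(teacher || student) on softened outputs, scaled by T^2 (assumed form)."""
    ps = softmax(student_logits, T)
    pt = softmax(teacher_logits, T)
    kl = np.sum(pt * (np.log(pt + 1e-12) - np.log(ps + 1e-12)), axis=1)
    return float(np.mean(kl) * T * T)


def attention_map(feats):
    """Spatial attention map from a (N, C, H, W) feature tensor:
    sum of squared activations over channels, flattened and L2-normalised
    per sample so the map is scale-invariant (assumed form)."""
    energy = np.sum(feats ** 2, axis=1).reshape(feats.shape[0], -1)
    return energy / (np.linalg.norm(energy, axis=1, keepdims=True) + 1e-12)


def attention_loss(student_feats, teacher_feats):
    """Squared distance between student and teacher attention maps."""
    diff = attention_map(student_feats) - attention_map(teacher_feats)
    return float(np.mean(np.sum(diff ** 2, axis=1)))


def purification_loss(student_logits, teacher_logits, student_feats,
                      teacher_feats, labels, T=2.0, alpha=1.0, beta=1.0):
    """Combined local objective: task + alpha*distillation + beta*attention.
    The teacher is the client's own trusted, locally purified model; the
    student is the freshly received aggregated model."""
    return (task_loss(student_logits, labels)
            + alpha * distillation_loss(student_logits, teacher_logits, T)
            + beta * attention_loss(student_feats, teacher_feats))


def fedavg(client_weights):
    """Plain FedAvg server step; SPFL leaves this (or any secure
    aggregation) unchanged, since purification happens client-side."""
    return np.mean(np.stack(client_weights), axis=0)


# Constructed sample tensors: 4 samples, 3 classes, features (N=4, C=2, H=2, W=2)
rng = np.random.default_rng(0)
LABELS = np.array([0, 1, 2, 1])
TEACHER_LOGITS = np.array([[4.0, 0.5, 0.0],
                           [0.2, 3.5, 0.1],
                           [0.0, 0.3, 4.2],
                           [0.1, 3.0, 0.4]])
# An aggregated model that has drifted (e.g. under a poisoning attack):
# it no longer agrees with the trusted teacher on sample 3.
STUDENT_LOGITS = TEACHER_LOGITS.copy()
STUDENT_LOGITS[3] = [3.0, 0.1, 0.2]
TEACHER_FEATS = rng.normal(size=(4, 2, 2, 2))
STUDENT_FEATS = TEACHER_FEATS + 0.5 * rng.normal(size=(4, 2, 2, 2))


def demo():
    """Return (combined loss, task-only loss) on the constructed tensors."""
    combined = purification_loss(STUDENT_LOGITS, TEACHER_LOGITS,
                                 STUDENT_FEATS, TEACHER_FEATS, LABELS)
    return combined, task_loss(STUDENT_LOGITS, LABELS)


if __name__ == "__main__":
    print(demo())
```

The point of the combined objective is that the aggregated model is not trusted on its own: even where the task loss on local labels is low, disagreement with the trusted teacher's outputs or attention maps raises the loss and pulls the student back toward the purified model. The attention map's normalisation makes the term insensitive to uniform rescaling of the features, so it compares where the model looks rather than how strongly it activates.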
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
