Towards Understanding Adversarial Transferability in Federated Learning

TL;DR

This paper examines the security vulnerabilities of federated learning against covert adversarial clients, revealing that while FL shows higher robustness than centralized systems, it remains susceptible to subtle, high-impact attacks.

Contribution

It provides an empirical and theoretical analysis of adversarial transferability in federated learning, highlighting its robustness and vulnerabilities compared to centralized learning.

Findings

High attack success rate with only 3% malicious data

Federated learning shows higher robustness than centralized systems

Decentralized training and averaging dilute malicious influence

Abstract

We investigate a specific security risk in FL: a group of malicious clients has impacted the model during training by disguising their identities and acting as benign clients but later switching to an adversarial role. They use their data, which was part of the training set, to train a substitute model and conduct transferable adversarial attacks against the federated model. This type of attack is subtle and hard to detect because these clients initially appear to be benign. The key question we address is: How robust is the FL system to such covert attacks, especially compared to traditional centralized learning systems? We empirically show that the proposed attack imposes a high security risk to current FL systems. By using only 3\% of the client's data, we achieve the highest attack rate of over 80\%. To further offer a full understanding of the challenges the FL system faces in transferable attacks, we provide a comprehensive analysis over the transfer robustness of FL across a spectrum of configurations. Surprisingly, FL systems show a higher level of robustness than their centralized counterparts, especially when both systems are equally good at handling regular, non-malicious data. We attribute this increased robustness to two main factors: 1) Decentralized Data Training: Each client trains the model on its own data, reducing the overall impact of any single malicious client. 2) Model Update Averaging: The updates from each client are averaged together, further diluting any malicious alterations. Both practical experiments and theoretical analysis support our conclusions. This research not only sheds light on the resilience of FL systems against hidden attacks but also raises important considerations for their future application and development.