RECESS Vaccine for Federated Learning: Proactive Defense Against Model Poisoning Attacks
Haonan Yan, Wenjing Zhang, Qian Chen, Xiaoguang Li, Wenhai Sun, Hui Li, Xiaodong Lin

TL;DR
RECESS is a proactive defense mechanism for federated learning that detects and mitigates model poisoning attacks by querying clients with crafted gradients and using a trust scoring system based on performance over multiple iterations.
Contribution
It introduces a novel proactive approach with a trust scoring mechanism that improves detection accuracy and fault tolerance against poisoning attacks in federated learning.
Findings
RECESS outperforms five classic and two state-of-the-art defenses in accuracy preservation.
It effectively detects malicious clients with higher accuracy than previous methods.
RECESS maintains robustness across various datasets, models, and attack types.
Abstract
Model poisoning attacks greatly jeopardize the application of federated learning (FL). The effectiveness of existing defenses is susceptible to the latest model poisoning attacks, leading to a decrease in prediction accuracy. Besides, these defenses are intractable to distinguish benign outliers from malicious gradients, which further compromises the model generalization. In this work, we propose a novel proactive defense named RECESS against model poisoning attacks. Different from the passive analysis in previous defenses, RECESS proactively queries each participating client with a delicately constructed aggregation gradient, accompanied by the detection of malicious clients according to their responses with higher accuracy. Furthermore, RECESS uses a new trust scoring mechanism to robustly aggregate gradients. Unlike previous methods that score each iteration, RECESS considers…
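As an added illustration (not the authors' code, and not the RECESS scoring rule, which the abstract does not spell out), the following simulation shows the two ideas the abstract contrasts: the server probes each client with a crafted gradient and scores the response, and the resulting trust score carries over rounds rather than being recomputed from scratch each iteration. The probe vector, the cosine-based score, the decay factor and the client behaviour are all constructed assumptions.

```python
import numpy as np

# Added illustration, not the RECESS algorithm: a server probes clients with a
# crafted gradient, scores each response, and keeps a trust score that carries
# over rounds instead of being recomputed from scratch every iteration.

def cosine(a: np.ndarray, b: np.ndarray) -> float:
    return float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b) + 1e-12))

def update_trust(trust: dict, responses: dict, probe: np.ndarray,
                 decay: float = 0.5) -> dict:
    """Assumed scoring rule: a response aligned with the probe scores 1, a
    response pointing away from it scores 0; trust is an exponential average,
    so a client that misbehaved earlier does not regain full weight at once."""
    updated = {}
    for cid, grad in responses.items():
        score = 1.0 if cosine(grad, probe) > 0.0 else 0.0
        updated[cid] = decay * trust.get(cid, 1.0) + (1.0 - decay) * score
    return updated

def aggregate(trust: dict, responses: dict) -> np.ndarray:
    """Trust-weighted average of the client gradients."""
    total = sum(trust[c] for c in responses)
    return sum((trust[c] / total) * g for c, g in responses.items())

def simulate(rounds: int = 3) -> dict:
    """Constructed scenario: c0..c2 respond benignly every round; c3 sends an
    inverted gradient in rounds 1-2 and a benign one in round 3."""
    probe = np.array([1.0, 2.0, -1.0])
    trust = {}
    for r in range(1, rounds + 1):
        responses = {f"c{i}": probe * 1.1 + 0.01 * i for i in range(3)}
        responses["c3"] = probe * 1.1 if r == 3 else -3.0 * probe
        trust = update_trust(trust, responses, probe)
        aggregate(trust, responses)  # aggregation uses the carried-over trust
    return trust

if __name__ == "__main__":
    print(simulate())  # c3 ends at 0.625 even after a benign final round
```

A per-iteration scorer would give c3 full weight in round 3; the carried-over score keeps its weight at 0.625 against 1.0 for the benign clients, which is the fault-tolerance property the abstract attributes to multi-iteration scoring.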
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
