FLTracer: Accurate Poisoning Attack Provenance in Federated Learning

TL;DR

FLTracer is a novel framework that accurately detects and traces poisoning attacks in federated learning, effectively handling data heterogeneity and outperforming existing methods in true positive and false positive rates.

Contribution

The paper introduces FLTracer, the first attack provenance framework for federated learning that uses Kalman filter-based detection and novel features to improve attack detection accuracy.

Findings

Achieves over 96.88% true positive rate

Maintains false positive rate below 2.67%

Outperforms state-of-the-art detection methods

Abstract

Federated Learning (FL) is a promising distributed learning approach that enables multiple clients to collaboratively train a shared global model. However, recent studies show that FL is vulnerable to various poisoning attacks, which can degrade the performance of global models or introduce backdoors into them. In this paper, we first conduct a comprehensive study on prior FL attacks and detection methods. The results show that all existing detection methods are only effective against limited and specific attacks. Most detection methods suffer from high false positives, which lead to significant performance degradation, especially in not independent and identically distributed (non-IID) settings. To address these issues, we propose FLTracer, the first FL attack provenance framework to accurately detect various attacks and trace the attack time, objective, type, and poisoned location of updates. Different from existing methodologies that rely solely on cross-client anomaly detection, we propose a Kalman filter-based cross-round detection to identify adversaries by seeking the behavior changes before and after the attack. Thus, this makes it resilient to data heterogeneity and is effective even in non-IID settings. To further improve the accuracy of our detection method, we employ four novel features and capture their anomalies with the joint decisions. Extensive evaluations show that FLTracer achieves an average true positive rate of over $96.88\%$ at an average false positive rate of less than $2.67\%$, significantly outperforming SOTA detection methods. \footnote{Code is available at \url{https://github.com/Eyr3/FLTracer}.}