Precision Guided Approach to Mitigate Data Poisoning Attacks in Federated Learning

TL;DR

This paper introduces FedZZ, a novel federated learning defense mechanism that uses zone-based updates and precision-guided client clustering to effectively detect and mitigate data poisoning attacks, improving robustness and accuracy.

Contribution

FedZZ is a new approach combining zone-based deviating updates and client clustering to counter data poisoning in federated learning, outperforming existing methods.

Findings

FedZZ effectively mitigates data poisoning attacks on CIFAR10 and EMNIST datasets.

FedZZ outperforms state-of-the-art defenses in accuracy under attack scenarios.

FedZZ maintains higher accuracy even with 50% malicious clients, achieving 67.43%.

Abstract

Federated Learning (FL) is a collaborative learning paradigm enabling participants to collectively train a shared machine learning model while preserving the privacy of their sensitive data. Nevertheless, the inherent decentralized and data-opaque characteristics of FL render its susceptibility to data poisoning attacks. These attacks introduce malformed or malicious inputs during local model training, subsequently influencing the global model and resulting in erroneous predictions. Current FL defense strategies against data poisoning attacks either involve a trade-off between accuracy and robustness or necessitate the presence of a uniformly distributed root dataset at the server. To overcome these limitations, we present FedZZ, which harnesses a zone-based deviating update (ZBDU) mechanism to effectively counter data poisoning attacks in FL. Further, we introduce a precision-guided methodology that actively characterizes these client clusters (zones), which in turn aids in recognizing and discarding malicious updates at the server. Our evaluation of FedZZ across two widely recognized datasets: CIFAR10 and EMNIST, demonstrate its efficacy in mitigating data poisoning attacks, surpassing the performance of prevailing state-of-the-art methodologies in both single and multi-client attack scenarios and varying attack volumes. Notably, FedZZ also functions as a robust client selection strategy, even in highly non-IID and attack-free scenarios. Moreover, in the face of escalating poisoning rates, the model accuracy attained by FedZZ displays superior resilience compared to existing techniques. For instance, when confronted with a 50% presence of malicious clients, FedZZ sustains an accuracy of 67.43%, while the accuracy of the second-best solution, FL-Defender, diminishes to 43.36%.