Certifiably Byzantine-Robust Federated Conformal Prediction
Mintong Kang, Zhen Lin, Jimeng Sun, Cao Xiao, Bo Li

TL;DR
This paper introduces Rob-FCP, a robust federated conformal prediction framework that maintains statistical coverage guarantees even with malicious clients, validated through theoretical analysis and experiments on healthcare datasets.
Contribution
The paper proposes Rob-FCP, a novel method for Byzantine-robust federated conformal prediction with theoretical coverage guarantees and a malicious client estimator.
Findings
Rob-FCP maintains coverage under Byzantine attacks.
The malicious client estimator effectively detects malicious clients.
Empirical results show robustness across datasets and attack types.
Abstract
Conformal prediction has shown impressive capacity in constructing statistically rigorous prediction sets for machine learning models with exchangeable data samples. The siloed datasets, coupled with the escalating privacy concerns related to local data sharing, have inspired recent innovations extending conformal prediction into federated environments with distributed data samples. However, this framework for distributed uncertainty quantification is susceptible to Byzantine failures. A minor subset of malicious clients can significantly compromise the practicality of coverage guarantees. To address this vulnerability, we introduce a novel framework Rob-FCP, which executes robust federated conformal prediction, effectively countering malicious clients capable of reporting arbitrary statistics with the conformal calibration process. We theoretically provide the conformal coverage bound…
Peer Reviews
Decision: ICML 2024 Poster
The paper is overall easy to follow; and robust prediction intervals against malicious clients are an important question.
It seems to me that the assumptions considered seem over-simplified and may lead to less robustness and under-coverage of difficult cases when violated: the entire paper is based on the assumption that benign clients have similar conformity score distributions, in both IID settings (identical) and non-IID settings (close), and a client whose conformity score is far from its K_b "neighbors" is claimed malicious. However, in practice, benign clients can have data with different local characteris
1. This is a very interesting problem for the conformal prediction community.
2. The paper treats both the iid setting and the non-iid setting.
3. The paper is well-written, clear, and easy to follow.
4. The experience shows that the method performs well in this federated learning setting with malicious agents.
1. A major weakness is that to calculate the vector distance $d_{k_1, k_2}$ in step 8 of the algorithm ("Algorithm 1 Identifying the malicious client"), we need to send all the vectors $v^{(k)}$ to the server. It seems to me that this step is very problematic in a federated learning context.
2. Another important weakness is that the bounds of Theorem 1 and Corollary 1 are in $1/(\min n_i)$. Therefore, if a non-malicious agent has only one data point, the bound does not improve, even if the othe
- The idea to identify the malicious agents' behavior via their deviation from the non-malicious agents in terms of the non-conformal score distribution seems novel.
- Their algorithm seems to perform quite well in their experiments.
- The main reason why the algorithm in the paper works seems to be due to the homogeneity of the non-malicious agents. Even in the experiments, the clients are partitioned randomly and hence their distributions will be pretty similar. However, as discussed even in the intro of the paper, there can be many settings where there is quite a bit of heterogeneity among the agents not due to their Byzantine and malicious behaviors but the underlying distributions are just inherently different. In fact,
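The neighbor-distance filtering that the reviews above describe, as an added sketch that is not the authors' code: each client sends a vector $v^{(k)}$ to the server, clients far from their nearest peers are dropped, and the calibration threshold is computed from the rest. Assumptions of this sketch: $v^{(k)}$ is a 10-bin histogram of scores in [0, 1], the distance is Euclidean, the score is the mean distance to the K_b - 1 nearest peers, the number of benign clients K_b is known, and all data is constructed.

```python
import math

BINS = 10

def histogram(scores, bins=BINS):
    """Characterization vector v^(k): normalized histogram of scores in [0, 1]."""
    counts = [0] * bins
    for s in scores:
        counts[min(int(s * bins), bins - 1)] += 1
    return [c / len(scores) for c in counts]

def select_benign(vectors, k_b):
    """Keep the k_b clients with the smallest mean distance to their k_b - 1 nearest peers."""
    malice = []
    for i, v in enumerate(vectors):
        d = sorted(math.dist(v, w) for j, w in enumerate(vectors) if j != i)
        malice.append(sum(d[:k_b - 1]) / (k_b - 1))
    ranked = sorted(range(len(vectors)), key=malice.__getitem__)
    return sorted(ranked[:k_b])

def conformal_quantile(vectors, sizes, alpha, bins=BINS):
    """Upper edge of the first bin where the pooled CDF reaches ceil((n+1)(1-alpha))/n."""
    n = sum(sizes)
    level = min(1.0, math.ceil((n + 1) * (1 - alpha)) / n)
    cdf = 0.0
    for b in range(bins):
        cdf += sum(v[b] * m for v, m in zip(vectors, sizes)) / n
        if cdf >= level:
            return (b + 1) / bins
    return 1.0

def demo(alpha=0.15, n_k=200):
    # Constructed data: 8 benign clients with close (non-IID) score distributions.
    benign = [histogram([((i + 0.5) / n_k) ** (1 + 0.02 * k) for i in range(n_k)])
              for k in range(8)]
    # Constructed Byzantine reports: all mass in the lowest bin, which drags the
    # threshold down and shrinks prediction sets below the target coverage.
    malicious = [[1.0] + [0.0] * (BINS - 1) for _ in range(3)]
    reports, sizes = benign + malicious, [n_k] * 11
    kept = select_benign(reports, k_b=8)
    naive = conformal_quantile(reports, sizes, alpha)
    robust = conformal_quantile([reports[i] for i in kept], [sizes[i] for i in kept], alpha)
    return kept, naive, robust

if __name__ == "__main__":
    print(demo())
```

The filter relies on benign histograms being closer to each other than to the Byzantine reports, which is the homogeneity assumption the reviews question.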
Taxonomy
Topics: Statistical Methods and Inference · Bayesian Modeling and Causal Inference
