Tracing Back the Malicious Clients in Poisoning Attacks to Federated Learning
Yuqi Jia, Minghong Fang, Hongbin Liu, Jinghuai Zhang, Neil Zhenqiang Gong

TL;DR
This paper introduces FLForensics, a novel method to identify malicious clients in federated learning poisoning attacks, especially effective when traditional defenses fail, supported by theoretical guarantees and empirical validation.
Contribution
FLForensics is the first forensic approach for federated learning that traces malicious clients post-attack, complementing existing defenses and handling adaptive attack strategies.
Findings
FLForensics accurately distinguishes malicious clients under formal attack definitions.
The method effectively traces back attacks on five benchmark datasets.
It enhances security when training-phase defenses are insufficient.
Abstract
Poisoning attacks compromise the training phase of federated learning (FL) such that the learned global model misclassifies attacker-chosen inputs called target inputs. Existing defenses mainly focus on protecting the training phase of FL such that the learnt global model is poison free. However, these defenses often achieve limited effectiveness when the clients' local training data is highly non-iid or the number of malicious clients is large, as confirmed in our experiments. In this work, we propose FLForensics, the first poison-forensics method for FL. FLForensics complements existing training-phase defenses. In particular, when training-phase defenses fail and a poisoned global model is deployed, FLForensics aims to trace back the malicious clients that performed the poisoning attack after a misclassified target input is identified. We theoretically show that FLForensics can…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
Methods: Focus
