A Learning-Based Attack Framework to Break SOTA Poisoning Defenses in Federated Learning

TL;DR

This paper presents an optimization-based attack framework that successfully bypasses state-of-the-art poisoning defenses in federated learning, revealing vulnerabilities in recent robust aggregation methods.

Contribution

It introduces a novel attack framework that exploits the limitations of recent robust aggregation defenses in federated learning.

Findings

The attack can break multiple robust AGRs across datasets.

Breaking defenses reduces to bypassing clipping or filtering strategies.

Extensive experiments confirm the attack's effectiveness.

Abstract

Federated Learning (FL) is a novel client-server distributed learning framework that can protect data privacy. However, recent works show that FL is vulnerable to poisoning attacks. Many defenses with robust aggregators (AGRs) are proposed to mitigate the issue, but they are all broken by advanced attacks. Very recently, some renewed robust AGRs are designed, typically with novel clipping or/and filtering strate-gies, and they show promising defense performance against the advanced poisoning attacks. In this paper, we show that these novel robust AGRs are also vulnerable to carefully designed poisoning attacks. Specifically, we observe that breaking these robust AGRs reduces to bypassing the clipping or/and filtering of malicious clients, and propose an optimization-based attack framework to leverage this observation. Under the framework, we then design the customized attack against each robust AGR. Extensive experiments on multiple datasets and threat models verify our proposed optimization-based attack can break the SOTA AGRs. We hence call for novel defenses against poisoning attacks to FL. Code is available at: https://github.com/Yuxin104/ BreakSTOAPoisoningDefenses.