Poisoning Attacks and Defenses to Federated Unlearning

TL;DR

This paper introduces BadUnlearn, a novel poisoning attack on federated unlearning, and proposes UnlearnGuard, a robust framework that defends against such attacks, ensuring secure and accurate model unlearning.

Contribution

It presents the first poisoning attack targeting federated unlearning and a provably robust defense framework, bridging security gaps in existing unlearning methods.

Findings

BadUnlearn effectively poisons existing federated unlearning methods.

UnlearnGuard is provably robust against poisoning attacks.

Empirical results confirm UnlearnGuard's security and effectiveness.

Abstract

Federated learning allows multiple clients to collaboratively train a global model with the assistance of a server. However, its distributed nature makes it susceptible to poisoning attacks, where malicious clients can compromise the global model by sending harmful local model updates to the server. To unlearn an accurate global model from a poisoned one after identifying malicious clients, federated unlearning has been introduced. Yet, current research on federated unlearning has primarily concentrated on its effectiveness and efficiency, overlooking the security challenges it presents. In this work, we bridge the gap via proposing BadUnlearn, the first poisoning attacks targeting federated unlearning. In BadUnlearn, malicious clients send specifically designed local model updates to the server during the unlearning process, aiming to ensure that the resulting unlearned model remains poisoned. To mitigate these threats, we propose UnlearnGuard, a robust federated unlearning framework that is provably robust against both existing poisoning attacks and our BadUnlearn. The core concept of UnlearnGuard is for the server to estimate the clients' local model updates during the unlearning process and employ a filtering strategy to verify the accuracy of these estimations. Theoretically, we prove that the model unlearned through UnlearnGuard closely resembles one obtained by train-from-scratch. Empirically, we show that BadUnlearn can effectively corrupt existing federated unlearning methods, while UnlearnGuard remains secure against poisoning attacks.