Exploit Gradient Skewness to Circumvent Byzantine Defenses for Federated Learning
Yuchen Liu, Chen Chen, Lingjuan Lyu, Yaochu Jin, Gang Chen

TL;DR
This paper reveals a gradient skewness phenomenon in federated learning that undermines Byzantine defenses, and introduces a new attack method, STRIKE, which effectively bypasses existing defenses by exploiting this skewness.
Contribution
The paper uncovers the gradient skewness phenomenon in federated learning and proposes STRIKE, a novel attack that exploits this skewness to bypass Byzantine defenses.
Findings
STRIKE effectively bypasses existing Byzantine defenses.
Gradient skewness causes honest gradients to appear suspicious.
Experiments validate the attack's success on benchmark datasets.
Abstract
Federated Learning (FL) is notorious for its vulnerability to Byzantine attacks. Most current Byzantine defenses share a common inductive bias: among all the gradients, the densely distributed ones are more likely to be honest. However, such a bias is a poison to Byzantine robustness due to a newly discovered phenomenon in this paper - gradient skew. We discover that a group of densely distributed honest gradients skew away from the optimal gradient (the average of honest gradients) due to heterogeneous data. This gradient skew phenomenon allows Byzantine gradients to hide within the densely distributed skewed gradients. As a result, Byzantine defenses are confused into believing that Byzantine gradients are honest. Motivated by this observation, we propose a novel skew-aware attack called STRIKE: first, we search for the skewed gradients; then, we construct Byzantine gradients within…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Stochastic Gradient Optimization Techniques · Cryptography and Data Security
