A Practical and Secure Byzantine Robust Aggregator
De Zhang Lee, Aashish Kolluri, Prateek Saxena, Ee-Chien Chang

TL;DR
This paper introduces a practical, fast Byzantine robust aggregator for high-dimensional vectors that effectively defends against data poisoning attacks without prior distribution knowledge.
Contribution
It presents the first quasi-linear time robust aggregator with near-optimal bias bounds, suitable for direct use in neural network training.
Findings
Runs in quasi-linear time, scalable to large inputs.
Effectively nullifies 10 different ML poisoning attacks.
Does not require distribution knowledge or pre-computed thresholds.
Abstract
In machine learning security, one is often faced with the problem of removing outliers from a given set of high-dimensional vectors when computing their average. For example, many variants of data poisoning attacks produce gradient vectors during training that are outliers in the distribution of clean gradients, which bias the computed average used to derive the ML model. Filtering them out before averaging serves as a generic defense strategy. Byzantine robust aggregation is an algorithmic primitive which computes a robust average of vectors, in the presence of an fraction of vectors which may have been arbitrarily and adaptively corrupted, such that the resulting bias in the final average is provably bounded. In this paper, we give the first robust aggregator that runs in quasi-linear time in the size of input vectors and provably has near-optimal bias bounds. Our…
Taxonomy
Topics: Cryptography and Data Security
