Safeguarding Federated Learning-based Road Condition Classification

TL;DR

This paper investigates the vulnerability of federated learning-based road condition classification systems to label flipping attacks, introduces a metric to quantify risks, and proposes FLARE, a defense mechanism that effectively mitigates such attacks.

Contribution

It reveals the susceptibility of FL-RCC systems to targeted label flipping attacks, introduces a new safety risk metric, and develops FLARE, a neuron-wise analysis-based defense method.

Findings

TLFAs significantly degrade FL-RCC performance.

FLARE effectively reduces attack impact.

The proposed metric accurately quantifies safety risks.

Abstract

Federated Learning (FL) has emerged as a promising solution for privacy-preserving autonomous driving, specifically camera-based Road Condition Classification (RCC) systems, harnessing distributed sensing, computing, and communication resources on board vehicles without sharing sensitive image data. However, the collaborative nature of FL-RCC frameworks introduces new vulnerabilities: Targeted Label Flipping Attacks (TLFAs), in which malicious clients (vehicles) deliberately alter their training data labels to compromise the learned model inference performance. Such attacks can, e.g., cause a vehicle to mis-classify slippery, dangerous road conditions as pristine and exceed recommended speed. However, TLFAs for FL-based RCC systems are largely missing. We address this challenge with a threefold contribution: 1) we disclose the vulnerability of existing FL-RCC systems to TLFAs; 2) we introduce a novel label-distance-based metric to precisely quantify the safety risks posed by TLFAs; and 3) we propose FLARE, a defensive mechanism leveraging neuron-wise analysis of the output layer to mitigate TLFA effects. Extensive experiments across three RCC tasks, four evaluation metrics, six baselines, and three deep learning models demonstrate both the severity of TLFAs on FL-RCC systems and the effectiveness of FLARE in mitigating the attack impact.