FedGuard: A Diverse-Byzantine-Robust Mechanism for Federated Learning with Major Malicious Clients

TL;DR

FedGuard is a novel federated learning mechanism that effectively detects and mitigates Byzantine attacks, especially in highly non-IID settings with a majority of malicious clients, by leveraging model bias sensitivity.

Contribution

FedGuard introduces a new approach using membership inference to identify poisoned models, enhancing robustness against diverse Byzantine attacks in federated learning.

Findings

Outperforms existing schemes under 90% Byzantine clients.

Effective against seven different Byzantine attack types.

Maintains accuracy in highly non-IID datasets.

Abstract

Federated learning is a distributed training framework vulnerable to Byzantine attacks, particularly when over 50% of clients are malicious or when datasets are highly non-independent and identically distributed (non-IID). Additionally, most existing defense mechanisms are designed for specific attack types (e.g., gradient similarity-based schemes can only defend against outlier model poisoning), limiting their effectiveness. In response, we propose FedGuard, a novel federated learning mechanism. FedGuard cleverly addresses the aforementioned issues by leveraging the high sensitivity of membership inference to model bias. By requiring clients to include an additional mini-batch of server-specified data in their training, FedGuard can identify and exclude poisoned models, as their confidence in the mini-batch will drop significantly. Our comprehensive evaluation unequivocally shows that, under three highly non-IID datasets, with 90% of clients being Byzantine and seven different types of Byzantine attacks occurring in each round, FedGuard significantly outperforms existing robust federated learning schemes in mitigating various types of Byzantine attacks.