FedLAD: A Linear Algebra Based Data Poisoning Defence for Federated Learning

TL;DR

FedLAD introduces a linear algebra-based method to detect and defend against targeted data poisoning in federated learning, effectively identifying malicious nodes even when they dominate the network.

Contribution

The paper presents FedLAD, a novel linear algebra approach that outperforms existing defenses in detecting data poisoning attacks in federated learning.

Findings

FedLAD maintains low attack success rates across malicious node ratios from 0.2 to 0.8.

It preserves high model accuracy when malicious nodes are between 0.2 and 0.5.

Experimental results show FedLAD outperforms five established defense methods.

Abstract

Sybil attacks pose a significant threat to federated learning, as malicious nodes can collaborate and gain a majority, thereby overwhelming the system. Therefore, it is essential to develop countermeasures that ensure the security of federated learning environments. We present a novel defence method against targeted data poisoning, which is one of the types of Sybil attacks, called Linear Algebra-based Detection (FedLAD). Unlike existing approaches, such as clustering and robust training, which struggle in situations where malicious nodes dominate, FedLAD models the federated learning aggregation process as a linear problem, transforming it into a linear algebra optimisation challenge. This method identifies potential attacks by extracting the independent linear combinations from the original linear combinations, effectively filtering out redundant and malicious elements. Extensive experimental evaluations demonstrate the effectiveness of FedLAD compared to five well-established defence methods: Sherpa, CONTRA, Median, Trimmed Mean, and Krum. Using tasks from both image classification and natural language processing, our experiments confirm that FedLAD is robust and not dependent on specific application settings. The results indicate that FedLAD effectively protects federated learning systems across a broad spectrum of malicious node ratios. Compared to baseline defence methods, FedLAD maintains a low attack success rate for malicious nodes when their ratio ranges from 0.2 to 0.8. Additionally, it preserves high model accuracy when the malicious node ratio is between 0.2 and 0.5. These findings underscore FedLAD's potential to enhance both the reliability and performance of federated learning systems in the face of data poisoning attacks.