Author (as appears in the article): Jebreel, Najeeb Moharram; Domingo-Ferrer, Josep
Department: Enginyeria Informàtica i Matemàtiques
URV's Author/s: Domingo Ferrer, Josep
Keywords: Targeted poisoning attacks; Security and robustness; Label-flipping attacks; Federated learning; Backdoor attacks
Abstract: Federated learning (FL) enables learning a global machine learning model from data distributed among a set of participating workers. This makes it possible (i) to train more accurate models due to learning from rich, joint training data and (ii) to improve privacy by not sharing the workers’ local private data with others. However, the distributed nature of FL makes it vulnerable to targeted poisoning attacks that negatively impact the integrity of the learned model while, unfortunately, being difficult to detect. Existing defenses against those attacks are limited by assumptions on the workers’ data distribution and/or are ill-suited to high-dimensional models. In this paper, we analyze targeted attacks against FL, specifically label-flipping and backdoor attacks, and find that the neurons in the last layer of a deep learning (DL) model that are related to these attacks exhibit a different behavior from the unrelated neurons. This makes the last-layer gradients valuable features for attack detection. Accordingly, we propose FL-Defender to combat FL targeted attacks. It consists of (i) engineering robust discriminative features by calculating the worker-wise angle similarity of the workers’ last-layer gradients, (ii) compressing the resulting similarity vectors using PCA to reduce redundant information, and (iii) re-weighting the workers’ updates based on their deviation from the centroid of the compressed similarity vectors. Experiments on three data sets show the effectiveness of our method in defending against label-flipping and backdoor attacks. Compared to several state-of-the-art defenses, FL-Defender achieves the lowest attack success rates while maintaining the main task accuracy.
Thematic Areas: Software; Mathematics / probability and statistics; Management information systems; Interdisciplinary; Information systems and management; Information and documentation; Engineering IV; Engineering III; Economics; Computer science, artificial intelligence; Social sciences; Biological sciences I; Computer science; Astronomy / physics; Artificial intelligence; Public and business administration, accounting sciences and tourism
Licence for use: https://creativecommons.org/licenses/by/3.0/es/
Author's email: josep.domingo@urv.cat
Author identifier: 0000-0001-7213-4962
Record's date: 2024-10-12
Paper version: info:eu-repo/semantics/acceptedVersion
Paper original source: Knowledge-Based Systems, 260, 110178
APA: Jebreel, Najeeb Moharram; Domingo-Ferrer, Josep (2023). FL-Defender: Combating targeted attacks in federated learning. Knowledge-Based Systems, 260, 110178. DOI: 10.1016/j.knosys.2022.110178
Licence document URL: https://repositori.urv.cat/ca/proteccio-de-dades/
Entity: Universitat Rovira i Virgili
Journal publication year: 2023
Publication Type: Journal Publications