FLShadow：Byzantine-robust federated aggregation based on a trusted shadow model

doi:10.7523/j.ucas.2024.051

Abstract

Abstract: In federated learning, Byzantine nodes carefully manipulate the model updates of clients. As a result, the central model accuracy decreases or fails to converge after aggregation. The number of communication rounds increases in turn. Without trusted reference gradients, the central model cannot be properly aggregated only based on updates provided by untrustworthy clients. In this paper, we introduce a trusted reference and we regard it as shadow model. To overcome such challenge, we propose a novel Byzantine robust federated aggregation method. The central server collects the shadow dataset in advance and trains a model called shadow model. The central server compares the update direction between the client model and the trusted shadow model. Accordingly, the central server computes malicious score and marks the malicious clients. Then, the central model deletes or prunes the update of the malicious clients. Finally, the central model aggregates the corrected gradients to ensure the convergence and accuracy of the model. The proposed method has been evaluated on a variety of model architectures and real datasets. The results show that the proposed method can effectively defend against six different Byzantine node attacks in three datasets.

Key words: federated learning, byzantine attack, shadow model, shadow dataset, aggregation rule

CLC Number:

TP393

XU Chenchen, WANG Xutong, WANG Taochun, CHEN Fulong, LIU Qixu. FLShadow：Byzantine-robust federated aggregation based on a trusted shadow model[J]. Journal of University of Chinese Academy of Sciences, DOI: 10.7523/j.ucas.2024.051.

References

[1] Qasim R, Bangyal W H, Alqarni M A, et al.A fine-tuned BERT-based transfer learning approach for text classification[J]. Journal of Healthcare Engineering, 2022, 2022:3498123. DOI:10.1155/2022/3498123.
[2] Li Y L.Research and application of deep learning in image recognition[C]//2022 IEEE 2nd International Conference on Power,Electronics and Computer Applications (ICPECA). January 21-23, 2022, Shenyang, China. IEEE, 2022:994-999. DOI:10.1109/ICPECA53709.2022.9718847.
[3] 赵敏钧,赵亚伟,赵雅捷,等.一种新的基于深度学习的重叠关系联合抽取模型[J].中国科学院大学学报,2022,39(2):240-251.DOI:10.7523/j.ucas.2020.0026.
[4] 张萌,潘志刚.基于分层模糊聚类和小波卷积神经网络的SAR图像变化检测算法[J]. 中国科学院大学学报,2023,40(5):637-646.DOI:10.7523/j.ucas.2022.013.
[5] 霍鑫怡,李焱磊,陈龙永,等.基于卷积注意力和胶囊网络的SAR少样本目标识别方法[J].中国科学院大学学报,2022,39(6):783-792.DOI:10.7523/j.ucas.2021.0022.
[6] 朱嘉桐,卿来云,黄庆明.基于双流LSTM与自监督学习的在线动作检测算法[J]. 中国科学院大学学报, 2022,39(6):827-835.DOI:10.7523/j.ucas.2021.0049.
[7] 顾育豪,白跃彬.联邦学习模型安全与隐私研究进展[J].软件学报,2023,34(6):2833-2864.DOI:10.13328/j.cnki.jos.006658.
[8] McMahan H B, Moore E,Ramage D, et al. Communication-efficient learning of deep networks from decentralized data[EB/OL]. ArXiv Preprint, arXiv:1602.05629. (2023-01-26) [2023-12-10]. https://arxiv.org/abs/1602.05629.
[9] Che C J, Li X L, Chen C, et al.A decentralized federated learning framework via committee mechanism with convergence guarantee[J]. IEEE Transactions on Parallel and Distributed Systems, 2022, 33(12): 4783-4800. DOI: 10.1109/TPDS.2022.3202887.
[10] Karras A, Karras C, Giotopoulos K C, et al.Peer to peer federated learning: Towards decentralized machine learning on edge devices[C]//2022 7th South-East Europe Design Automation,Computer Engineering, Computer Networks and Social Media Conference (SEEDA-CECNSM). September 23-25, 2022, Ioannina, Greece. IEEE, 2022: 1-9.DOI: 10.1109/SEEDA-CECNSM57760.2022.9932980.
[11] Nasr M, Shokri R, Houmansadr A.Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning[C]//2019 IEEE Symposium on Security and Privacy (SP). May 19-23, 2019, San Francisco, CA, USA. IEEE, 2019:739—753. DOI:10.1109/SP.2019.00065.
[12] Garov K, Dimitrov D I, Jovanović N, et al. Hiding in plain sight: Disguising data stealing attacks in federated learning[EB/OL]. ArXiv Preprint, arXiv:2306.03013.(2023-6-25)[2023-08-25]. https://arxiv.org/abs/2306.03013.
[13] Bhagoji A N, Chakraborty S, Mittal P, et al. Analyzing federated learning through an adversarial lens[EB/OL]. ArXiv Preprint, arXiv:1811.12470. (2019-11-25)[2023-12-10]. https://arxiv.org/abs/1811.12470.
[14] Chen J Y, Huang G H, Zheng H B, et al.Graph-fraudster: Adversarial attacks on graph neural network-based vertical federated learning[J]. IEEE Transactions on Computational Social Systems, 2023, 10(2): 492-506. DOI: 10.1109/TCSS.2022.3161016.
[15] Tolpegin V, Truex S, Gursoy M E, et al.Data poisoning attacks against federated learning systems[C]//25th European Symposium on Research in Computer Security (ESORICS). September 14-18, 2020, Guildford, UK. Springer, 2020: 480-501. DOI: 10.1007/978-3-030-58951-6_24.
[16] Fang M H, Cao X Y, Jia J Y, et al. Local model poisoning attacks to byzantine-robust federated learning. [EB/OL]. ArXiv Preprint, arXiv:1911.11815. (2021-11-21)[2023-12-10].https://arxiv.org/abs/1911.11815.pdf.
[17] Xiao X, Tang Z, Li C Y, et al.SCA:Sybil-based collusion attacks of IIoT data poisoning in federated learning[J]. IEEE Transactions on Industrial Informatics, 2023, 19(3): 2608-2618. DOI:10.1109/TII.2022.3172310.
[18] Hidano S, Murakami T, Kawamoto Y.TransMIA: Membership inference attacks using transfer shadow training[C]//2021 International Joint Conference on Neural Networks (IJCNN). July 18-22, 2021, Shenzhen, China. IEEE, 2021:1-10. DOI:10.1109/IJCNN52387.2021.9534207.
[19] Tan J X, Zhong N, Qian Z X, et al.Deep neural network watermarking against model extraction attack[C]//Proceedings of the 31st ACM International Conference on Multimedia (ACM MM). October 29, 2023, Ottawa, Canada. ACM, 2023: 1588-1597. DOI: 10.1145/3581783.3612515.
[20] Blanchard P, Mhamdi E M E, Guerraoui R, et al. Machine learning with adversaries: Byzantine tolerant gradient descent[C]// Advances in Neural Information Processing Systems (NeurIPS). December 4-9, 2017, Long Beach, USA. MIT Press, 2017:118-128. DOI:10.5555/3294771.3294783
[21] Yin D, Chen Y D, Ramchandran K, et al. Byzantine-robust distributed learning: Towards optimal statistical rates[EB/OL]. ArXiv Preprint, arXiv:1803.01498. (2021-2-25) [2023-12-10]. https://arxiv.org/abs/1803.01498.pdf.
[22] Cao X Y, Fang M H, Liu J, et al.FLTrust: Byzantine-robust federated learning via trust bootstrapping[C]//28th Annual Network and Distributed System Security Symposium (NDSS). February 21-25, 2021, virtually. ISOC, 2021.DOI:10.14722/ndss.2021.24434.
[23] 高莹,陈晓峰,张一余,等.联邦学习系统攻击与防御技术研究综述[J].计算机学报,2023,46(9):1781-1805. DOI:10.11897/SP.J.1016.2023.01781.
[24] Li Y Z, Li Y M, Wu B Y, et al.Invisible backdoor attack with sample-specific triggers[C]//2021 IEEE/CVF International Conference on Computer Vision (ICCV). October 10-17, 2021, Montreal, QC, Canada. IEEE, 2021: 16443-16452. DOI:10.1109/ICCV48922.2021.01615.
[25] Zhou X C, Xu M, Wu Y M, et al.Deep model poisoning attack on federated learning[J]. Future Internet, 2021, 13(3): 73. DOI: 10.3390/fi13030073.
[26] Bagdasaryan E, Veit A, Hua Y Q, et al. How to backdoor federated learning[EB/OL].ArXiv Preprint,arxiv:1807.00459.(2019-08-06) [2023-12-10]. http://arxiv.org/abs/1807.00459.pdf.
[27] Cao X Y, Gong N Z.MPAF: Model poisoning attacks to federated learning based on fake clients[C]//2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW). June 19-20, 2022, New Orleans, LA, USA. IEEE, 2022: 3395-3403. DOI: 10.1109/CVPRW56347.2022.00383.
[28] Qayyum A, Janjua M U, Qadir J.Making federated learning robust to adversarial attacks by learning data and model association[J]. Computers & Security, 2022, 121: 102827. DOI: 10.1016/j.cose.2022.102827.
[29] Cao X Y, Zhang Z X, Jia J Y, et al.FLCert: Provably secure federated learning against poisoning attacks[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 3691-3705. DOI: 10.1109/TIFS.2022.3212174.
[30] Guo S W, Zhang T W, Yu H, et al.Byzantine-resilient decentralized stochastic gradient descent[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2022, 32(6): 4096-4106. DOI: 10.1109/TCSVT.2021.3116976.
[31] Pillutla K, Kakade S M, Harchaoui Z.Robust aggregation for federated learning[J]. IEEE Transactions on Signal Processing, 2022, 70: 1142-1154. DOI: 10.1109/TSP.2022.3153135.
[32] Kieu T, Yang B, Guo C J, et al.Anomaly detection in time series with robust variational quasi-recurrent autoencoders[C]//2022 IEEE 38th International Conference on Data Engineering (ICDE). May 9-12, 2022, Kuala Lumpur, Malaysia. IEEE, 2022: 1342-1354. DOI: 10.1109/ICDE53745.2022.00105.
[33] Zhang Z, Zhang Y, Guo D, et al.SecFedNIDS: Robust defense for poisoning attack against federated learning-based network intrusion detection system[J]. Future Generation Computer Systems, 2022, 134: 154-169. DOI: 10.1016/j.future.2022.04.010.
[34] Wang X X, Zhang H Q, Bilal A, et al.WGM-dSAGA: Federated learning strategies with Byzantine robustness based on weighted geometric Median[J]. Electronics, 2023, 12(5): 1190. DOI: 10.3390/electronics12051190.
[35] Li X Y, Qu Z, Zhao S Q, et al.LoMar: A local defense against poisoning attack on federated learning[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(1): 437-450. DOI: 10.1109/TDSC.2021.3135422.
[36] Sharma A, Chen W, Zhao J, et al. TESSERACT: Gradient flip score to secure federated learning against model poisoning attacks[EB/OL]. ArXiv Preprint, arXiv:2110.10108. (2021-10-19) [2023-12-10]. https://arxiv.org/abs/2110.10108.pdf.