An Equivalence Between Data Poisoning and Byzantine Gradient Attacks

Sadegh Farhadkhani, Rachid Guerraoui, Lê Nguyên Hoang, Oscar Villemaud
Proceedings of the 39th International Conference on Machine Learning, PMLR 162:6284-6323, 2022.

Abstract

To study the resilience of distributed learning, the “Byzantine” literature considers a strong threat model where workers can report arbitrary gradients to the parameter server. Whereas this model helped obtain several fundamental results, it has sometimes been considered unrealistic, when the workers are mostly trustworthy machines. In this paper, we show a surprising equivalence between this model and data poisoning, a threat considered much more realistic. More specifically, we prove that every gradient attack can be reduced to data poisoning, in any personalized federated learning system with PAC guarantees (which we show are both desirable and realistic). This equivalence makes it possible to obtain new impossibility results on the resilience of any “robust” learning algorithm to data poisoning in highly heterogeneous applications, as corollaries of existing impossibility theorems on Byzantine machine learning. Moreover, using our equivalence, we derive a practical attack that we show (theoretically and empirically) can be very effective against classical personalized federated learning models.

Cite this Paper


BibTeX
@InProceedings{pmlr-v162-farhadkhani22b,
  title = {An Equivalence Between Data Poisoning and {B}yzantine Gradient Attacks},
  author = {Farhadkhani, Sadegh and Guerraoui, Rachid and Hoang, L{\^e} Nguy{\^e}n and Villemaud, Oscar},
  booktitle = {Proceedings of the 39th International Conference on Machine Learning},
  pages = {6284--6323},
  year = {2022},
  editor = {Chaudhuri, Kamalika and Jegelka, Stefanie and Song, Le and Szepesvari, Csaba and Niu, Gang and Sabato, Sivan},
  volume = {162},
  series = {Proceedings of Machine Learning Research},
  month = {17--23 Jul},
  publisher = {PMLR},
  pdf = {https://proceedings.mlr.press/v162/farhadkhani22b/farhadkhani22b.pdf},
  url = {https://proceedings.mlr.press/v162/farhadkhani22b.html},
  abstract = {To study the resilience of distributed learning, the “Byzantine” literature considers a strong threat model where workers can report arbitrary gradients to the parameter server. Whereas this model helped obtain several fundamental results, it has sometimes been considered unrealistic, when the workers are mostly trustworthy machines. In this paper, we show a surprising equivalence between this model and data poisoning, a threat considered much more realistic. More specifically, we prove that every gradient attack can be reduced to data poisoning, in any personalized federated learning system with PAC guarantees (which we show are both desirable and realistic). This equivalence makes it possible to obtain new impossibility results on the resilience of any “robust” learning algorithm to data poisoning in highly heterogeneous applications, as corollaries of existing impossibility theorems on Byzantine machine learning. Moreover, using our equivalence, we derive a practical attack that we show (theoretically and empirically) can be very effective against classical personalized federated learning models.}
}
Endnote
%0 Conference Paper
%T An Equivalence Between Data Poisoning and Byzantine Gradient Attacks
%A Sadegh Farhadkhani
%A Rachid Guerraoui
%A Lê Nguyên Hoang
%A Oscar Villemaud
%B Proceedings of the 39th International Conference on Machine Learning
%C Proceedings of Machine Learning Research
%D 2022
%E Kamalika Chaudhuri
%E Stefanie Jegelka
%E Le Song
%E Csaba Szepesvari
%E Gang Niu
%E Sivan Sabato
%F pmlr-v162-farhadkhani22b
%I PMLR
%P 6284--6323
%U https://proceedings.mlr.press/v162/farhadkhani22b.html
%V 162
%X To study the resilience of distributed learning, the “Byzantine” literature considers a strong threat model where workers can report arbitrary gradients to the parameter server. Whereas this model helped obtain several fundamental results, it has sometimes been considered unrealistic, when the workers are mostly trustworthy machines. In this paper, we show a surprising equivalence between this model and data poisoning, a threat considered much more realistic. More specifically, we prove that every gradient attack can be reduced to data poisoning, in any personalized federated learning system with PAC guarantees (which we show are both desirable and realistic). This equivalence makes it possible to obtain new impossibility results on the resilience of any “robust” learning algorithm to data poisoning in highly heterogeneous applications, as corollaries of existing impossibility theorems on Byzantine machine learning. Moreover, using our equivalence, we derive a practical attack that we show (theoretically and empirically) can be very effective against classical personalized federated learning models.
APA
Farhadkhani, S., Guerraoui, R., Hoang, L.N. & Villemaud, O. (2022). An Equivalence Between Data Poisoning and Byzantine Gradient Attacks. Proceedings of the 39th International Conference on Machine Learning, in Proceedings of Machine Learning Research 162:6284-6323. Available from https://proceedings.mlr.press/v162/farhadkhani22b.html.
