FedREDefense: Defending against Model Poisoning Attacks for Federated Learning using Model Update Reconstruction Error

Yueqi Xie, Minghong Fang, Neil Zhenqiang Gong
Proceedings of the 41st International Conference on Machine Learning, PMLR 235:54460-54474, 2024.

Abstract

Federated Learning (FL) faces threats from model poisoning attacks. Existing defenses, typically relying on cross-client/global information to mitigate these attacks, fall short when faced with non-IID data distributions and/or a large number of malicious clients. To address these challenges, we present FedREDefense. Unlike existing methods, it does not hinge on similar distributions across clients or a predominant presence of benign clients. Instead, it assesses the likelihood that a client’s model update is a product of genuine training, solely based on the characteristics of the model update itself. Our key finding is that model updates stemming from genuine training can be approximately reconstructed with some distilled local knowledge, while those from deliberately handcrafted model poisoning attacks cannot. Drawing on this distinction, FedREDefense identifies and filters out malicious clients based on the discrepancies in their model update Reconstruction Errors. Empirical tests on three benchmark datasets confirm that FedREDefense successfully filters model poisoning attacks in FL—even in scenarios with high non-IID degrees and large numbers of malicious clients.
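
To make the abstract's key idea concrete, below is a minimal, illustrative sketch in Python/PyTorch (not the authors' implementation): each client's submitted update is reconstructed by optimizing a small set of synthetic "distilled" examples so that a few unrolled gradient-descent steps from the global model reproduce the update, and clients whose reconstruction error is an outlier are flagged. The toy softmax-regression model, the synthetic-example count, and the median + 3*MAD outlier rule are assumptions made for this sketch; the paper's exact distillation and scoring procedures may differ.

# Illustrative sketch of the reconstruction-error idea (assumptions noted above).
import torch
import torch.nn.functional as F

torch.manual_seed(0)
d, c = 20, 5                      # feature and class dimensions
inner_lr, inner_steps = 0.5, 5    # local-training hyperparameters
n_syn = 10                        # synthetic ("distilled") examples per client


def unrolled_update(w0, x, y, lr=inner_lr, steps=inner_steps, create_graph=False):
    """Model update produced by `steps` gradient-descent steps starting from w0."""
    w = w0.detach().clone().requires_grad_(True)
    start = w
    for _ in range(steps):
        loss = F.cross_entropy(x @ w, y)
        (g,) = torch.autograd.grad(loss, w, create_graph=create_graph)
        w = w - lr * g
    return w - start


def reconstruction_error(update, w0, outer_iters=200):
    """Fit synthetic data so that local training from w0 reproduces `update`;
    return the final relative reconstruction error."""
    x_syn = torch.randn(n_syn, d, requires_grad=True)
    y_logits = torch.zeros(n_syn, c, requires_grad=True)      # learnable soft labels
    opt = torch.optim.Adam([x_syn, y_logits], lr=0.05)
    for _ in range(outer_iters):
        opt.zero_grad()
        rec = unrolled_update(w0, x_syn, torch.softmax(y_logits, dim=1),
                              create_graph=True)
        err = torch.norm(rec - update) / torch.norm(update)
        err.backward()
        opt.step()
    return err.item()


# Toy demo: genuine updates are reconstructable, handcrafted ones are not.
w_global = torch.randn(d, c)

benign_updates = []                # updates from genuine local training
for _ in range(8):
    x = torch.randn(50, d)
    y = torch.randint(0, c, (50,))
    benign_updates.append(unrolled_update(w_global, x, y).detach())

# Handcrafted "poisoned" updates: random directions scaled to a benign norm.
scale = benign_updates[0].norm() / (d * c) ** 0.5
malicious_updates = [torch.randn(d, c) * scale for _ in range(2)]

errors = torch.tensor([reconstruction_error(u, w_global)
                       for u in benign_updates + malicious_updates])

# Flag clients whose reconstruction error is an outlier (median + 3*MAD rule).
med = errors.median()
mad = (errors - med).abs().median()
flagged = (errors - med) > 3 * mad + 1e-12
print("reconstruction errors:", [round(e, 3) for e in errors.tolist()])
print("flagged as malicious: ", flagged.tolist())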

Cite this Paper


BibTeX
@InProceedings{pmlr-v235-xie24c,
  title     = {{F}ed{RED}efense: Defending against Model Poisoning Attacks for Federated Learning using Model Update Reconstruction Error},
  author    = {Xie, Yueqi and Fang, Minghong and Gong, Neil Zhenqiang},
  booktitle = {Proceedings of the 41st International Conference on Machine Learning},
  pages     = {54460--54474},
  year      = {2024},
  editor    = {Salakhutdinov, Ruslan and Kolter, Zico and Heller, Katherine and Weller, Adrian and Oliver, Nuria and Scarlett, Jonathan and Berkenkamp, Felix},
  volume    = {235},
  series    = {Proceedings of Machine Learning Research},
  month     = {21--27 Jul},
  publisher = {PMLR},
  pdf       = {https://raw.githubusercontent.com/mlresearch/v235/main/assets/xie24c/xie24c.pdf},
  url       = {https://proceedings.mlr.press/v235/xie24c.html},
  abstract  = {Federated Learning (FL) faces threats from model poisoning attacks. Existing defenses, typically relying on cross-client/global information to mitigate these attacks, fall short when faced with non-IID data distributions and/or a large number of malicious clients. To address these challenges, we present FedREDefense. Unlike existing methods, it doesn’t hinge on similar distributions across clients or a predominant presence of benign clients. Instead, it assesses the likelihood that a client’s model update is a product of genuine training, solely based on the characteristics of the model update itself. Our key finding is that model updates stemming from genuine training can be approximately reconstructed with some distilled local knowledge, while those from deliberate handcrafted model poisoning attacks cannot. Drawing on this distinction, FedREDefense identifies and filters out malicious clients based on the discrepancies in their model update Reconstruction Errors. Empirical tests on three benchmark datasets confirm that FedREDefense successfully filters model poisoning attacks in FL—even in scenarios with high non-IID degrees and large numbers of malicious clients.}
}
Endnote
%0 Conference Paper
%T FedREDefense: Defending against Model Poisoning Attacks for Federated Learning using Model Update Reconstruction Error
%A Yueqi Xie
%A Minghong Fang
%A Neil Zhenqiang Gong
%B Proceedings of the 41st International Conference on Machine Learning
%C Proceedings of Machine Learning Research
%D 2024
%E Ruslan Salakhutdinov
%E Zico Kolter
%E Katherine Heller
%E Adrian Weller
%E Nuria Oliver
%E Jonathan Scarlett
%E Felix Berkenkamp
%F pmlr-v235-xie24c
%I PMLR
%P 54460--54474
%U https://proceedings.mlr.press/v235/xie24c.html
%V 235
%X Federated Learning (FL) faces threats from model poisoning attacks. Existing defenses, typically relying on cross-client/global information to mitigate these attacks, fall short when faced with non-IID data distributions and/or a large number of malicious clients. To address these challenges, we present FedREDefense. Unlike existing methods, it doesn’t hinge on similar distributions across clients or a predominant presence of benign clients. Instead, it assesses the likelihood that a client’s model update is a product of genuine training, solely based on the characteristics of the model update itself. Our key finding is that model updates stemming from genuine training can be approximately reconstructed with some distilled local knowledge, while those from deliberate handcrafted model poisoning attacks cannot. Drawing on this distinction, FedREDefense identifies and filters out malicious clients based on the discrepancies in their model update Reconstruction Errors. Empirical tests on three benchmark datasets confirm that FedREDefense successfully filters model poisoning attacks in FL—even in scenarios with high non-IID degrees and large numbers of malicious clients.
APA
Xie, Y., Fang, M. & Gong, N.Z. (2024). FedREDefense: Defending against Model Poisoning Attacks for Federated Learning using Model Update Reconstruction Error. Proceedings of the 41st International Conference on Machine Learning, in Proceedings of Machine Learning Research 235:54460-54474. Available from https://proceedings.mlr.press/v235/xie24c.html.