Federated learning (FL) has been shown to be vulnerable to a new class of adversarial attacks, known as model poisoning attacks (MPAs), in which one or more malicious clients try to poison the global model by sending carefully crafted local model updates to the central parameter server. Existing defenses, which focus on analyzing model parameters, show limited effectiveness in detecting such carefully crafted poisonous models. In this work, we propose FLARE, a robust model aggregation mechanism for FL that is resilient against state-of-the-art MPAs. Instead of depending solely on model parameters, FLARE leverages the penultimate layer representations (PLRs) of the model to characterize the adversarial influence on each local model update. PLRs differentiate malicious models from benign ones better than model parameter-based solutions do. We further propose a trust evaluation method that estimates a trust score for each model update based on pairwise PLR discrepancies among all model updates. Under the assumption that honest clients make up the majority, FLARE assigns a trust score to each model update such that updates far from the benign cluster receive low scores. FLARE then aggregates the model updates weighted by their trust scores and finally updates the global model. Extensive experimental results demonstrate the effectiveness of FLARE in defending FL against various MPAs, including semantic backdoor attacks, trojan backdoor attacks, and untargeted attacks, while safeguarding the accuracy of FL.
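The aggregation pipeline the abstract describes (pairwise PLR discrepancies, trust scores under an honest-majority assumption, trust-weighted aggregation) as an added, self-contained illustration. This is not the FLARE authors' code: the discrepancy measure (plain Euclidean distance), the k-nearest-neighbour vote used to turn pairwise discrepancies into trust scores, and all client data are assumptions made here for the example, and the PLR vectors stand in for activations a server would obtain by running each submitted local model on a small auxiliary batch.

```python
"""Trust-weighted model aggregation driven by pairwise penultimate-layer
representation (PLR) discrepancies, in the spirit of the abstract above.

Added illustration, not the FLARE authors' code. The discrepancy measure
(Euclidean distance), the k-nearest-neighbour vote that turns pairwise
discrepancies into trust scores, and all client data are assumptions made
for this example.
"""

import math
from typing import Dict, List, Optional

Vector = List[float]

# Constructed sample data: six clients, four benign (c*) and two malicious (m*).
# Each vector stands in for the penultimate-layer activations of that client's
# submitted model on a fixed auxiliary batch held by the server.
SAMPLE_PLRS: Dict[str, Vector] = {
    "c1": [1.00, 0.00, 0.00, 0.00],
    "c2": [1.10, 0.10, 0.00, 0.00],
    "c3": [0.90, 0.00, 0.10, 0.00],
    "c4": [1.00, 0.10, 0.10, 0.00],
    "m1": [0.00, 5.00, 0.00, 0.00],   # poisoned: far from the benign cluster
    "m2": [0.00, 0.00, 0.00, -5.00],  # poisoned, and far from m1 as well
}

# Corresponding local updates (two parameters, for brevity). The malicious
# updates are scaled up, as a poisoning client does to dominate a plain average.
SAMPLE_UPDATES: Dict[str, Vector] = {
    "c1": [0.10, -0.10],
    "c2": [0.12, -0.08],
    "c3": [0.09, -0.11],
    "c4": [0.11, -0.09],
    "m1": [5.00, 5.00],
    "m2": [5.00, -5.00],
}


def euclidean(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def pairwise_discrepancies(plrs: Dict[str, Vector]) -> Dict[str, Dict[str, float]]:
    """PLR discrepancy for every ordered pair of distinct clients."""
    return {i: {j: euclidean(plrs[i], plrs[j]) for j in plrs if j != i} for i in plrs}


def trust_scores(plrs: Dict[str, Vector], k: Optional[int] = None) -> Dict[str, float]:
    """Each client votes for the k peers whose PLRs are closest to its own; a
    client's raw trust is the number of votes it receives, normalised to sum
    to one. With an honest majority the benign PLRs form a dense cluster and
    vote for each other, so an outlier collects few or no votes and gets a
    low weight. (This voting rule is an assumption of the example.)"""
    names = list(plrs)
    if k is None:
        k = max(1, len(names) // 2)  # honest majority: about n/2 trusted peers
    disc = pairwise_discrepancies(plrs)
    votes = {name: 0 for name in names}
    for i in names:
        for j in sorted(disc[i], key=disc[i].get)[:k]:
            votes[j] += 1
    total = sum(votes.values())  # equals n*k, so never zero
    return {name: votes[name] / total for name in names}


def trust_weighted_aggregate(updates: Dict[str, Vector], trust: Dict[str, float]) -> Vector:
    """Global update = sum of local updates weighted by their trust scores."""
    dim = len(next(iter(updates.values())))
    agg = [0.0] * dim
    for name, upd in updates.items():
        for d in range(dim):
            agg[d] += trust[name] * upd[d]
    return agg


def mean_aggregate(updates: Dict[str, Vector]) -> Vector:
    """Plain FedAvg-style mean, for contrast: every client gets weight 1/n."""
    n = len(updates)
    return trust_weighted_aggregate(updates, {name: 1.0 / n for name in updates})


if __name__ == "__main__":
    scores = trust_scores(SAMPLE_PLRS)
    for name, s in scores.items():
        print(f"{name}: trust={s:.3f}")
    print("trust-weighted:", trust_weighted_aggregate(SAMPLE_UPDATES, scores))
    print("plain mean:    ", mean_aggregate(SAMPLE_UPDATES))
```

With the constructed data both malicious clients receive zero votes (each is closer to the benign cluster than to the other outlier, and no benign client ranks them among its nearest peers), so the trust-weighted global update stays inside the range of the benign updates, whereas the plain mean is pulled to a first coordinate above 1.0 by the two boosted updates. The important caveat is the honest-majority assumption: if the attackers control half or more of the clients, their PLRs form the dense cluster and the same vote hands them the high weights.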
Title of host publication: ASIA CCS 2022 - Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security
Number of pages: 13
State: Published - May 30 2022
Event: 17th ACM ASIA Conference on Computer and Communications Security 2022, ASIA CCS 2022 - Virtual, Online, Japan
Duration: May 30 2022 → Jun 3 2022
Name: ASIA CCS 2022 - Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security
Conference: 17th ACM ASIA Conference on Computer and Communications Security 2022, ASIA CCS 2022
Period: 5/30/22 → 6/3/22
Bibliographical note
Funding Information:
This work was supported in part by the Office of Naval Research under grant N00014-19-1-2621, the US National Science Foundation under grants CNS-1837519 and CNS-19169026, the Army Research Office under grant W911NF-20-1-0141, and the Virginia Commonwealth Cyber Initiative (CCI).
© 2022 Owner/Author.
- federated learning
- model poisoning attack
ASJC Scopus subject areas
- Computer Networks and Communications
- Computer Science Applications
- Information Systems