Byzantine-robust federated learning (FL) tries to minimize the effects of malicious attacks that aim to lower the accuracy of the global model. However, when the proportion of malicious clients in the FL system rises or exceeds 50%, the fidelity and robustness of the aggregation rule (AGR) is compromised. Some AGRs can hardly work because they aggregate based on statistical characteristics of all models, and some perform poorly because many benign local models were removed or weakened by mistake. In this work, we bridge the gap by proposing FLKT, a new malicious clients detection method via the key data and trap model to help existing AGRs achieve higher fidelity and robustness. In FLKT, the service provider independently collects a small amount of training data as the root dataset, then takes a piece of data from it as the key data to construct a trap model every round and identifies whether a client is malicious by the client’s local trap model update in detection rounds. Experiments verify that the combination of FLKT (working in the detection rounds) and FedAvg (working in the training rounds) can cope with various attacks, especially local model attacks, and it can continue to protect the global model even when the proportion of malicious clients exceeds half. Furthermore, FLKT can integrate seamlessly with data protection methods to effectively defend membership inference attack (MIA), especially when combined with RelaxLoss.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

FLKT: Improving the Fidelity and Robustness of Federated Learning Aggregation Rules via the Key-Data and Trap-Model

  • Peng Tang,
  • Xiaojie Xu,
  • Xinpeng Li,
  • Weidong Qiu,
  • Zheng Huang

摘要

Byzantine-robust federated learning (FL) tries to minimize the effects of malicious attacks that aim to lower the accuracy of the global model. However, when the proportion of malicious clients in the FL system rises or exceeds 50%, the fidelity and robustness of the aggregation rule (AGR) is compromised. Some AGRs can hardly work because they aggregate based on statistical characteristics of all models, and some perform poorly because many benign local models were removed or weakened by mistake. In this work, we bridge the gap by proposing FLKT, a new malicious clients detection method via the key data and trap model to help existing AGRs achieve higher fidelity and robustness. In FLKT, the service provider independently collects a small amount of training data as the root dataset, then takes a piece of data from it as the key data to construct a trap model every round and identifies whether a client is malicious by the client’s local trap model update in detection rounds. Experiments verify that the combination of FLKT (working in the detection rounds) and FedAvg (working in the training rounds) can cope with various attacks, especially local model attacks, and it can continue to protect the global model even when the proportion of malicious clients exceeds half. Furthermore, FLKT can integrate seamlessly with data protection methods to effectively defend membership inference attack (MIA), especially when combined with RelaxLoss.