Federated learning has gained widespread attention for its privacy protection and distributed training characteristics, but it is vulnerable to model poisoning attacks. Existing model poisoning attacks often rely on the local model parameters or training data of real clients and are significantly less effective when the server deploys a defense strategy. To address this, we propose a new model poisoning attack, Dynamic Mixed Poisoning Attack (DMPA), which improves the stealthiness of the attack by mixing benign and malicious model updates and dynamically adjusting the size of malicious updates. In addition, DMPA employs the strategy of injecting fake clients to launch the attack in a minimal-knowledge scenario to overcome the limitation of requiring real client information. We further propose a new defense, Median-Norm Credibility Defense (MNCD). MNCD normalizes the magnitudes of uploaded model updates and calculates credibility by comparing each model update’s similarity to the global optimization direction from the previous round, determining aggregation weights. Experimental results show that DMPA bypasses the baseline defense and outperforms the baseline poisoning attack. Compared with the baseline defense, MNCD can effectively resist DMPA and other baseline poisoning attacks. When the fraction of fake clients does not exceed 45%, MNCD maintains strong robustness.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Federated Learning Against Dynamic Mixed Poisoning Attack and Defense

  • Jianhong Zhang,
  • Qi Li

摘要

Federated learning has gained widespread attention for its privacy protection and distributed training characteristics, but it is vulnerable to model poisoning attacks. Existing model poisoning attacks often rely on the local model parameters or training data of real clients and are significantly less effective when the server deploys a defense strategy. To address this, we propose a new model poisoning attack, Dynamic Mixed Poisoning Attack (DMPA), which improves the stealthiness of the attack by mixing benign and malicious model updates and dynamically adjusting the size of malicious updates. In addition, DMPA employs the strategy of injecting fake clients to launch the attack in a minimal-knowledge scenario to overcome the limitation of requiring real client information. We further propose a new defense, Median-Norm Credibility Defense (MNCD). MNCD normalizes the magnitudes of uploaded model updates and calculates credibility by comparing each model update’s similarity to the global optimization direction from the previous round, determining aggregation weights. Experimental results show that DMPA bypasses the baseline defense and outperforms the baseline poisoning attack. Compared with the baseline defense, MNCD can effectively resist DMPA and other baseline poisoning attacks. When the fraction of fake clients does not exceed 45%, MNCD maintains strong robustness.