TY - GEN
T1 - FLMJR
T2 - 27th European Symposium on Research in Computer Security, ESORICS 2022
AU - Guo, Qi
AU - Wu, Di
AU - Qi, Yong
AU - Qi, Saiyu
AU - Li, Qian
N1 - Publisher Copyright:
© 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.
PY - 2022
Y1 - 2022
N2 - Federated Learning (FL) is vulnerable to model poisoning attacks that harm the jointly trained global model by sending malicious updates. Existing defenses rely heavily on restricting clients’ model updates to defend against attacks. However, because the model is sensitive to perturbations, the global model can still be attacked by elaborate malicious perturbations that satisfy the defensive restriction. Therefore, in this work, we investigate the defense against such attacks from a novel perspective: the stability of the model towards perturbation of its parameters. We propose a new method named Federated Learning with Model Jacobian Regularization (FLMJR) to enhance the robustness of FL. Since the prediction volatility of the model is determined by the model-output Jacobian, we apply Jacobian regularization to reduce it, improving model stability towards model perturbations while maintaining the model’s accuracy. We conduct extensive experiments under both IID and Non-IID settings to evaluate the defense against state-of-the-art model poisoning attacks, which demonstrate that our method not only has superior fidelity and robustness, but can also be easily integrated to further improve the robustness of existing server-based robust aggregation approaches (e.g., Fedavg, Trimean, Median, Bulyan, and FLTrust).
AB - Federated Learning (FL) is vulnerable to model poisoning attacks that harm the jointly trained global model by sending malicious updates. Existing defenses rely heavily on restricting clients’ model updates to defend against attacks. However, because the model is sensitive to perturbations, the global model can still be attacked by elaborate malicious perturbations that satisfy the defensive restriction. Therefore, in this work, we investigate the defense against such attacks from a novel perspective: the stability of the model towards perturbation of its parameters. We propose a new method named Federated Learning with Model Jacobian Regularization (FLMJR) to enhance the robustness of FL. Since the prediction volatility of the model is determined by the model-output Jacobian, we apply Jacobian regularization to reduce it, improving model stability towards model perturbations while maintaining the model’s accuracy. We conduct extensive experiments under both IID and Non-IID settings to evaluate the defense against state-of-the-art model poisoning attacks, which demonstrate that our method not only has superior fidelity and robustness, but can also be easily integrated to further improve the robustness of existing server-based robust aggregation approaches (e.g., Fedavg, Trimean, Median, Bulyan, and FLTrust).
KW - Federated learning
KW - Model poisoning
KW - Model stability
KW - Robustness
UR - https://www.scopus.com/pages/publications/85140786077
U2 - 10.1007/978-3-031-17143-7_20
DO - 10.1007/978-3-031-17143-7_20
M3 - Conference contribution
AN - SCOPUS:85140786077
SN - 9783031171420
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 405
EP - 424
BT - Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
A2 - Atluri, Vijayalakshmi
A2 - Di Pietro, Roberto
A2 - Jensen, Christian D.
A2 - Meng, Weizhi
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 26 September 2022 through 30 September 2022
ER -