Byzantine-Resilient Secure Federated Learning

So, Jinhyun; Güler, Başak; Avestimehr, A. Salman

doi:10.1109/jsac.2020.3041404

Cited by 157 publications

(91 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Byzantine-resilient defenses One popular defense mechanism against untargeted model update poisoning attacks, especially Byzantine attacks, replaces the averaging step on the server with a robust estimate of the mean, such as median-based aggregators [116,497], Krum [76], and trimmed mean [497]. Past work has shown that various robust aggregators are provably effective for Byzantine-tolerant distributed learning [436,76,116] under appropriate assumptions, even in federated settings [379,486,427]. Despite this, Fang et al [183] recently showed that multiple Byzantine-resilient defenses did little to defend against model poisoning attacks in federated learning.…”

Section: Model Update Poisoningmentioning

confidence: 99%

Advances and Open Problems in Federated Learning

Kairouz

McMahan²

2021

FNT in Machine Learning

2,215

1,214

View full text Add to dashboard Cite

Federated learning (FL) is a machine learning setting where many clients (e.g. mobile devices or whole organizations) collaboratively train a model under the orchestration of a central server (e.g. service provider), while keeping the training data decentralized. FL embodies the principles of focused data collection and minimization, and can mitigate many of the systemic privacy risks and costs resulting from traditional, centralized machine learning and data science approaches. Motivated by the explosive growth in FL research, this paper discusses recent advances and presents an extensive collection of open problems and challenges.

show abstract

Section: Model Update Poisoningmentioning

confidence: 99%

Advances and Open Problems in Federated Learning

Kairouz

McMahan²

2021

FNT in Machine Learning

2,215

1,214

View full text Add to dashboard Cite

show abstract

“…Furthermore, the authors use additive secret sharing to protect the privacy of the data, which provide weaker guarantees than DP. We also mention BREA [33], that is a single-server approach but does not use DP either. The approach that might be the most related to our work is LearningChain [10] since it seems to be the only other framework that combines DP and Byzantine resilience.…”

Section: Related Workmentioning

confidence: 99%

Differential Privacy and Byzantine Resilience in SGD

Guerraoui

Gupta

Pinot

et al. 2021

Proceedings of the 2021 ACM Symposium on Principles of Distributed Computing

View full text Add to dashboard Cite

This paper addresses the problem of combining Byzantine resilience with privacy in machine learning (ML). Specifically, we study if a distributed implementation of the renowned Stochastic Gradient Descent (SGD) learning algorithm is feasible with both differential privacy (DP) and ( , )-Byzantine resilience. To the best of our knowledge, this is the first work to tackle this problem from a theoretical point of view. A key finding of our analyses is that the classical approaches to these two (seemingly) orthogonal issues are incompatible. More precisely, we show that a direct composition of these techniques makes the guarantees of the resulting SGD algorithm depend unfavourably upon the number of parameters of the ML model, making the training of large models practically infeasible. We validate our theoretical results through numerical experiments on publicly-available datasets; showing that it is impractical to ensure DP and Byzantine resilience simultaneously. CCS Concepts• Security and privacy → Privacy-preserving protocols; • Mathematics of computing → Continuous optimization.

show abstract

“…In [18], [22], [19] and [21], the proposed defences 439 consumed additional computation time to compute gradients, high dimensional update vectors, Principal Component Analysis, and reconstruction errors, respectively. The solutions proposed in [20] and [23] are required to compute dissimilarity and related information through clients. Thus incurred additional computation cost.…”

Section: E Evaluation Metricsmentioning

confidence: 99%

“…In contrast, to [20] and [23], which involve clients in the identification and verification procedure of the poison local model weights, TIMPANY, evaluates the local model weights without indulging the clients in the evaluation procedure at the server side. As a result, TIMPANY provides complete security and privacy to the clients, i.e., no information gets disclosed to another client in the FL setup.…”

Section: ) Security and Privacymentioning

confidence: 99%

See 1 more Smart Citation

TIMPANY—deTectIon of Model Poisoning Attacks usiNg accuracY

Sameen

Hwang²

2021

IEEE Access

View full text Add to dashboard Cite

Nowadays, Federated Learning has widely been adopted for data security in the Industrial IoTs. With Federated Learning, local Industrial IoTs devices download the current machine learning model and update it on their own local Industrial IoTs devices. Then, local Industrial IoTs devices transmit these locally trained models back to the Industrial Server. The Industrial Server aggregates all the locally trained models into a single consolidated and enhanced global model. On one side, Federated Learning secures the data; on the other side, Federated Learning itself is vulnerable to one subtle yet severe attack: the model poisoning attack. Model poisoning attack is difficult to detect, especially in Industrial IoTs applications, for two reasons: a) neither the Industrial Server nor the local Industrial IoTs devices in Federated Learning is capable of identifying poisoned local models, and b) every iteration of Federated Learning consists of many Industrial IoTs devices, and therefore, verification of every single device is computationally expensive. Thus, this study proposes an effective and efficient framework for deTectIon of Model Poisoning Attacks usiNg AccuracY (TIMPANY). TIMPANY is the first detection framework for the model poisoning attack that utilizes accuracy as a detection measure. We performed theoretical analysis of TIMPANY with other detection solutions (for model poisoning attack) concerning communication and computational efficiency, security, and detection accuracy. Our thorough theoretical comparative analysis showed that TIMPANY efficiently addresses these open research challenges that previous studies failed to address. In our thorough experimental analysis, error analysis from the first iteration shows that TIMPANY results in 0% error, leading to a True Positive Rate and accuracy of 100% with 0% False Positive Rate. Thus, TIMPANY outperformed some of the existing detection solutions for model poisoning attacks against Federated Learning. We conclude that TIMPANY is effective and efficient against model poisoning attacks in Federated Learning, even for resource-constrained Industrial IoTs devices widely used in various industrial applications.

show abstract

Byzantine-Resilient Secure Federated Learning

Cited by 157 publications

References 15 publications

Advances and Open Problems in Federated Learning

Advances and Open Problems in Federated Learning

Differential Privacy and Byzantine Resilience in SGD

TIMPANY—deTectIon of Model Poisoning Attacks usiNg accuracY

Contact Info

Product

Resources

About