Vulnerabilities and Defenses of Federated Learning

This is a list of papers reviewed in A Survey on Vulnerability of Federated Learning: A Learning Algorithm Perspective.

  @article{XIE2024127225,
      title = {A survey on vulnerability of federated learning: A learning algorithm perspective},
      author = {Xianghua Xie and Chen Hu and Hanchi Ren and Jingjing Deng},
      journal = {Neurocomputing},
      volume = {573},
      pages = {127225},
      year = {2024},
      issn = {0925-2312},
      doi = {10.1016/j.neucom.2023.127225},
      url = {https://www.sciencedirect.com/science/article/pii/S0925231223013486},
  }

The survey proposes a taxonomy of FL attacks organised by where an attack originates and what it targets, shown in the table below. The taxonomy emphasises the vulnerability being exploited and its direct victim.

| Type of attack | Definition | Example |
|---|---|---|
| Data to Model (D2M) | Tampering with the local data alone to degrade model performance | Label flipping |
| Model to Model (M2M) | Tampering with model updates to prevent learning from converging | Byzantine attack |
| Model to Data (M2D) | Intercepting model updates to infer private training data | Gradient leakage |
| Composite (D2M+M2M) | Tampering with both data and updates to manipulate model behaviour | Backdoor injection |

[Figure: overview of the taxonomy]

D2M

We describe Data to Model (D2M) attacks in FL as threat models in which the attacker manipulates local training data and the models being trained are the victims. D2M attacks can be regarded as black-box attacks: the attacker needs no inside information such as client model weights or updates, and tampering with the data alone is often sufficient to launch one. An attacker who does have access to the local dataset or to client models can nevertheless use that information to make a D2M attack more effective.

Attacks

Poisoning Attacks against Support Vector Machines ICML

Mitigating Sybils in Federated Learning Poisoning arXiv

Data Poisoning Attacks Against Federated Learning Systems SPRINGER ESORICS

Semi-Targeted Model Poisoning Attack on Federated Learning via Backward Error Analysis arXiv

Attack of the Tails: Yes, You Really Can Backdoor Federated Learning NeurIPS

PoisonGAN: Generative Poisoning Attacks Against Federated Learning in Edge Computing Systems IEEE ITJ

Turning Federated Learning Systems Into Covert Channels IEEE Access

Challenges and Approaches for Mitigating Byzantine Attacks in Federated Learning arXiv

Turning Privacy-preserving Mechanisms against Federated Learning arXiv

Local Environment Poisoning Attacks on Federated Reinforcement Learning arXiv

Data Poisoning Attacks on Federated Machine Learning arXiv

Understanding Distributed Poisoning Attack in Federated Learning IEEE ICPADS

Defenses

Mitigating Sybils in Federated Learning Poisoning arXiv

Data Poisoning Attacks Against Federated Learning Systems SPRINGER ESORICS

Understanding Distributed Poisoning Attack in Federated Learning IEEE ICPADS

Local Environment Poisoning Attacks on Federated Reinforcement Learning arXiv

M2M

We define Model to Model (M2M) attacks in FL as threat models that manipulate local model updates or weights in order to affect the global model. The primary objective of an M2M attack is to disrupt the convergence of the FL algorithm. The presence of M2M attackers is also described as the Byzantine problem: in a distributed system with Byzantine faults, benign and malicious participants coexist, and the malicious ones deliberately disseminate confusing or contradictory information to undermine normal operation. The challenge for the aggregator is therefore to reach consensus among the benign participants despite the presence of the malicious ones.
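The following is an added example, not code from the survey or from any of the papers listed below: one constructed aggregation round with 10 clients, 3 of which are Byzantine and collude on a sign-flipped, scaled gradient, aggregated with plain averaging and with three of the robust rules referenced in this section (coordinate-wise median, coordinate-wise trimmed mean and Krum). All vectors are synthetic, and the number of Byzantine clients `n_byz` is assumed to be known to the server, as these rules require.

```python
"""Byzantine (M2M) updates against plain averaging and three robust aggregators.
Added illustration: 10 clients, 3 of them Byzantine, 5-dimensional synthetic gradients."""
import math
import random


def mean_agg(updates):
    n, d = len(updates), len(updates[0])
    return [sum(u[j] for u in updates) / n for j in range(d)]


def median_agg(updates):
    """Coordinate-wise median."""
    n, d = len(updates), len(updates[0])
    out = []
    for j in range(d):
        col = sorted(u[j] for u in updates)
        out.append(col[n // 2] if n % 2 else (col[n // 2 - 1] + col[n // 2]) / 2)
    return out


def trimmed_mean_agg(updates, f):
    """Coordinate-wise trimmed mean: drop the f smallest and f largest values per coordinate."""
    n, d = len(updates), len(updates[0])
    if n <= 2 * f:
        raise ValueError("trimmed mean needs n > 2f")
    return [sum(sorted(u[j] for u in updates)[f:n - f]) / (n - 2 * f) for j in range(d)]


def krum_agg(updates, f):
    """Krum: return the update whose n-f-2 nearest neighbours are closest to it."""
    n = len(updates)
    if n <= 2 * f + 2:
        raise ValueError("Krum needs n > 2f + 2")

    def sqdist(a, b):
        return sum((p - q) ** 2 for p, q in zip(a, b))

    scores = []
    for i, u in enumerate(updates):
        dists = sorted(sqdist(u, v) for k, v in enumerate(updates) if k != i)
        scores.append(sum(dists[:n - f - 2]))
    return list(updates[scores.index(min(scores))])


def cosine(a, b):
    dot = sum(p * q for p, q in zip(a, b))
    return dot / (math.sqrt(sum(p * p for p in a)) * math.sqrt(sum(q * q for q in b)))


def simulate(n_clients=10, n_byz=3, dim=5, seed=0):
    """One aggregation round. Returns {rule: (aggregate, cosine to the honest direction)}."""
    rng = random.Random(seed)
    true_grad = [1.0] * dim  # constructed: the direction every honest client reports, plus noise
    honest = [[g + rng.gauss(0.0, 0.1) for g in true_grad] for _ in range(n_clients - n_byz)]
    # Byzantine clients collude on one sign-flipped, scaled vector to reverse the descent step
    byz = [[-10.0 * g for g in true_grad] for _ in range(n_byz)]
    updates = honest + byz
    rng.shuffle(updates)  # the server does not know which slots are malicious
    aggregates = {
        "mean": mean_agg(updates),
        "median": median_agg(updates),
        "trimmed_mean": trimmed_mean_agg(updates, n_byz),
        "krum": krum_agg(updates, n_byz),
    }
    return {name: (vec, cosine(vec, true_grad)) for name, vec in aggregates.items()}


if __name__ == "__main__":
    for name, (vec, cos) in simulate().items():
        print(f"{name:13s} cos={cos:+.3f} first coordinate={vec[0]:+.3f}")
```

Plain averaging returns a vector that points against the honest direction (three clients at -10 outweigh seven at +1), while the three robust rules keep it. The caveat, made in "A Little Is Enough" below, is that an attacker who keeps its updates inside the spread of the honest ones instead of scaling them by 10 can still pass median, trimmed mean and Krum, so a bound on f is not a guarantee on its own.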

Attacks

Free-rider Attacks on Model Aggregation in Federated Learning PMLR

Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent NeurIPS

Generalized Byzantine-tolerant SGD arXiv

RSA: Byzantine-robust stochastic aggregation methods for distributed learning from heterogeneous datasets AAAI

A Little Is Enough: Circumventing Defenses For Distributed Learning NeurIPS

The Hidden Vulnerability of Distributed Learning in Byzantium PMLR

Local model poisoning attacks to byzantine-robust federated learning USENIX Security

PipAttack: Poisoning Federated Recommender Systems for Manipulating Item Promotion ACM WSDM

FedRecAttack: Model Poisoning Attack to Federated Recommendation IEEE ICDE

Poisoning Deep Learning Based Recommender Model in Federated Learning Scenarios IJCAI

Defenses

Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent NeurIPS

Generalized Byzantine-tolerant SGD arXiv

Byzantine-Robust Distributed Learning: Towards Optimal Statistical Rates ICML

Distributed Statistical Machine Learning in Adversarial Settings: Byzantine Gradient Descent ACM

Robust Aggregation for Federated Learning IEEE

ELITE: Defending Federated Learning against Byzantine Attacks based on Information Entropy IEEE

M2D

We divide Model to Data (M2D) attacks in FL into non-gradient-based and gradient-based data leakage.

We define non-gradient-based data leakage as the disclosure of private information that does not depend on the gradients generated during training. Examples include inferring specific attributes of, or membership in, the training data, and recovering original training images from obscured or masked versions. Such leakage typically exploits the behaviour of a well-trained model.

Gradient-based data leakage refers to techniques that exploit the gradients of the target model to expose private information. Because a model's parameters are updated to fit its training data, the weights and, more directly, the per-step gradients carry an inherent relationship to that data, and numerous studies exploit it to reconstruct private inputs. The effectiveness and success rates of gradient-based approaches have consistently surpassed those of non-gradient-based methods. Unlike non-gradient-based leakage, gradient-based leakage can occur even before the model has converged.
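An added example, not from the survey or any listed paper: the analytic form of gradient leakage for a fully connected softmax layer when a client shares the gradient of a single sample (the observation behind iDLG and the closed-form step in "Inverting Gradients", both listed below), followed by two of the defence families in the list applied to the shared gradient: gradient pruning and clip-and-noise. The 4-feature input, the 3-class weights and the pruning and noise parameters are constructed for the demonstration.

```python
"""Analytic gradient inversion of a fully connected softmax classifier from a single-sample
update, with gradient pruning and clip-and-noise applied to the shared gradient as defences.
Added illustration on a constructed toy: 4 input features, 3 classes, plain Python only."""
import math
import random


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def client_gradient(W, b, x, y):
    """What an honest client computes and shares: (dL/dW, dL/db) for cross-entropy on one sample."""
    z = [sum(W[i][j] * x[j] for j in range(len(x))) + b[i] for i in range(len(b))]
    p = softmax(z)
    dz = [p[i] - (1.0 if i == y else 0.0) for i in range(len(b))]  # dL/dz = p - onehot(y)
    dW = [[dz[i] * x[j] for j in range(len(x))] for i in range(len(b))]  # outer product dz x^T
    return dW, dz[:]  # dL/db equals dz


def invert_gradient(dW, db):
    """Recovery by whoever sees the gradient. Label: the only negative entry of db is p_y - 1.
    Input: row y of dW is (p_y - 1) * x, so dividing it by db[y] returns x exactly."""
    y_hat = min(range(len(db)), key=lambda i: db[i])
    if db[y_hat] >= 0:
        raise ValueError("no negative bias gradient: not a single-sample softmax/CE gradient")
    x_hat = [g / db[y_hat] for g in dW[y_hat]]
    return y_hat, x_hat


def prune_gradient(dW, keep_ratio):
    """Defence 1: per-row magnitude pruning, sending only the largest keep_ratio fraction of each row."""
    out = []
    for row in dW:
        k = max(1, int(round(keep_ratio * len(row))))
        thresh = sorted((abs(g) for g in row), reverse=True)[k - 1]
        out.append([g if abs(g) >= thresh else 0.0 for g in row])
    return out


def clip_and_noise(dW, db, clip, sigma, rng):
    """Defence 2, DP-SGD style: clip the whole gradient to L2 norm `clip`, then add N(0, sigma^2)
    to every coordinate. Clipping alone does not help (the ratio dW[y]/db[y] is scale-invariant)."""
    flat = [g for row in dW for g in row] + db
    scale = min(1.0, clip / math.sqrt(sum(g * g for g in flat)))
    noisy = [g * scale + rng.gauss(0.0, sigma) for g in flat]
    d = len(dW[0])
    return [noisy[i * d:(i + 1) * d] for i in range(len(dW))], noisy[len(dW) * d:]


def max_abs_error(a, b):
    return max(abs(u - v) for u, v in zip(a, b))


def demo(seed=0):
    rng = random.Random(seed)
    d, k = 4, 3
    W = [[rng.uniform(-0.5, 0.5) for _ in range(d)] for _ in range(k)]  # constructed model state
    b = [0.0] * k
    x, y = [0.2, -0.5, 1.0, 0.8], 1  # constructed private training sample
    dW, db = client_gradient(W, b, x, y)
    y_hat, x_hat = invert_gradient(dW, db)
    results = {"label_ok": y_hat == y, "err_plain": max_abs_error(x, x_hat)}
    # keeping 50% of each row drops the two smallest |x_j| entries, which then read back as 0
    _, x_pr = invert_gradient(prune_gradient(dW, 0.5), db)
    results["err_pruned"] = max_abs_error(x, x_pr)
    dW_n, db_n = clip_and_noise(dW, db, clip=1.0, sigma=0.5, rng=rng)
    try:
        _, x_no = invert_gradient(dW_n, db_n)
        results["err_noisy"] = max_abs_error(x, x_no)
    except ValueError:  # noise can flip every bias gradient positive; the label is then lost too
        results["err_noisy"] = float("inf")
    return results


if __name__ == "__main__":
    print(demo())
```

The closed form needs a batch of one and a first layer that is fully connected; with larger batches the rows become sums over samples and the attacker falls back to the optimisation-based recovery of DLG and "Inverting Gradients", which is why the defences below are evaluated at the batch level as well. Pruning leaks whatever survives the threshold (here the two largest coordinates come back exactly), so it limits rather than prevents recovery; noise at a scale comparable to |db[y]| destroys both the input and the label.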

Attacks

Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers arXiv

Membership inference attacks against machine learning models IEEE SP

Defeating image obfuscation with deep learning arXiv

The secret revealer: Generative model-inversion attacks against deep neural networks IEEE CVPR

Deep Models under the GAN: Information Leakage from Collaborative Deep Learning ACM CCS

Exploiting Unintended Feature Leakage in Collaborative Learning IEEE SP

Auditing Privacy Defenses in Federated Learning via Generative Gradient Leakage IEEE CVPR

Deep Leakage from Gradients NeurIPS

Idlg: Improved Deep Leakage from Gradients arXiv

Inverting Gradients-How Easy Is It to Break Privacy in Federated Learning? NeurIPS

GRNN: Generative Regression Neural Network: A Data Leakage Attack for Federated Learning ACM TIST

Gradient Inversion with Generative Image Prior NeurIPS

See through Gradients: Image Batch Recovery via GradInversion IEEE CVPR

Beyond Inferring Class Representatives: User-level Privacy Leakage from Federated Learning IEEE INFOCOM

Defenses

An Accuracy-Lossless Perturbation Method for Defending Privacy Attacks in Federated Learning ACM WC

LDP-FL: Practical private aggregation in federated learning with local differential privacy arXiv

Soteria: Provable Defense against Privacy Leakage in Federated Learning from Representation Perspective IEEE CVPR

An effective value swapping method for privacy preserving data publishing SCN

Efficient data perturbation for privacy preserving and accurate data stream mining ELSEVIER PMC

Efficient privacy preservation of big data for accurate data mining ELSEVIER IS

Digestive neural networks: A novel defense strategy against inference attacks in federated learning ELSEVIER CS

Privacy preserving distributed machine learning with federated learning ELSEVIER CC

Deep learning with gaussian differential privacy HDSR

FedBoosting: Federated Learning with Gradient Protected Boosting for Text Recognition ELSEVIER NEUROCOMPUTING

Privacy-preserving federated learning framework based on chained secure multiparty computing IEEE ITJ

Differential privacy approach to solve gradient leakage attack in a federated machine learning environment SPRINGER ICCDSN

Gradient-leakage resilient federated learning IEEE ICDCS

Gradient Leakage Defense with Key-Lock Module for Federated Learning arXiv

PRECODE-A Generic Model Extension to Prevent Deep Gradient Leakage IEEE CVPR

Composite

We define composite attacks as threat models that corrupt multiple aspects of FL. An attacker can combine D2M and M2M attacks to launch a backdoor attack: trigger patterns are surreptitiously added to the local training data, and the resulting model updates are then tampered with so that the global model learns how to react to the trigger. Backdoored models behave normally on clean data; on inputs carrying the trigger they give the prediction designated by the attacker. Because the attacker also controls the client's model updates, composite attacks tend to be stealthier and more destructive than D2M or M2M attacks alone.
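An added example that covers both the D2M section above and this composite one; it is not code from the survey or from any listed paper. It is a constructed FedAvg simulation with logistic regression in which (a) a minority or a majority of clients flip their local labels, and (b) one client stamps a trigger feature onto copies of its data, trains on them, and scales its update by the number of clients so that the average becomes its own model, the "model replacement" construction of "How To Backdoor Federated Learning" listed below. The task, the client counts, the learning rates, the 2:1 over-representation of trigger samples and the server-side norm clipping used as a defence are all assumptions of the example.

```python
"""FedAvg under a label-flipping client (D2M) and a trigger backdoor by model replacement (composite).
Added illustration on a constructed task: logistic regression on x = [x0, x1, trigger], benign
label 1 iff x0 + x1 > 0, trigger feature 0 on every benign sample (no bias term is needed)."""
import math
import random

D = 3  # x0, x1, trigger feature


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def norm(v):
    return math.sqrt(sum(a * a for a in v))


def make_data(n, rng, trigger=False, target=1):
    data = []
    for _ in range(n):
        x0, x1 = rng.uniform(-1, 1), rng.uniform(-1, 1)
        if trigger:  # stamped copy: trigger on, label forced to the attacker's target class
            data.append(([x0, x1, 1.0], target))
        else:
            data.append(([x0, x1, 0.0], 1 if x0 + x1 > 0 else 0))
    return data


def predict(w, x):
    return sum(wi * xi for wi, xi in zip(w, x)) > 0


def accuracy(w, data):
    return sum(predict(w, x) == (y == 1) for x, y in data) / len(data)


def local_sgd(w, data, epochs, lr, rng):
    w, data = w[:], data[:]
    for _ in range(epochs):
        rng.shuffle(data)
        for x, y in data:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]
    return w


def honest_client(data, epochs=2, lr=0.1):
    def step(w, rng):
        return [a - b for a, b in zip(local_sgd(w, data, epochs, lr, rng), w)]
    return step


def label_flipper(data):
    # D2M: only the local labels are tampered with; the training code is untouched
    return honest_client([(x, 1 - y) for x, y in data])


def backdoor_client(data, n_clients, rng, epochs=20, lr=0.1):
    # Composite: poisoned data (trigger-stamped copies, over-represented 2:1) plus a tampered update
    # scaled by n so that the FedAvg average becomes the attacker's model ("model replacement")
    poisoned = data + make_data(2 * len(data), rng, trigger=True)

    def step(w, rng):
        w_att = local_sgd(w, poisoned, epochs, lr, rng)
        return [n_clients * (a - b) for a, b in zip(w_att, w)]
    return step


def fedavg(clients, rounds, rng, clip=None):
    """Plain FedAvg over client deltas; `clip` optionally bounds each delta's L2 norm."""
    w = [0.0] * D
    for _ in range(rounds):
        deltas = [client(w, rng) for client in clients]
        if clip is not None:
            deltas = [[d * min(1.0, clip / max(norm(delta), 1e-12)) for d in delta] for delta in deltas]
        w = [wi + sum(delta[j] for delta in deltas) / len(deltas) for j, wi in enumerate(w)]
    return w


def run(scenario="clean", n_flippers=0, clip=None, seed=0):
    rng = random.Random(seed)
    n = 10
    local = [make_data(100, rng) for _ in range(n)]
    test = make_data(1000, rng)
    clients = [honest_client(d) for d in local]
    if scenario == "flip":
        clients[:n_flippers] = [label_flipper(d) for d in local[:n_flippers]]
    elif scenario == "backdoor":
        clients[0] = backdoor_client(local[0], n, rng)  # a single compromised slot suffices
    w = fedavg(clients, rounds=5, rng=rng, clip=clip)
    # attack success rate: source-class (label 0) test points, stamped with the trigger, predicted as 1
    stamped = [([x[0], x[1], 1.0], 1) for x, y in test if y == 0]
    return {"w_norm": norm(w), "clean_acc": accuracy(w, test), "trigger_success": accuracy(w, stamped)}


if __name__ == "__main__":
    print("clean          ", run())
    print("3 flippers     ", run("flip", n_flippers=3))
    print("6 flippers     ", run("flip", n_flippers=6))
    print("backdoor       ", run("backdoor"))
    print("backdoor + clip", run("backdoor", clip=1.0))
```

Plain averaging has no defence once label flippers form a majority (the global model ends up pointing the wrong way), and a minority still shrinks the global weights because the flipped updates cancel honest ones. The model-replacement backdoor reaches near-total trigger success while clean accuracy stays high, because no benign sample ever exercises the trigger weight and nothing in averaging pulls it back. Clipping each update's norm, the defence evaluated in "Can You Really Backdoor Federated Learning?" below, removes most of the scaled update at the cost of slower honest progress; the attacker's answer in later work is to keep the malicious update within the clipping bound over several rounds.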

Attacks

Analyzing Federated Learning through an Adversarial Lens ICML

How To Backdoor Federated Learning AISTATS

Can You Really Backdoor Federated Learning? NeurIPS Workshop

Attack of the Tails: Yes, You Really Can Backdoor Federated Learning NeurIPS

A Little Is Enough: Circumventing Defenses For Distributed Learning NeurIPS

DBA: Distributed Backdoor Attacks against Federated Learning ICLR

Coordinated Backdoor Attacks against Federated Learning with Model-Dependent Triggers IEEE Network

Neurotoxin: Durable Backdoors in Federated Learning ICML

Learning to backdoor federated learning ICLR Workshop

On the Vulnerability of Backdoor Defenses for Federated Learning NeurIPS Workshop

Backdoor Attacks in Federated Learning by Rare Embeddings and Gradient Ensembling EMNLP

Thinking two moves ahead: Anticipating other users improves backdoor attacks in federated learning arXiv

Accumulative Poisoning Attacks on Real-time Data NeurIPS

Defenses

Defending against Backdoors in Federated Learning with Robust Learning Rate AAAI

Learning Differentially Private Recurrent Language Models ICLR

Mitigating Backdoor Attacks in Federated Learning arXiv

FedRAD: Federated Robust Adaptive Distillation NeurIPS Workshop

CRFL: Certifiably Robust Federated Learning against Backdoor Attacks ICML

FLCert: Provably Secure Federated Learning Against Poisoning Attacks IEEE

BaFFLe: Backdoor Detection via Feedback-based Federated Learning IEEE

DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection NDSS

FLAME: Taming Backdoors in Federated Learning USENIX