Visible to the public Detection and Mitigation of Targeted Data Poisoning Attacks in Federated Learning

TitleDetection and Mitigation of Targeted Data Poisoning Attacks in Federated Learning
Publication TypeConference Paper
Year of Publication2022
AuthorsErbil, Pinar, Gursoy, M. Emre
Conference Name2022 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech)
KeywordsAdversarial Machine Learning, AI Poisoning, Big Data, Computational modeling, Data models, data poisoning attacks, federated learning, Human Behavior, pubcrawl, resilience, Resiliency, Scalability, security for AI, Servers, Training, Training data
AbstractFederated learning (FL) has emerged as a promising paradigm for distributed training of machine learning models. In FL, several participants train a global model collaboratively by only sharing model parameter updates while keeping their training data local. However, FL was recently shown to be vulnerable to data poisoning attacks, in which malicious participants send parameter updates derived from poisoned training data. In this paper, we focus on defending against targeted data poisoning attacks, where the attacker's goal is to make the model misbehave for a small subset of classes while the rest of the model is relatively unaffected. To defend against such attacks, we first propose a method called MAPPS for separating malicious updates from benign ones. Using MAPPS, we propose three methods for attack detection: MAPPS + X-Means, MAPPS + VAT, and their Ensemble. Then, we propose an attack mitigation approach in which a "clean" model (i.e., a model that is not negatively impacted by an attack) can be trained despite the existence of a poisoning attempt. We empirically evaluate all of our methods using popular image classification datasets. Results show that we can achieve \textgreater 95% true positive rates while incurring only \textless 2% false positive rate. Furthermore, the clean models that are trained using our proposed methods have accuracy comparable to models trained in an attack-free scenario.
DOI10.1109/DASC/PiCom/CBDCom/Cy55231.2022.9927914
Citation Keyerbil_detection_2022