Can You Really Backdoor Federated Learning?

AI-generated keywords: Federated Learning; Backdoor Attacks; Non-Malicious Clients; EMNIST Dataset; Defense Strategies

AI-generated Key Points

The license of the paper does not allow us to build upon its content and the key points are generated using the paper metadata rather than the full article.

  • Federated learning involves decentralized data across multiple devices or servers
  • Backdoor attacks in federated learning aim to reduce model performance on specific tasks while maintaining high performance on the primary task
  • Study includes non-malicious clients with accurately labeled samples from targeted tasks
  • Research analyzes backdoor attacks and defenses using the EMNIST dataset, which is user-partitioned and non-iid
  • Success of an attack depends on factors like proportion of adversaries and complexity of targeted task
  • Techniques like norm clipping and "weak" differential privacy can mitigate attacks without compromising overall model performance
  • Authors implemented attacks and defenses using TensorFlow Federated (TFF) framework, open-sourcing their code for further exploration in the field

Authors: Ziteng Sun, Peter Kairouz, Ananda Theertha Suresh, H. Brendan McMahan

To appear at the 2nd International Workshop on Federated Learning for Data Privacy and Confidentiality at NeurIPS 2019

Abstract: The decentralized nature of federated learning makes detecting and defending against adversarial attacks a challenging task. This paper focuses on backdoor attacks in the federated learning setting, where the goal of the adversary is to reduce the performance of the model on targeted tasks while maintaining good performance on the main task. Unlike existing works, we allow non-malicious clients to have correctly labeled samples from the targeted tasks. We conduct a comprehensive study of backdoor attacks and defenses for the EMNIST dataset, a real-life, user-partitioned, and non-iid dataset. We observe that in the absence of defenses, the performance of the attack largely depends on the fraction of adversaries present and the "complexity" of the targeted task. Moreover, we show that norm clipping and "weak" differential privacy mitigate the attacks without hurting the overall performance. We have implemented the attacks and defenses in TensorFlow Federated (TFF), a TensorFlow framework for federated learning. In open-sourcing our code, our goal is to encourage researchers to contribute new attacks and defenses and evaluate them on standard federated datasets.
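The abstract names two server-side defenses, norm clipping and "weak" differential privacy, without showing how they act on client updates. The following is an added illustration, not code from the paper or from TensorFlow Federated: a minimal federated-averaging aggregator that bounds the L2 norm of every client delta before averaging and optionally adds Gaussian noise. The client updates, the clipping bound of 1.0, and the noise recipe (noise standard deviation = multiplier × bound / number of clients, the usual DP-FedAvg shape) are all assumptions chosen for the demonstration, not the paper's parameters.

```python
import math
import random
from typing import List, Optional, Sequence

Vector = List[float]


def l2_norm(v: Sequence[float]) -> float:
    """Euclidean norm of a flat parameter-delta vector."""
    return math.sqrt(sum(x * x for x in v))


def clip_update(update: Sequence[float], bound: float) -> Vector:
    """Rescale `update` so its L2 norm is at most `bound`.

    Updates already within the bound are returned unchanged. A larger
    update is scaled down, which caps how far any single client can move
    the global model in one round regardless of how its data was labeled.
    """
    norm = l2_norm(update)
    if norm <= bound:
        return list(update)
    scale = bound / norm
    return [x * scale for x in update]


def aggregate(updates: Sequence[Sequence[float]], bound: float,
              noise_multiplier: float = 0.0,
              rng: Optional[random.Random] = None) -> Vector:
    """Server-side aggregation: clip each client delta, average, add noise.

    noise_multiplier == 0 gives plain norm clipping. A small positive value
    adds Gaussian noise with std noise_multiplier * bound / n to the mean,
    the "weak" differential-privacy setting (assumed recipe, see lead-in).
    """
    n = len(updates)
    dim = len(updates[0])
    clipped = [clip_update(u, bound) for u in updates]
    mean = [sum(c[i] for c in clipped) / n for i in range(dim)]
    if noise_multiplier > 0:
        rng = rng or random.Random(0)
        std = noise_multiplier * bound / n
        mean = [m + rng.gauss(0.0, std) for m in mean]
    return mean


def max_single_client_influence(bound: float, n: int) -> float:
    """Largest L2 shift of the averaged update any one clipped client can cause."""
    return bound / n


# Constructed round: three clients send small, mutually consistent deltas
# and a fourth sends a delta roughly fifty times larger in norm.
HONEST_UPDATES = [[0.5, 0.5, 0.0], [0.4, 0.6, 0.1], [0.6, 0.4, -0.1]]
LARGE_UPDATE = [30.0, -30.0, 20.0]


def compare_round(bound: float = 1.0):
    """Return (unclipped mean, clipped mean) for the constructed round."""
    updates = HONEST_UPDATES + [LARGE_UPDATE]
    unclipped = aggregate(updates, bound=float("inf"))
    clipped = aggregate(updates, bound=bound)
    return unclipped, clipped


if __name__ == "__main__":
    without, with_clip = compare_round()
    print("no clipping :", [round(x, 3) for x in without])
    print("clip to 1.0 :", [round(x, 3) for x in with_clip])
    print("max shift per client:", max_single_client_influence(1.0, 4))
```

Without clipping, the fourth client's delta dominates the averaged update; with the bound in place its contribution to the mean has norm at most bound / n, the same ceiling every honest client faces, which is why the abstract can report that clipping blunts the attack without hurting the main task. The noise path adds a second, independent limit on what any single client's update reveals or imposes.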

Submitted to arXiv on 18 Nov. 2019


Results of the summarizing process for the arXiv paper: 1911.07963v2

In federated learning, where data is decentralized across many devices or servers, detecting and defending against adversarial attacks is a significant challenge. This paper studies backdoor attacks in that setting: attacks that aim to degrade the model's performance on specific targeted tasks while keeping its performance on the primary task high. What distinguishes this study is that non-malicious clients are allowed to hold accurately labeled samples from the targeted tasks. The attacks and corresponding defenses are analyzed on the EMNIST dataset, which mirrors real deployments by being user-partitioned and non-iid (not independent and identically distributed). The findings show that, without defenses, the success of an attack depends on factors such as the proportion of adversaries present and the complexity of the targeted task. The experiments further show that norm clipping and "weak" differential privacy mitigate these attacks without compromising overall model performance. The authors implemented the attacks and defenses in TensorFlow Federated (TFF), a framework for federated learning, and open-sourced the code so that other researchers can develop new attacks and defenses and evaluate them on established federated datasets. The study thus clarifies how backdoor attacks behave in federated learning environments and underlines the value of robust, performance-preserving defenses.
Created on 05 Dec. 2024
