Litcius/Paper detail

Detecting Malicious Model Updates from Federated Learning on Conditional Variational Autoencoder

Zhipin Gu, Yuexiang Yang

202141 citationsDOI

Abstract

In federated learning, the central server combines local model updates from the clients in the network to create an aggregated model. To protect clients' privacy, the server is designed to have no visibility into how these updates are generated. The nature of federated learning makes detecting and defending against malicious model updates a challenging task. Unlike existing works that struggle to defend against Byzantine clients, the paper considers defending against targeted model poisoning attack in the federated learning setting. The adversary aims to reduce the model performance on targeted subtasks while maintaining the main task's performance. This paper proposes Fedcvae, a robust and unsupervised federated learning framework where the central server uses conditional variational autoencoder to detect and exclude malicious model updates. Since the reconstruction error of malicious updates is much larger than that of benign ones, it can be used as an anomaly score. We formulate a dynamic threshold of reconstruction error to differentiate malicious updates from normal ones based on this idea. Fedcvae is tested with extensive experiments on IID and non-IID federated benchmarks, showing a competitive performance over existing aggregation methods under Byzantine attack and targeted model poisoning attack.

Topics & Concepts

AutoencoderComputer scienceFederated learningTask (project management)AdversaryServerAnomaly detectionComputer securityArtificial intelligenceDeep learningVisibilitySoftware deploymentMachine learningComputer networkManagementOperating systemOpticsEconomicsPhysicsAdversarial Robustness in Machine LearningAnomaly Detection Techniques and ApplicationsDomain Adaptation and Few-Shot Learning