Attack of the Tails: Yes, You Really Can Backdoor Federated Learning

Wang, Hongyi; Sreenivasan, Kartik; Rajput, Shashank; Vishwakarma, Harit; Agarwal, Saurabh; Sohn, Jy-yong; Lee, Kangwook; Papailiopoulos, Dimitris S.

doi:10.48550/arxiv.2007.05084

Cited by 29 publications

(25 citation statements)

References 56 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• Edge Backdoor: the authors in [65] suggested a type of Backdoor attack that relied on using rare data pieces, i.e., edge samples of the dataset with adversarial labels, for local training so the resulting model will only misclassify those rare inputs. One benefit of this method is that gradient-based defense techniques are unlikely to detect this attack [65]. The attacker uses an edge case dataset D extracted from D. Then it performs standard local training aiming to maximize the accuracy.…”

Section: A Targeting Integrity and Availabilitymentioning

confidence: 99%

On the Security & Privacy in Federated Learning

Abad¹,

Picek²,

Ramírez-Durán³

et al. 2021

Preprint

View full text Add to dashboard Cite

Advances in Machine Learning (ML) and its wide range of applications boosted its popularity. Recent privacy awareness initiatives as the EU General Data Protection Regulation (GDPR) -European Parliament and Council Regulation No 2016/679, subdued ML to privacy and security assessments. Federated Learning (FL) grants a privacy-driven, decentralized training scheme that improves ML models' security. The industry's fast-growing adaptation and security evaluations of FL technology exposed various vulnerabilities. Depending on the FL phase, i.e., training or inference, the adversarial actor capabilities, and the attack type threaten FL's confidentiality, integrity, or availability (CIA). Therefore, the researchers apply the knowledge from distinct domains as countermeasures, like cryptography and statistics.This work assesses the CIA of FL by reviewing the state-of-theart (SoTA) for creating a threat model that embraces the attack's surface, adversarial actors, capabilities, and goals. We propose the first unifying taxonomy for attacks and defenses by applying this model. Additionally, we provide critical insights extracted by applying the suggested novel taxonomies to the SoTA, yielding promising future research directions.

show abstract

Section: A Targeting Integrity and Availabilitymentioning

confidence: 99%

On the Security & Privacy in Federated Learning

Abad¹,

Picek²,

Ramírez-Durán³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Such adversarial goals can be achieved by Byzantine attacks [25], [28], [33], [38], [92], where some participants inside the collaborative learning system can conduct inappropriate behaviors, and propagate wrong information, leading to the failure of the learning system. On the other hand, backdoor attacks try to inject predefined malicious training samples, i.e., backdoors, into a victim model while maintaining the performance of the primary task [31], [93]- [102]. The backdoors would be activated if a input sample contains the injected triggers.…”

Section: A Integrity Threatsmentioning

confidence: 99%

“…Backdoor [97],Wang [31] Clean Federated Tolpegin [100] Unclean Federated DBA [101] Unclean Federated Sun [99] Unclean Federated Sun [53] Federated Bagdasaryan [30] Federated Fang [92] Federated Bhagoji [25] Federated entire training process, but only for one or a few participants. Based on the above assumption, Nguyen et al [97] indicated that the collaborative learning based IoT intrusion detection systems are vulnerable to backdoor attacks and proposed a data poisoning attack method.…”

Section: B Backdoor Attacks 1) Data Poisoningmentioning

confidence: 99%

“…Finally, an adversary can gradually poison the detection model by only using compromised IoT devices to inject small amounts of malicious data into the training process. From another perspective, Wang et al [31] focused on attacking algorithms that leverage data from the tail of the input data distribution. Then, they established in theory that, if a model is vulnerable to adversarial examples, under mild conditions, backdoor attacks are unavoidable.…”

Section: B Backdoor Attacks 1) Data Poisoningmentioning

confidence: 99%

“…For example, malicious participants poison their training datasets with some carefully crafted malicious triggers. Then, at each iteration, they generate malicious updates with the triggers and gradually inject such triggers as backdoors into the global model by sharing the malicious updates to earn extra profit or increase their advantages [30], [31]. Adversaries can also disguise as participants to join the collaborative learning process and destroy the learning process by sending malicious updates to their neighborhoods or parameter servers [25], [32], [33].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Robust and Privacy-Preserving Collaborative Learning: A Comprehensive Survey

Guo¹,

Zhang²,

Yang³

et al. 2021

Preprint

View full text Add to dashboard Cite

With the rapid demand of data and computational resources in deep learning systems, a growing number of algorithms to utilize collaborative machine learning techniques, for example, federated learning, to train a shared deep model across multiple participants. It could effectively take advantage of resource of each participant and obtain a more powerful learning system. However, integrity and privacy threats in such systems have greatly obstructed the applications of collaborative learning. And a large amount of works have been proposed to maintain the model integrity and mitigate the privacy leakage of training data during the training phase for different collaborate learning systems. Compared with existing surveys that mainly focus on one specific collaborate learning system, this survey aims to provide a systematic and comprehensive review of security and privacy researches in collaborative learning. Our survey first provides the system overview of collaborative learning, followed by an brief introduction of integrity and privacy threats. In an organized way, we then detail the existing integrity and privacy attacks as well as their defenses. We also list some open problems in this area and opensource the related papers on GitHub: https://github.com/csl-cqu/awesome-secure-collebrativelearning-papers.

show abstract