FedRAD: Federated Robust Adaptive Distillation

Páll, Sturluson, Stefán; Samuel, Trew,; Muñoz-González, Luis; Grama, Matei; Passerat–Palmbach, Jonathan; Rueckert, Daniel; Alansary, Amir

doi:10.48550/arxiv.2112.01405

Cited by 3 publications

(4 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…FedDF is regarded as a backdoor defense as recent studies (Li et al 2021) have shown that distillation is effective in removing backdoor from general (non-FL) backdoored models. FedRAD (Sturluson et al 2021) extends FedDF by giving each client a median-based score s i , which measures the frequency that the client output logits become the median for class predictions. FedRAD normalizes the score to a weight s i / K i=1 (s i ) and use the weight for model aggregation:…”

Section: Attacking Model-refinement Defensesmentioning

confidence: 99%

On the Vulnerability of Backdoor Defenses for Federated Learning

Fang¹,

Chen²

2023

Preprint

View full text Add to dashboard Cite

Federated Learning (FL) is a popular distributed machine learning paradigm that enables jointly training a global model without sharing clients' data. However, its repetitive serverclient communication gives room for backdoor attacks with aim to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack method for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.

show abstract

Section: Attacking Model-refinement Defensesmentioning

confidence: 99%

On the Vulnerability of Backdoor Defenses for Federated Learning

Fang¹,

Chen²

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…The distillation process of [140] assumes that clean data is available to the defender. This requirement is also inherited by FedRAD [141], a knowledge distillation based defense for FL. FedRAD needs to prepare synthetic data [142] on the central server for model evaluation.…”

Section: Model Cleansingmentioning

confidence: 99%

A Survey on Vulnerability of Federated Learning: A Learning Algorithm Perspective

XIE,

Hu,

Ren

et al. 2023

Preprint

View full text Add to dashboard Cite

“…FedRAD (Sturluson et al 2021) extends FedDF by giving each client a median-based score s i , which measures the frequency that the client output logits become the median for class predictions. FedRAD normalizes the score to a weight s i / K i=1 (s i ) and use the weight for model aggregation.…”

Section: Attacking Model-refinement Defensesmentioning

confidence: 99%

“…Based on the different defense mechanisms they adopt, the federated backdoor defenses can be classified into three major categories: model-refinement, robust-aggregation, and certifiedrobustness. Model-refinement defenses attempt to refine the global model to erase the possible backdoor, through methods such as fine-tuning (Wu et al 2020) or distillation (Lin et al 2020;Sturluson et al 2021). Intuitively, distillation or pruning-based FL can also be more robust to current federated backdoor attacks as recent studies on backdoor defenses (Li et al 2021;Liu, Dolan-Gavitt, and Garg 2018) have shown that such methods are effective in removing backdoor from general (non-FL) backdoored models.…”

Section: Introductionmentioning

confidence: 99%

On the Vulnerability of Backdoor Defenses for Federated Learning

Fang

Chen

2023

AAAI

View full text Add to dashboard Cite

Federated learning (FL) is a popular distributed machine learning paradigm which enables jointly training a global model without sharing clients' data. However, its repetitive server-client communication gives room for possible backdoor attacks which aims to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack framework for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of several recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.

show abstract

FedRAD: Federated Robust Adaptive Distillation

Cited by 3 publications

References 12 publications

On the Vulnerability of Backdoor Defenses for Federated Learning

On the Vulnerability of Backdoor Defenses for Federated Learning

A Survey on Vulnerability of Federated Learning: A Learning Algorithm Perspective

On the Vulnerability of Backdoor Defenses for Federated Learning

Contact Info

Product

Resources

About