Characterizing Internal Evasion Attacks in Federated Learning
Format | Journal Article
Language | English
Published | 17.09.2022
Summary | Federated learning allows clients in a distributed system to jointly train a machine learning model. However, clients' models are vulnerable to attacks during both the training and testing phases. In this paper, we address the issue of adversarial clients performing "internal evasion attacks": crafting evasion attacks at test time to deceive other clients. For example, adversaries may aim to deceive spam filters and recommendation systems trained with federated learning for monetary gain. Adversarial clients have extensive information about the victim model in a federated learning setting, since weight information is shared amongst clients. We are the first to characterize the transferability of such internal evasion attacks across different learning methods and to analyze the trade-off between model accuracy and robustness as a function of the degree of similarity in client data. We show that adversarial training defenses in the federated learning setting yield only limited improvements against internal attacks. However, combining adversarial training with personalized federated learning frameworks increases relative internal attack robustness by 60% compared to federated adversarial training, and performs well under limited system resources.
DOI | 10.48550/arxiv.2209.08412
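
The abstract's central premise is that weight sharing gives an adversarial client white-box access to the victim model. Below is a minimal sketch of such an internal evasion attack using projected gradient descent (PGD), a standard white-box evasion method; the abstract does not name a specific attack, so PGD and all names and hyperparameters here are illustrative assumptions, not the paper's implementation.

```python
# Sketch (not from the paper): an adversarial client abuses federated weight
# sharing. Because it receives the global model each round, it can run
# white-box PGD against its own local copy and send the resulting adversarial
# inputs to other clients at test time. `model`, `x`, `y`, and the
# hyperparameters are hypothetical placeholders.
import torch
import torch.nn.functional as F

def pgd_evasion(model, x, y, eps=8/255, alpha=2/255, steps=10):
    """L-infinity PGD: perturb x within an eps-ball so the model misclassifies it."""
    x_adv = x.clone().detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        # Ascend the loss, then project back into the eps-ball around x
        # and the valid input range [0, 1].
        x_adv = x_adv.detach() + alpha * grad.sign()
        x_adv = torch.clamp(x_adv, x - eps, x + eps).clamp(0.0, 1.0)
    return x_adv
```

In this setting, `model` is the attacker's local copy of the shared global model. Under personalized federated learning, each victim's deployed model diverges from that shared copy, so the crafted examples transfer less reliably, which is consistent with the abstract's finding that personalization improves robustness to internal attacks.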