Title: Fabricated Flips: Poisoning Federated Learning without Data
Authors: Huang, J. (TU Delft Data-Intensive Systems); Zhao, Z. (TU Delft Data-Intensive Systems); Chen, Lydia Y. (TU Delft Data-Intensive Systems); Roos, S. (TU Delft Data-Intensive Systems)
Contributor: O'Conner, Lisa (editor)
Date: 2023

Abstract:
Attacks on Federated Learning (FL) can severely reduce the quality of the generated models and limit the usefulness of this emerging learning paradigm that enables on-premise decentralized learning. However, existing untargeted attacks are not practical for many scenarios as they assume that i) the attacker knows every update of benign clients, or ii) the attacker has a large dataset to locally train updates imitating benign parties. In this paper, we propose a data-free untargeted attack (DFA) that synthesizes malicious data to craft adversarial models without eavesdropping on the transmission of benign clients at all or requiring a large quantity of task-specific training data. We design two variants of DFA, namely DFA-R and DFA-G, which differ in how they trade off stealthiness and effectiveness. Specifically, DFA-R iteratively optimizes a malicious data layer to minimize the prediction confidence of all outputs of the global model, whereas DFA-G interactively trains a malicious data generator network by steering the output of the global model toward a particular class. Experimental results on Fashion-MNIST, CIFAR-10, and SVHN show that DFA, despite requiring fewer assumptions than existing attacks, achieves a similar or even higher attack success rate than state-of-the-art untargeted attacks against various state-of-the-art defense mechanisms. Concretely, they can evade all considered defense mechanisms in at least 50% of the cases for CIFAR-10 and often reduce the accuracy by more than a factor of 2. Consequently, we design REFD, a defense specifically crafted to protect against data-free attacks. REFD leverages a reference dataset to detect updates that are biased or have a low confidence. It greatly improves upon existing defenses by filtering out the malicious updates and achieves high global model accuracy.

Subject: data heterogeneity; data-free attack; Federated learning; untargeted attack
To reference this document use: http://resolver.tudelft.nl/uuid:2de3287f-1c61-4c06-a185-3315352bc352
DOI: https://doi.org/10.1109/DSN58367.2023.00036
Publisher: IEEE, Piscataway
Embargo date: 2024-02-09
ISBN: 979-8-3503-4794-4
Source: Proceedings of the 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2023
Event: 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2023, 2023-06-27 → 2023-06-30, Porto, Portugal
Bibliographical note: Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project, https://www.openaccess.nl/en/you-share-we-take-care. Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
Part of collection: Institutional Repository
Document type: conference paper
Rights: © 2023 J. Huang, Z. Zhao, Lydia Y. Chen, S. Roos
Files: Fabricated_Flips_Poisonin ... t_Data.pdf (PDF, 1.43 MB)