TY - JOUR
T1 - A federated learning attack method based on edge collaboration via cloud
AU - Yang, Jie
AU - Baker, Thar
AU - Gill, Sukhpal Singh
AU - Yang, Xiaochuan
AU - Han, Weifeng
AU - Li, Yuanzhang
N1 - Publisher Copyright: © 2022 John Wiley & Sons Ltd.
PY - 2022
Y1 - 2022
N2 - Federated learning (FL) is widely used in edge-cloud collaborative training due to its distributed architecture and privacy-preserving properties without sharing local data. FLTrust, the most state-of-the-art FL defense method, is a federated learning defense system with trust guidance. However, we found that FLTrust is not very robust. Therefore, in the edge collaboration scenario, we mainly study the poisoning attack on the FLTrust defense system. Due to the aggregation rule, FLTrust, with trust guidance, the model updates of participants with a significant deviation from the root gradient direction will be eliminated, which makes the poisoning effect on the global model not obvious. To solve this problem, under the premise of not being deleted by the FLTrust aggregation rules, we construct malicious model updates that deviate from the trust gradient to the greatest extent to achieve model poisoning attacks. First, we utilize the rotation of high-dimensional vectors around axes to construct malicious vectors with fixed orientations. Second, the malicious vector is constructed by the gradient inversion method to achieve an efficient and fast attack. Finally, a method of optimizing random noise is used to construct a malicious vector with a fixed direction. Experimental results show that our attack method reduces the model accuracy by 20%, severely undermining the usability of the model. Attacks are also successful hundreds of times faster than the FLTrust adaptive attack method.
KW - Byzantine-robust attack
KW - collaborative edge computing
KW - federated learning
KW - poisoning attacks
UR - http://www.scopus.com/inward/record.url?scp=85144020607&partnerID=8YFLogxK
U2 - 10.1002/spe.3180
DO - 10.1002/spe.3180
M3 - Article
AN - SCOPUS:85144020607
SN - 0038-0644
JO - Software - Practice and Experience
JF - Software - Practice and Experience
ER -