FedPerturb: Covert Poisoning Attack on Federated Learning via Partial Perturbation

Tongsai Jin; Zhihui Fu; Dan Meng; Jun Wang; Yue Qi; Guitao Cao

doi:10.3233/FAIA230393

FedPerturb: Covert Poisoning Attack on Federated Learning via Partial Perturbation

Tongsai Jin, Zhihui Fu, Dan Meng, Jun Wang, Yue Qi, Guitao Cao^*

^*Corresponding author for this work

Software Engineering Institute

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Federated learning breaks through the barrier of data owners by allowing them to collaboratively train a federated machine learning model without compromising the privacy of their own data. However, Federation Learning also faces the threat of poisoning attacks, especially from the client model updates, which may impair the accuracy of the global model. To defend against the poisoning attacks, previous work aims to identify the malicious updates in high dimensional spaces. However, we find that the distances in high dimensional spaces cannot identify the changes in a small subset of dimensions, and the small changes may affect the global models severely. Based on this finding, we propose an untargeted poisoning attack under the federated learning setting via the partial perturbations on a small subset of the carefully selected model parameters, and present two attack object selection strategies. We experimentally demonstrate that the proposed attack scheme achieves high attack success rate on five state-of-the-art defense schemes. Furthermore, the proposed attack scheme remains effective at low malicious client ratios and still circumvents three defense schemes with a malicious client ratio as low as 2%.

Original language	English
Title of host publication	ECAI 2023 - 26th European Conference on Artificial Intelligence, including 12th Conference on Prestigious Applications of Intelligent Systems, PAIS 2023 - Proceedings
Editors	Kobi Gal, Kobi Gal, Ann Nowe, Grzegorz J. Nalepa, Roy Fairstein, Roxana Radulescu
Publisher	IOS Press BV
Pages	1172-1179
Number of pages	8
ISBN (Electronic)	9781643684369
DOIs	https://doi.org/10.3233/FAIA230393
State	Published - 28 Sep 2023
Event	26th European Conference on Artificial Intelligence, ECAI 2023 - Krakow, Poland Duration: 30 Sep 2023 → 4 Oct 2023

Publication series

Name	Frontiers in Artificial Intelligence and Applications
Volume	372
ISSN (Print)	0922-6389
ISSN (Electronic)	1879-8314

Conference

Conference	26th European Conference on Artificial Intelligence, ECAI 2023
Country/Territory	Poland
City	Krakow
Period	30/09/23 → 4/10/23

Access to Document

10.3233/FAIA230393

Cite this

Jin, T., Fu, Z., Meng, D., Wang, J., Qi, Y., & Cao, G. (2023). FedPerturb: Covert Poisoning Attack on Federated Learning via Partial Perturbation. In K. Gal, K. Gal, A. Nowe, G. J. Nalepa, R. Fairstein, & R. Radulescu (Eds.), ECAI 2023 - 26th European Conference on Artificial Intelligence, including 12th Conference on Prestigious Applications of Intelligent Systems, PAIS 2023 - Proceedings (pp. 1172-1179). (Frontiers in Artificial Intelligence and Applications; Vol. 372). IOS Press BV. https://doi.org/10.3233/FAIA230393

Jin, Tongsai ; Fu, Zhihui ; Meng, Dan et al. / FedPerturb : Covert Poisoning Attack on Federated Learning via Partial Perturbation. ECAI 2023 - 26th European Conference on Artificial Intelligence, including 12th Conference on Prestigious Applications of Intelligent Systems, PAIS 2023 - Proceedings. editor / Kobi Gal ; Kobi Gal ; Ann Nowe ; Grzegorz J. Nalepa ; Roy Fairstein ; Roxana Radulescu. IOS Press BV, 2023. pp. 1172-1179 (Frontiers in Artificial Intelligence and Applications).

@inproceedings{f0f3752c41cc45b7bbb93aed478ed106,

title = "FedPerturb: Covert Poisoning Attack on Federated Learning via Partial Perturbation",

abstract = "Federated learning breaks through the barrier of data owners by allowing them to collaboratively train a federated machine learning model without compromising the privacy of their own data. However, Federation Learning also faces the threat of poisoning attacks, especially from the client model updates, which may impair the accuracy of the global model. To defend against the poisoning attacks, previous work aims to identify the malicious updates in high dimensional spaces. However, we find that the distances in high dimensional spaces cannot identify the changes in a small subset of dimensions, and the small changes may affect the global models severely. Based on this finding, we propose an untargeted poisoning attack under the federated learning setting via the partial perturbations on a small subset of the carefully selected model parameters, and present two attack object selection strategies. We experimentally demonstrate that the proposed attack scheme achieves high attack success rate on five state-of-the-art defense schemes. Furthermore, the proposed attack scheme remains effective at low malicious client ratios and still circumvents three defense schemes with a malicious client ratio as low as 2\%.",

author = "Tongsai Jin and Zhihui Fu and Dan Meng and Jun Wang and Yue Qi and Guitao Cao",

note = "Publisher Copyright: {\textcopyright} 2023 The Authors.; 26th European Conference on Artificial Intelligence, ECAI 2023 ; Conference date: 30-09-2023 Through 04-10-2023",

year = "2023",

month = sep,

day = "28",

doi = "10.3233/FAIA230393",

language = "英语",

series = "Frontiers in Artificial Intelligence and Applications",

publisher = "IOS Press BV",

pages = "1172--1179",

editor = "Kobi Gal and Kobi Gal and Ann Nowe and Nalepa, \{Grzegorz J.\} and Roy Fairstein and Roxana Radulescu",

booktitle = "ECAI 2023 - 26th European Conference on Artificial Intelligence, including 12th Conference on Prestigious Applications of Intelligent Systems, PAIS 2023 - Proceedings",

address = "荷兰",

}

Jin, T, Fu, Z, Meng, D, Wang, J, Qi, Y & Cao, G 2023, FedPerturb: Covert Poisoning Attack on Federated Learning via Partial Perturbation. in K Gal, K Gal, A Nowe, GJ Nalepa, R Fairstein & R Radulescu (eds), ECAI 2023 - 26th European Conference on Artificial Intelligence, including 12th Conference on Prestigious Applications of Intelligent Systems, PAIS 2023 - Proceedings. Frontiers in Artificial Intelligence and Applications, vol. 372, IOS Press BV, pp. 1172-1179, 26th European Conference on Artificial Intelligence, ECAI 2023, Krakow, Poland, 30/09/23. https://doi.org/10.3233/FAIA230393

FedPerturb: Covert Poisoning Attack on Federated Learning via Partial Perturbation. / Jin, Tongsai; Fu, Zhihui; Meng, Dan et al.
ECAI 2023 - 26th European Conference on Artificial Intelligence, including 12th Conference on Prestigious Applications of Intelligent Systems, PAIS 2023 - Proceedings. ed. / Kobi Gal; Kobi Gal; Ann Nowe; Grzegorz J. Nalepa; Roy Fairstein; Roxana Radulescu. IOS Press BV, 2023. p. 1172-1179 (Frontiers in Artificial Intelligence and Applications; Vol. 372).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - FedPerturb

T2 - 26th European Conference on Artificial Intelligence, ECAI 2023

AU - Jin, Tongsai

AU - Fu, Zhihui

AU - Meng, Dan

AU - Wang, Jun

AU - Qi, Yue

AU - Cao, Guitao

PY - 2023/9/28

Y1 - 2023/9/28

N2 - Federated learning breaks through the barrier of data owners by allowing them to collaboratively train a federated machine learning model without compromising the privacy of their own data. However, Federation Learning also faces the threat of poisoning attacks, especially from the client model updates, which may impair the accuracy of the global model. To defend against the poisoning attacks, previous work aims to identify the malicious updates in high dimensional spaces. However, we find that the distances in high dimensional spaces cannot identify the changes in a small subset of dimensions, and the small changes may affect the global models severely. Based on this finding, we propose an untargeted poisoning attack under the federated learning setting via the partial perturbations on a small subset of the carefully selected model parameters, and present two attack object selection strategies. We experimentally demonstrate that the proposed attack scheme achieves high attack success rate on five state-of-the-art defense schemes. Furthermore, the proposed attack scheme remains effective at low malicious client ratios and still circumvents three defense schemes with a malicious client ratio as low as 2%.

AB - Federated learning breaks through the barrier of data owners by allowing them to collaboratively train a federated machine learning model without compromising the privacy of their own data. However, Federation Learning also faces the threat of poisoning attacks, especially from the client model updates, which may impair the accuracy of the global model. To defend against the poisoning attacks, previous work aims to identify the malicious updates in high dimensional spaces. However, we find that the distances in high dimensional spaces cannot identify the changes in a small subset of dimensions, and the small changes may affect the global models severely. Based on this finding, we propose an untargeted poisoning attack under the federated learning setting via the partial perturbations on a small subset of the carefully selected model parameters, and present two attack object selection strategies. We experimentally demonstrate that the proposed attack scheme achieves high attack success rate on five state-of-the-art defense schemes. Furthermore, the proposed attack scheme remains effective at low malicious client ratios and still circumvents three defense schemes with a malicious client ratio as low as 2%.

UR - https://www.scopus.com/pages/publications/85175835959

U2 - 10.3233/FAIA230393

DO - 10.3233/FAIA230393

M3 - 会议稿件

AN - SCOPUS:85175835959

T3 - Frontiers in Artificial Intelligence and Applications

SP - 1172

EP - 1179

BT - ECAI 2023 - 26th European Conference on Artificial Intelligence, including 12th Conference on Prestigious Applications of Intelligent Systems, PAIS 2023 - Proceedings

A2 - Gal, Kobi

A2 - Nowe, Ann

A2 - Nalepa, Grzegorz J.

A2 - Fairstein, Roy

A2 - Radulescu, Roxana

PB - IOS Press BV

Y2 - 30 September 2023 through 4 October 2023

ER -

Jin T, Fu Z, Meng D, Wang J, Qi Y, Cao G. FedPerturb: Covert Poisoning Attack on Federated Learning via Partial Perturbation. In Gal K, Gal K, Nowe A, Nalepa GJ, Fairstein R, Radulescu R, editors, ECAI 2023 - 26th European Conference on Artificial Intelligence, including 12th Conference on Prestigious Applications of Intelligent Systems, PAIS 2023 - Proceedings. IOS Press BV. 2023. p. 1172-1179. (Frontiers in Artificial Intelligence and Applications). doi: 10.3233/FAIA230393

FedPerturb: Covert Poisoning Attack on Federated Learning via Partial Perturbation

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this