An Experimental Study of Byzantine-Robust Aggregation Schemes in Federated Learning
Uppsala University, Disciplinary Domain of Science and Technology, Mathematics and Computer Science, Department of Information Technology, Computer Systems; Uppsala University, Disciplinary Domain of Science and Technology, Mathematics and Computer Science, Department of Information Technology, Division of Computer Systems. ORCID iD: 0000-0003-0145-3127
Department of Electrical and Electronic Engineering, The University of Hong Kong, Hong Kong, China. ORCID iD: 0000-0002-3454-8731
Uppsala University, Disciplinary Domain of Science and Technology, Technology, Department of Electrical Engineering, Networked Embedded Systems; RISE, the Research Institutes of Sweden, Stockholm, Sweden. ORCID iD: 0000-0002-2586-8573
2023 (English). In: IEEE Transactions on Big Data, E-ISSN 2332-7790. Article in journal (Refereed). Epub ahead of print.
Abstract [en]

Byzantine-robust federated learning aims at mitigating Byzantine failures during the federated training process, where malicious participants (known as Byzantine clients) may upload arbitrary local updates to the central server in order to degrade the performance of the global model. In recent years, several robust aggregation schemes have been proposed to defend against malicious updates from Byzantine clients and improve the robustness of federated learning. These solutions were claimed to be Byzantine-robust under certain assumptions. Meanwhile, new attack strategies are emerging that strive to circumvent the defense schemes. However, there is a lack of systematic comparison and empirical study of them. In this paper, we conduct an experimental study of Byzantine-robust aggregation schemes under different attacks using two popular algorithms in federated learning, FedSGD and FedAvg. We first survey existing Byzantine attack strategies, as well as Byzantine-robust aggregation schemes that aim to defend against Byzantine attacks. We also propose a new scheme, ClippedClustering, to enhance the robustness of a clustering-based scheme by automatically clipping the updates. Then we provide an experimental evaluation of eight aggregation schemes in the scenario of five different Byzantine attacks. Our experimental results show that these aggregation schemes sustain relatively high accuracy in some cases, but they are not effective in all cases. In particular, our proposed ClippedClustering successfully defends against most attacks under independent and identically distributed (IID) local datasets. However, when the local datasets are Non-IID, the performance of all the aggregation schemes significantly decreases. With Non-IID data, some of these aggregation schemes fail even in the complete absence of Byzantine clients. Based on our experimental study, we conclude that the robustness of all the aggregation schemes is limited, highlighting the need for new defense strategies, in particular for Non-IID datasets.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2023.
Keywords [en]
Byzantine attacks, distributed learning, federated learning, neural networks, robustness
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:uu:diva-494317
DOI: 10.1109/tbdata.2023.3237397
OAI: oai:DiVA.org:uu-494317
DiVA, id: diva2:1727796
Funder
Swedish Research Council, 2017-04543
EU, Horizon 2020, 101015922
Available from: 2023-01-17. Created: 2023-01-17. Last updated: 2024-11-20. Bibliographically approved.
In thesis
1. Robust Federated Learning: Defending Against Byzantine and Jailbreak Attacks
2024 (English). Doctoral thesis, comprehensive summary (Other academic).
Abstract [en]

Federated Learning (FL) has emerged as a promising paradigm for training collaborative machine learning models across multiple participants while preserving data privacy. It is particularly valuable in privacy-sensitive domains like healthcare and finance. Recently, FL has been explored to harness the power of pre-trained Foundation Models (FMs) for downstream task adaptation, enabling customization and personalization while maintaining data locality and privacy. However, FL's distributed nature makes it inherently vulnerable to adversarial attacks. Notable threats include Byzantine attacks, which inject malicious updates to degrade model performance, and jailbreak attacks, which exploit the fine-tuning process to undermine the safety alignment of FMs, leading to harmful outputs. This dissertation centers on robust FL, aiming to mitigate these threats and ensure that global models remain accurate and safe even under adversarial conditions. To mitigate Byzantine attacks, we propose several Robust Aggregation Schemes (RASs) that decrease the influence of malicious updates. Additionally, we introduce Blades, an open-source benchmarking tool to systematically study the interplay between attacks and defenses in FL, offering insights into the effects of data heterogeneity, differential privacy, and momentum on RAS robustness. Exploring the synergy between FL and FMs, we present a taxonomy of research organized around adaptivity, efficiency, and trustworthiness. We uncover a novel attack, "PEFT-as-an-Attack" (PaaA), where malicious FL participants jailbreak FMs through Parameter-Efficient Fine-Tuning (PEFT) with harmful data. We evaluate defenses against PaaA and highlight critical gaps, emphasizing the need for advanced strategies balancing safety and utility in FL-FM systems. In summary, this dissertation advances FL robustness by proposing novel defenses, tools, and insights while exposing emerging attack vectors. These contributions pave the way for attack-resilient distributed machine learning systems capable of withstanding both current and emerging threats.

Place, publisher, year, edition, pages
Uppsala: Acta Universitatis Upsaliensis, 2024. p. 54
Series
Digital Comprehensive Summaries of Uppsala Dissertations from the Faculty of Science and Technology, ISSN 1651-6214 ; 2477
Keywords
Federated learning, Jailbreak attack, Parameter-Efficient Fine-Tuning, Pre-trained Language Model, Robustness
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:uu:diva-540441
ISBN: 978-91-513-2312-1
Public defence
2025-01-16, 101121, Sonja Lyttkens, Ångström, Regementsvägen 1, Uppsala, 09:00 (English)
Available from: 2024-12-17 Created: 2024-11-20 Last updated: 2024-12-17


Authority records

Li, Shenghui; Ngai, Edith C.-H.; Voigt, Thiemo
