Robust Federated Learning: Defending Against Byzantine and Jailbreak Attacks
Uppsala University, Disciplinary Domain of Science and Technology, Mathematics and Computer Science, Department of Information Technology, Division of Computer Systems. ORCID iD: 0000-0003-0145-3127
2024 (English). Doctoral thesis, comprehensive summary (Other academic)
Description
Abstract [en]

Federated Learning (FL) has emerged as a promising paradigm for training collaborative machine learning models across multiple participants while preserving data privacy. It is particularly valuable in privacy-sensitive domains like healthcare and finance. Recently, FL has been explored to harness the power of pre-trained Foundation Models (FMs) for downstream task adaptation, enabling customization and personalization while maintaining data locality and privacy. However, FL's distributed nature makes it inherently vulnerable to adversarial attacks. Notable threats include Byzantine attacks, which inject malicious updates to degrade model performance, and jailbreak attacks, which exploit the fine-tuning process to undermine safety alignments of FMs, leading to harmful outputs. This dissertation centers on robust FL, aiming to mitigate these threats and ensure global models remain accurate and safe even under adversarial conditions. To mitigate Byzantine attacks, we propose several Robust Aggregation Schemes (RASs) that decrease the influence of malicious updates. Additionally, we introduce Blades, an open-source benchmarking tool to systematically study the interplay between attacks and defenses in FL, offering insights into the effects of data heterogeneity, differential privacy, and momentum on RAS robustness. Exploring the synergy between FL and FMs, we present a taxonomy of research along the dimensions of adaptivity, efficiency, and trustworthiness. We uncover a novel attack, “PEFT-as-an-Attack” (PaaA), where malicious FL participants jailbreak FMs through Parameter-Efficient Fine-Tuning (PEFT) with harmful data. We evaluate defenses against PaaA and highlight critical gaps, emphasizing the need for advanced strategies balancing safety and utility in FL-FM systems. In summary, this dissertation advances FL robustness by proposing novel defenses, tools, and insights while exposing emerging attack vectors. These contributions pave the way for attack-resilient distributed machine learning systems capable of withstanding both current and emerging threats.
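
To make the Byzantine threat model concrete, the following minimal sketch (illustrative only, not code from the thesis) shows how a single malicious update can dominate plain averaging, while a simple robust aggregation scheme such as the coordinate-wise median limits its influence.

```python
# Illustrative sketch: one Byzantine update corrupts plain averaging,
# while coordinate-wise median aggregation stays near the honest updates.
# All values here are toy numbers, not from the dissertation.
import numpy as np

rng = np.random.default_rng(0)

# Nine honest clients send updates near the true gradient; one Byzantine
# client sends an arbitrarily large malicious update.
honest = [rng.normal(loc=1.0, scale=0.1, size=4) for _ in range(9)]
byzantine = [np.full(4, -100.0)]
updates = np.stack(honest + byzantine)

mean_agg = updates.mean(axis=0)          # skewed far from 1.0 by the attacker
median_agg = np.median(updates, axis=0)  # stays close to the honest updates

print("mean:  ", np.round(mean_agg, 2))
print("median:", np.round(median_agg, 2))
```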

Place, publisher, year, edition, pages
Uppsala: Acta Universitatis Upsaliensis, 2024, p. 54
Series
Digital Comprehensive Summaries of Uppsala Dissertations from the Faculty of Science and Technology, ISSN 1651-6214 ; 2477
Keywords [en]
Federated learning, Jailbreak attack, Parameter-Efficient Fine-Tuning, Pre-trained Language Model, Robustness
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:uu:diva-540441
ISBN: 978-91-513-2312-1 (print)
OAI: oai:DiVA.org:uu-540441
DiVA id: diva2:1914990
Public defence
2025-01-16, 101121, Sonja Lyttkens, Ångström, Regementsvägen 1, Uppsala, 09:00 (English)
Available from: 2024-12-17 Created: 2024-11-20 Last updated: 2024-12-17
List of papers
1. Auto-weighted Robust Federated Learning with Corrupted Data Sources
2022 (English). In: ACM Transactions on Intelligent Systems and Technology, ISSN 2157-6904, E-ISSN 2157-6912, Vol. 13, no 5, p. 1-20. Article in journal (Refereed). Published
Abstract [en]

Federated learning provides a communication-efficient and privacy-preserving training process by enabling statistical models to be learned across massive numbers of participants without accessing their local data. Standard federated learning techniques that naively minimize an average loss function are vulnerable to data corruption from outliers, systematic mislabeling, or even adversaries. In this paper, we address this challenge by proposing Auto-weighted Robust Federated Learning (ARFL), a novel approach that jointly learns the global model and the weights of local updates to provide robustness against corrupted data sources. We prove a learning bound on the expected loss with respect to the predictor and the weights of clients, which guides the definition of the objective for robust federated learning. We present an objective that minimizes the weighted sum of the clients' empirical risk with a regularization term, where the weights are allocated by comparing the empirical risk of each client with the average empirical risk of the best p clients. This method downweights the clients with significantly higher losses, thereby lowering their contributions to the global model. We show that this approach achieves robustness when the data of corrupted clients is distributed differently from that of the benign ones. To optimize the objective function, we propose a communication-efficient algorithm based on the blockwise minimization paradigm. We conduct extensive experiments on multiple benchmark datasets, including CIFAR-10, FEMNIST, and Shakespeare, considering different neural network models. The results show that our solution is robust against different scenarios including label shuffling, label flipping, and noisy features, and outperforms the state-of-the-art methods in most scenarios.
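
As a rough illustration of the weighting rule described above, the sketch below downweights clients whose empirical risk greatly exceeds the average risk of the best p clients. The concrete weighting formula here is an assumption for illustration; ARFL's actual objective and optimization differ in detail.

```python
# A minimal sketch of the auto-weighting idea: clients whose empirical risk
# is far above the average risk of the best p clients get reduced aggregation
# weight. Illustrative approximation only, not the paper's algorithm.
import numpy as np

def auto_weights(client_losses, p):
    """Return aggregation weights that downweight high-loss clients."""
    losses = np.asarray(client_losses, dtype=float)
    best_p_avg = np.sort(losses)[:p].mean()       # avg risk of best p clients
    # Weight shrinks as a client's loss exceeds the best-p average;
    # clients at or below that average keep full weight.
    excess = np.maximum(losses - best_p_avg, 0.0)
    raw = np.maximum(0.0, 1.0 - excess / best_p_avg)
    return raw / raw.sum()                        # normalize to sum to 1

# Example: the last client looks corrupted (much higher empirical risk).
print(auto_weights([0.4, 0.5, 0.45, 2.5], p=3))   # last weight -> 0
```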

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2022
Keywords
Federated learning, robustness, auto-weighted, distributed learning, neural networks
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-468353 (URN)
10.1145/3517821 (DOI)
000877952100005 ()
Funder
Swedish Research Council, 2017-04543
EU, Horizon 2020, 101015922
Available from: 2022-02-24 Created: 2022-02-24 Last updated: 2024-11-20. Bibliographically approved
2. Byzantine-Robust Aggregation in Federated Learning Empowered Industrial IoT
2023 (English). In: IEEE Transactions on Industrial Informatics, ISSN 1551-3203, E-ISSN 1941-0050, Vol. 19, no 2, p. 1165-1175. Article in journal (Refereed). Published
Abstract [en]

Federated Learning (FL) is a promising paradigm to empower on-device intelligence in the Industrial Internet of Things (IIoT) due to its capability of training machine learning models across multiple IIoT devices while preserving the privacy of their local data. However, the distributed architecture of FL relies on aggregating parameter lists from remote devices, which poses potential security risks caused by malicious devices. In this paper, we propose a flexible and robust aggregation rule, called Auto-weighted Geometric Median (AutoGM), and analyze its robustness against outliers in the inputs. To compute the value of AutoGM, we design an algorithm based on an alternating optimization strategy. Using AutoGM as the aggregation rule, we propose two robust FL solutions, AutoGM_FL and AutoGM_PFL. AutoGM_FL learns a shared global model using the standard FL paradigm, while AutoGM_PFL learns a personalized model for each device. We conduct extensive experiments on the FEMNIST and Bosch IIoT datasets. The experimental results show that our solutions are robust against both model poisoning and data poisoning attacks. In particular, our solutions sustain high performance even when 30% of the nodes perform model poisoning or 50% of the nodes perform data poisoning attacks.
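
For intuition, the snippet below sketches a geometric-median aggregation step using the standard Weiszfeld iteration. AutoGM's auto-weighting and alternating optimization are omitted, so this is an illustrative baseline rather than the paper's algorithm.

```python
# A minimal geometric-median aggregation sketch (standard Weiszfeld
# iteration). The geometric median minimizes the sum of Euclidean
# distances to all client updates, making it robust to outliers.
import numpy as np

def geometric_median(updates, iters=100, eps=1e-8):
    """Approximate the point minimizing total distance to all updates."""
    pts = np.stack(updates)
    z = pts.mean(axis=0)                       # initialize at the mean
    for _ in range(iters):
        dists = np.linalg.norm(pts - z, axis=1)
        w = 1.0 / np.maximum(dists, eps)       # inverse-distance weights
        z_new = (w[:, None] * pts).sum(axis=0) / w.sum()
        if np.linalg.norm(z_new - z) < eps:
            break
        z = z_new
    return z

# A single large outlier barely moves the geometric median.
ups = [np.ones(3), np.ones(3) * 1.1, np.ones(3) * 0.9, np.full(3, 50.0)]
print(geometric_median(ups))                   # stays near 1.0
```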

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2023
Keywords
Electrical and Electronic Engineering, Computer Science Applications, Information Systems, Control and Systems Engineering
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-458900 (URN)
10.1109/tii.2021.3128164 (DOI)
000926964700005 ()
Funder
Swedish Research Council, 2017-04543
EU, Horizon 2020, 101015922
Available from: 2021-11-17 Created: 2021-11-17 Last updated: 2024-11-20. Bibliographically approved
3. An Experimental Study of Byzantine-Robust Aggregation Schemes in Federated Learning
2023 (English). In: IEEE Transactions on Big Data, E-ISSN 2332-7790. Article in journal (Refereed). Epub ahead of print
Abstract [en]

Byzantine-robust federated learning aims at mitigating Byzantine failures during the federated training process, where malicious participants (known as Byzantine clients) may upload arbitrary local updates to the central server in order to degrade the performance of the global model. In recent years, several robust aggregation schemes have been proposed to defend against malicious updates from Byzantine clients and improve the robustness of federated learning. These solutions were claimed to be Byzantine-robust under certain assumptions. Meanwhile, new attack strategies are emerging that strive to circumvent these defense schemes. However, a systematic comparison and empirical study of these schemes has been lacking. In this paper, we conduct an experimental study of Byzantine-robust aggregation schemes under different attacks using two popular algorithms in federated learning, FedSGD and FedAvg. We first survey existing Byzantine attack strategies, as well as Byzantine-robust aggregation schemes that aim to defend against Byzantine attacks. We also propose a new scheme, ClippedClustering, to enhance the robustness of a clustering-based scheme by automatically clipping the updates. Then we provide an experimental evaluation of eight aggregation schemes under five different Byzantine attacks. Our experimental results show that these aggregation schemes sustain relatively high accuracy in some cases, but they are not effective in all cases. In particular, our proposed ClippedClustering successfully defends against most attacks under independent and identically distributed (IID) local datasets. However, when the local datasets are Non-IID, the performance of all the aggregation schemes decreases significantly. With Non-IID data, some of these aggregation schemes fail even in the complete absence of Byzantine clients. Based on our experimental study, we conclude that the robustness of all the aggregation schemes is limited, highlighting the need for new defense strategies, in particular for Non-IID datasets.
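
The automatic clipping step behind ClippedClustering can be illustrated as follows: bound each client update's norm by a data-driven threshold (here, the median norm, an assumed simplification) before a clustering-based aggregation runs. The clustering stage itself and the paper's exact threshold are omitted.

```python
# A hedged sketch of the clipping idea: scale each update so its L2 norm
# is at most the median norm across clients, so a huge malicious update
# cannot dominate the subsequent (omitted) clustering-based aggregation.
import numpy as np

def clip_updates(updates):
    """Clip each update's L2 norm to the median client norm."""
    norms = np.array([np.linalg.norm(u) for u in updates])
    threshold = np.median(norms)               # automatic, data-driven bound
    return [u * min(1.0, threshold / max(n, 1e-12))
            for u, n in zip(updates, norms)]

clipped = clip_updates([np.ones(4), np.ones(4) * 2, np.full(4, 1000.0)])
print([round(float(np.linalg.norm(u)), 2) for u in clipped])  # [2.0, 4.0, 4.0]
```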

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2023
Keywords
Byzantine attacks, distributed learning, federated learning, neural networks, robustness
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:uu:diva-494317 (URN)
10.1109/tbdata.2023.3237397 (DOI)
Funder
Swedish Research Council, 2017-04543
EU, Horizon 2020, 101015922
Available from: 2023-01-17 Created: 2023-01-17 Last updated: 2024-11-20. Bibliographically approved
4. Blades: A Unified Benchmark Suite for Byzantine Attacks and Defenses in Federated Learning
2024 (English). In: 9th ACM/IEEE Conference on Internet of Things Design and Implementation (IoTDI 2024), IEEE, 2024, p. 158-169. Conference paper, Published paper (Refereed)
Abstract [en]

Federated learning (FL) facilitates distributed training across different IoT and edge devices, safeguarding the privacy of their data. The inherent distributed structure of FL introduces vulnerabilities, especially from adversarial devices aiming to skew local updates to their advantage. Despite the plethora of research focusing on Byzantine-resilient FL, the academic community has yet to establish a comprehensive benchmark suite, pivotal for impartial assessment and comparison of different techniques. This paper presents Blades, a scalable, extensible, and easily configurable benchmark suite that supports researchers and developers in efficiently implementing and validating novel strategies against baseline algorithms in Byzantine-resilient FL. Blades contains built-in implementations of representative attack and defense strategies and offers a user-friendly interface that seamlessly integrates new ideas. Using Blades, we re-evaluate representative attacks and defenses on wide-ranging experimental configurations (approximately 1,500 trials in total). Through our extensive experiments, we gained new insights into FL robustness and highlighted previously overlooked limitations due to the absence of thorough evaluations and comparisons of baselines under various attack settings. We maintain the source code and documents at https://github.com/lishenghui/blades.
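
The attack/defense grid that such a benchmark suite automates can be sketched in a few lines of plain Python. Note that this deliberately does not use the Blades API; every name below is a hypothetical illustration of pairing attacks with defenses and recording the resulting aggregates.

```python
# Plain-Python sketch (NOT the Blades API) of benchmarking the interplay
# between Byzantine attacks and robust aggregation defenses.
import numpy as np

def signflip(honest):                 # a classic Byzantine attack
    return [-u for u in honest]

attacks = {"none": lambda h: [], "signflip": signflip}
defenses = {"mean": lambda U: np.mean(U, axis=0),
            "median": lambda U: np.median(U, axis=0)}

honest = [np.ones(2) + 0.1 * i for i in range(8)]
for a_name, attack in attacks.items():
    malicious = attack(honest[:3])    # up to 3 Byzantine clients
    U = np.stack(honest + malicious)
    for d_name, agg in defenses.items():
        print(f"{a_name:>8} vs {d_name:>6}: {np.round(agg(U), 2)}")
```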

Place, publisher, year, edition, pages
IEEE, 2024
Keywords
Byzantine attacks, distributed learning, federated learning, IoT, neural networks, robustness
National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-537577 (URN)
10.1109/IoTDI61053.2024.00018 (DOI)
001261370500014 ()
979-8-3503-7025-6 (ISBN)
979-8-3503-7026-3 (ISBN)
Conference
9th ACM/IEEE Conference on Internet of Things Design and Implementation (IoTDI), Hong Kong, People's Republic of China, May 13-16, 2024
Funder
Swedish Research Council, 2017-04543
Available from: 2024-09-05 Created: 2024-09-05 Last updated: 2024-11-20. Bibliographically approved
5. Synergizing Foundation Models and Federated Learning: A Survey
(English). Manuscript (preprint) (Other academic)
Abstract [en]

The recent development of Foundation Models (FMs), represented by large language models, vision transformers, and multimodal models, has been making a significant impact on both academia and industry. Compared with small-scale models, FMs have a much stronger demand for high-volume data during the pre-training phase. Although general FMs can be pre-trained on data collected from open sources such as the Internet, domain-specific FMs need proprietary data, posing a practical challenge regarding the amount of data available due to privacy concerns. Federated Learning (FL) is a collaborative learning paradigm that breaks down the barrier of data availability across different participants. Therefore, it provides a promising solution for customizing and adapting FMs to a wide range of domain-specific tasks using distributed datasets whilst preserving privacy. This survey paper discusses the potential and challenges of synergizing FL and FMs and summarizes core techniques, future directions, and applications.

National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-543419 (URN)
Available from: 2024-11-20 Created: 2024-11-20 Last updated: 2024-11-20
6. PEFT-as-an-Attack! Jailbreaking Language Models during Federated Parameter-Efficient Fine-Tuning
(English). Manuscript (preprint) (Other academic)
Abstract [en]

Federated Parameter-Efficient Fine-Tuning (FedPEFT) has emerged as a promising paradigm for privacy-preserving and efficient adaptation of Pre-trained Language Models (PLMs) in Federated Learning (FL) settings. It preserves data privacy by keeping the data decentralized and training the model on local devices, ensuring that raw data never leaves the user's device. Moreover, the integration of PEFT methods such as LoRA significantly reduces the number of trainable parameters compared to fine-tuning the entire model, thereby minimizing communication costs and computational overhead. Despite its potential, the security implications of FedPEFT remain underexplored. This paper introduces a novel security threat to FedPEFT, termed PEFT-as-an-Attack (PaaA), which exposes how PEFT methods can be exploited as an attack vector to circumvent PLMs' safety alignment and generate harmful content in response to malicious prompts. Our evaluation of PaaA reveals that, with less than 1% of the model's parameters set as trainable and a small subset of clients acting maliciously, the attack achieves an approximate 80% attack success rate using representative PEFT methods such as LoRA. To mitigate this threat, we further investigate potential defense strategies, including Robust Aggregation Schemes (RASs) and Post-PEFT Safety Alignment (PPSA). However, our empirical analysis highlights the limitations of these defenses: even the most advanced RASs, such as DnC and ClippedClustering, struggle to defend against PaaA in scenarios with highly heterogeneous data distributions. Similarly, while PPSA can reduce attack success rates to below 10%, it severely degrades the model's accuracy on the target task. Our results underscore the urgent need for more effective defense mechanisms that simultaneously ensure security and maintain the performance advantages of the FedPEFT paradigm.
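
The parameter efficiency that makes PaaA cheap to mount can be seen in a toy LoRA layer: with the pre-trained weight frozen, only the low-rank factors train, which is well under 1% of the layer's parameters at realistic sizes. This is a generic LoRA sketch in PyTorch, not code from the paper, and the dimensions are toy values.

```python
# A minimal LoRA sketch: a frozen pre-trained weight W is adapted through
# a low-rank product B @ A, so only a tiny fraction of parameters trains.
import torch
import torch.nn as nn

class LoRALinear(nn.Module):
    def __init__(self, d_in, d_out, rank=8):
        super().__init__()
        self.base = nn.Linear(d_in, d_out)
        self.base.weight.requires_grad_(False)   # pre-trained weight: frozen
        self.base.bias.requires_grad_(False)
        self.A = nn.Parameter(torch.randn(rank, d_in) * 0.01)  # trainable
        self.B = nn.Parameter(torch.zeros(d_out, rank))        # trainable

    def forward(self, x):
        return self.base(x) + x @ self.A.T @ self.B.T

layer = LoRALinear(4096, 4096, rank=8)
trainable = sum(p.numel() for p in layer.parameters() if p.requires_grad)
total = sum(p.numel() for p in layer.parameters())
print(f"trainable fraction: {trainable / total:.4%}")  # ~0.39%, under 1%
```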

National Category
Computer Sciences
Identifiers
urn:nbn:se:uu:diva-543432 (URN)
Available from: 2024-11-20 Created: 2024-11-20 Last updated: 2024-11-28

Open Access in DiVA

UUThesis_S-Li-2024 (849 kB), 69 downloads
File information
File name: FULLTEXT01.pdf
File size: 849 kB
Checksum (SHA-512): 405d694473dd7da4f4e5b7a82bdaeb3166f0d31bde81aa86e3c0f3561e1eef7be626e46ab76b98e6cc4e21b87e6cfb5e51024a1fe400d32dd523f9ebc5fe15fd
Type: fulltext
Mimetype: application/pdf

Authority records

Li, Shenghui
