§ Introduction
§ Distributed Backdoor Attack
§ Experiments
§ Conclusion & Discussion
Federated learning
Image reference: CMU
One Round of Federated Learning
$$G^{t+1} = G^{t} + \frac{\eta}{n}\sum_{i=1}^{n}\left(L_i^{t+1} - G^{t}\right)$$

($G^{t}$: global model at round $t$; $L_i^{t+1}$: agent $i$'s locally trained model; $n$: number of agents selected in the round; $\eta$: global learning rate)
§ the federated learning aggregator may facilitate data poisoning attacks on the shared model trained with FL
§ limited access to training data due to privacy concerns
* McMahan et al., Communication Efficient Learning of Deep Networks from Decentralized Data, AISTATS 2017
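The aggregation rule above, as an added worked example that is not code from the slides or the DBA paper: a one-round FedAvg aggregator in plain Python, plus an attacker who submits a scaled update $G^{t} + \gamma(X - G^{t})$ in the style of the model-replacement attack of Bagdasaryan et al. cited below. The 4-dimensional toy models, the honest agents' noise, and all function names are constructed for illustration. It shows why the single-shot experiments later in the deck scale the malicious update: with $\gamma = n/\eta$ the aggregate collapses onto the attacker's model $X$, whereas an unscaled update is diluted by a factor of $n$.

```python
import random


def vec_add(a, b):
    return [x + y for x, y in zip(a, b)]


def vec_sub(a, b):
    return [x - y for x, y in zip(a, b)]


def vec_scale(a, s):
    return [s * x for x in a]


def l2_norm(a):
    return sum(x * x for x in a) ** 0.5


def fedavg_round(global_model, local_models, lr=1.0):
    """One FedAvg round: G_{t+1} = G_t + (lr / n) * sum_i (L_i - G_t)."""
    n = len(local_models)
    total = [0.0] * len(global_model)
    for local in local_models:
        total = vec_add(total, vec_sub(local, global_model))
    return vec_add(global_model, vec_scale(total, lr / n))


def scaled_malicious_update(global_model, backdoored_model, gamma):
    """Model replacement: submit G_t + gamma * (X - G_t) instead of X itself.
    With gamma = n / lr the aggregator's (lr / n) factor cancels, so the
    round ends with G_{t+1} approximately equal to X."""
    delta = vec_sub(backdoored_model, global_model)
    return vec_add(global_model, vec_scale(delta, gamma))


def simulate_round(n_agents=10, lr=1.0, gamma=None, seed=0):
    """Constructed round: n_agents - 1 honest agents return G_t plus tiny
    noise; one attacker returns a scaled version of its backdoored model X."""
    rng = random.Random(seed)
    G = [0.0, 0.0, 0.0, 0.0]                 # constructed current global model
    X = [1.0, -2.0, 0.5, 3.0]                # constructed backdoored local model
    benign = [[g + rng.gauss(0.0, 0.01) for g in G] for _ in range(n_agents - 1)]
    if gamma is None:
        gamma = n_agents / lr                # the replacement factor n / eta
    malicious = scaled_malicious_update(G, X, gamma)
    submitted = benign + [malicious]
    return fedavg_round(G, submitted, lr), X, G, submitted


def backdoor_distance(n_agents=10, lr=1.0, gamma=None, seed=0):
    """L2 distance between the new global model and the attacker's X."""
    new_G, X, _, _ = simulate_round(n_agents, lr, gamma, seed)
    return l2_norm(vec_sub(new_G, X))


def update_norms(n_agents=10, lr=1.0, gamma=None, seed=0):
    """L2 norm of every submitted delta L_i - G_t, largest first."""
    _, _, G, submitted = simulate_round(n_agents, lr, gamma, seed)
    return sorted((l2_norm(vec_sub(L, G)) for L in submitted), reverse=True)


if __name__ == "__main__":
    print("scaled (gamma = n/lr): distance to X =", round(backdoor_distance(), 4))
    print("unscaled (gamma = 1):  distance to X =", round(backdoor_distance(gamma=1.0), 4))
    print("update norms, scaled round:", [round(v, 3) for v in update_norms()])
```

The update norms are the check a practitioner would run on the server: the scaled delta has L2 norm $\gamma\lVert X - G^{t}\rVert$, orders of magnitude above the honest deltas, which is what norm-clipping defenses look for and what a geometric-median aggregator such as RFA (tested against DBA later in the deck) is designed to resist.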
Backdoor Attack
* Tianyu Gu, Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. BadNets: Evaluating backdooring attacks on deep neural networks. IEEE Access, 2019.
Backdoor Attack against Federated Learning
* Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., & Shmatikov, V. How to backdoor federated learning. AISTATS 2020
* Arjun Nitin Bhagoji, Supriyo Chakraborty, Prateek Mittal, and Seraphin Calo. Analyzing federated learning through an adversarial lens. ICML. 2019.
Outline
§ Introduction
§ Distributed Backdoor Attack
§ Experiments
§ Conclusion & Discussion
DBA: Distributed Backdoor Attack
centralized backdoor attack (current setting) vs. DBA: distributed backdoor attack (ours)
§ DBA: each attacker's trigger is a local trigger; the combined whole trigger is the global trigger
§ same ultimate adversarial goal: using the SAME global trigger to attack the global model
§ same amount of total injected triggers (e.g., modified pixels) for fair comparison
DBA Examples
Attacker Ability in Federated Learning
$$w_i^* = \arg\max_{w_i} \sum_{j \in S_{poi}^i} P\!\left[G^{t+1}\!\left(R(x_j^i, \phi)\right) = \tau\right] + \sum_{j \in S_{cln}^i} P\!\left[G^{t+1}(x_j^i) = y_j^i\right]$$

§ Poison ratio: the fraction of attacker $i$'s local data that is backdoored ($S_{poi}^i$, versus the clean part $S_{cln}^i$)
§ $\phi$: a set of parameters of an attacker-chosen trigger pattern
§ $R$: transforms clean data in any class into backdoored data
§ $\tau$: target label
Trigger factors (size, gap and location) in backdoored images
Trigger factor (feature importance ranking) in tabular data
in our implementation we use minimizing the cross-entropy loss as the training objective
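The trigger decomposition (local triggers whose union is the global trigger, with the same pixel budget as the centralized attacker) and the attacker's knobs from the last two slides (poison ratio, trigger parameters $\phi$, transform $R$, target label $\tau$), as an added example that is not code from the slides or the DBA paper. Masks are sets of (row, col) pixel coordinates; the 28x28 all-zero images, the 1x4 trigger size, the gaps, the grid layout and the function names are constructed assumptions.

```python
import math
import random


def local_trigger_masks(n_attackers=4, size=(1, 4), gap=(2, 2), location=(0, 0), cols=2):
    """Local trigger i is a size[0] x size[1] rectangle placed on a grid with
    `cols` columns, `gap` pixels between neighbours, starting at `location`.
    Each mask is a set of (row, col) pixel coordinates (phi for attacker i)."""
    h, w = size
    gap_y, gap_x = gap
    top0, left0 = location
    masks = []
    for i in range(n_attackers):
        r, c = divmod(i, cols)
        top, left = top0 + r * (h + gap_y), left0 + c * (w + gap_x)
        masks.append({(top + dy, left + dx) for dy in range(h) for dx in range(w)})
    return masks


def global_trigger_mask(masks):
    """The global trigger is the union of all local triggers."""
    return set().union(*masks)


def pixel_budget(masks):
    """Total modified pixels: held equal between DBA and the centralized attack."""
    return sum(len(m) for m in masks)


def apply_trigger(image, mask, value=1.0):
    """R(x, phi): stamp the trigger pixels onto a copy of the image (list of rows)."""
    out = [row[:] for row in image]
    for r, c in mask:
        out[r][c] = value
    return out


def poison(dataset, mask, target, poison_ratio, seed=0):
    """Backdoor a random ceil(poison_ratio * N) subset: apply R and relabel to target.
    A DBA attacker passes its own local mask; the centralized attacker passes the global mask."""
    rng = random.Random(seed)
    order = list(range(len(dataset)))
    rng.shuffle(order)
    chosen = set(order[:math.ceil(poison_ratio * len(dataset))])
    return [(apply_trigger(x, mask), target) if i in chosen else (x, y)
            for i, (x, y) in enumerate(dataset)]


def count_nonzero(image):
    return sum(1 for row in image for v in row if v != 0)


def blank_dataset(n, label, side=28):
    """Constructed: n all-zero side x side images sharing one clean label."""
    return [([[0.0] * side for _ in range(side)], label) for _ in range(n)]


if __name__ == "__main__":
    masks = local_trigger_masks()
    g = global_trigger_mask(masks)
    print("local sizes:", [len(m) for m in masks], "global size:", len(g), "budget:", pixel_budget(masks))
    clean = blank_dataset(20, label=7)
    centralized = poison(clean, g, target=0, poison_ratio=0.5)
    distributed = [poison(clean, m, target=0, poison_ratio=0.5, seed=i) for i, m in enumerate(masks)]
    print("centralized: pixels changed per poisoned image =", max(count_nonzero(x) for x, _ in centralized))
    print("DBA attacker 0: pixels changed per poisoned image =", max(count_nonzero(x) for x, _ in distributed[0]))
```

Size, gap and location are the three trigger factors the slides name for images; changing them only moves or resizes the rectangles, while the disjoint layout keeps the union exactly equal to the centralized attacker's pixel budget.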
Objective of Distributed Backdoor Attack
$$w_i^* = \arg\max_{w_i} \sum_{j \in S_{poi}^i} P\!\left[G^{t+1}\!\left(R(x_j^i, \phi_i^*)\right) = \tau;\ \gamma;\ I\right] + \sum_{j \in S_{cln}^i} P\!\left[G^{t+1}(x_j^i) = y_j^i\right], \quad \forall\, i \in [M]$$
in our implementation we use minimizing the cross-entropy loss as the training objective
Outline
§ Introduction
§ Distributed Backdoor Attack
§ Experiments
§ Conclusion & Discussion
Distributed vs. Centralized Backdoor Attack
Evaluation setup
• MNIST dataset
• Total of 100 agents, 10 agents are selected each round
• Distributed attackers or centralized attacker are consistently selected each round
• Test attack success rate in the global model
Distributed vs. Centralized Backdoor Attack
• DBA converges faster and even yields a higher attack success rate than centralized backdoor attack
Distributed vs. Centralized Backdoor Attack
§ single-shot attack
DBA embeds local triggers 1 to 4 separately in rounds 12, 14, 16, 18; the centralized attacker implants its global trigger in round 18
Evaluation setup
• MNIST dataset
• Total of 100 agents, 10 agents are selected each round
• Every attacker is only selected once
• Attacker performs scaling in their malicious updates (scale factor = 100)
• Test attack success rate in the global model
Distributed vs. Centralized Backdoor Attack
§ single-shot attack
Test the attack success rate of the global trigger in the global model
Evaluation setup
• MNIST dataset
• Total of 100 agents, 10 agents are selected each round
• Every attacker is only selected once
• Attacker performs scaling in their malicious updates (scale factor = 100)
• Test attack success rate in the global model
• both reach a high attack success rate right after the complete backdoor has been implanted with a scaled malicious update
• the distributed attack is more persistent than the centralized attack: its success rate decays more slowly over the following rounds
Distributed vs. Centralized Backdoor Attack
§ single-shot attack
Test the attack success rate of global & local triggers in the global model
Evaluation setup
• MNIST dataset
• Total of 100 agents, 10 agents are selected each round
• Every attacker is only selected once
• Attacker performs scaling in their malicious updates (scale factor = 100)
• Test attack success rate in the global model
DBA
• each attacker performs data poisoning using only its own local trigger
• the global trigger lasts longer in the global model than any of the local triggers
Centralized attack
• the attack success rate of the centralized attack, on the local triggers as well as on the global trigger, drops faster than that of DBA
Distributed vs. Centralized Backdoor Attack
* Krishna Pillutla, Sham M. Kakade, and Zaid Harchaoui. Robust Aggregation for Federated Learning. arXiv preprint, 2019.
* Clement Fung, Chris JM Yoon, and Ivan Beschastnikh. Mitigating sybils in federated learning poisoning. arXiv preprint arXiv:1808.04866, 2018.
Robustness of Distributed Attack
[Figure: attack success rate over rounds under FoolsGold and under RFA. Under FoolsGold the centralized attack reaches only 2.91%; under RFA the centralized attack totally fails.]
• the attack success rate of DBA is much higher and the convergence speed is much faster under RFA and FoolsGold
• DBA is more insidious as it can better evade the robust FL aggregations
Explanation for DBA via Feature Visualization
• each locally triggered image alone is a weak attack, as none of them can change the prediction
• when assembled together as a global trigger, the backdoored image is classified as the target label
• this is the stealthy nature of DBA
* Ramprasaath R Selvaraju, Michael Cogswell, Abhishek Das, Ramakrishna Vedantam, Devi Parikh, and Dhruv Batra. Grad-CAM: Visual explanations from deep networks via gradient-based localization. CVPR. 2017.
Explanation for DBA via Feature Importance
§ Soft Decision Tree distills a trained neural network by training with data and their soft targets
the trigger area after poisoning indeed becomes much more significant for decision making
* Nicholas Frosst and Geoffrey Hinton. Distilling a neural network into a soft decision tree. arXiv preprint arXiv:1711.09784, 2017.
Explanation for DBA via Feature Importance
§ Introduction
§ Distributed Backdoor Attack
§ Experiments
§ Conclusion & Discussion
In summary
§ Our results suggest DBA is a more powerful and stealthy attack, which sheds light on characterizing the robustness of Federated Learning.
Discussion: Possible Defenses for Backdoor Attacks
In a single model setting (in contrast to federated learning)
§ Attack types:
§ Defenses background
§ Many empirical defenses have been “broken” by new attacks
§ A certified defense (in $\ell_p$ norm) is a classifier which returns both a prediction and a certificate that the prediction is constant within an $\ell_p$ ball around the input $x$
Discussion: Possible Defenses for Backdoor Attacks
In a single model setting
Randomized Smoothing
§ First, given a neural net $f$ (the base classifier) and the input $x$
§ Then, smooth $f$ into a new classifier $g$ (the smoothed classifier). $g$ returns the most probable prediction by $f$ of random Gaussian corruptions of $x$
* Cohen, Jeremy, Elan Rosenfeld, and Zico Kolter. "Certified Adversarial Robustness via Randomized Smoothing." ICML. 2019.
Discussion: Possible Defenses for Backdoor Attacks
In a single model setting
Randomized Smoothing
§ $g$ returns the most probable prediction by $f$ of random Gaussian corruptions of $x$
Then $g(x)$ = 🐼
* Cohen, Jeremy, Elan Rosenfeld, and Zico Kolter. "Certified Adversarial Robustness via Randomized Smoothing." ICML. 2019.
Discussion: Possible Defenses for Backdoor Attacks
In a single model setting
Certified Robustness
* Cohen, Jeremy, Elan Rosenfeld, and Zico Kolter. "Certified Adversarial Robustness via Randomized Smoothing." ICML. 2019.
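Randomized smoothing and its certificate from the last three slides, as an added example in plain Python that is not code from the slides or from Cohen et al. The two-dimensional base classifier $f$ is constructed; the Monte Carlo estimate of $g$ follows the slides, and the certified $\ell_2$ radius $R = \sigma\,\Phi^{-1}(\underline{p_A})$ follows the CERTIFY procedure of Cohen et al., except that the lower confidence bound on $p_A$ uses a Hoeffding bound here instead of the paper's Clopper-Pearson interval (an assumption made to avoid a dependency; it is looser, so the radius is only more conservative).

```python
import math
import random
from statistics import NormalDist


def base_classifier(x):
    """Constructed toy base classifier f on 2-D inputs: class 1 if x0 > x1, else 0."""
    return 1 if x[0] > x[1] else 0


def smoothed_counts(f, x, sigma, n, rng, n_classes=2):
    """Run f on n Gaussian corruptions x + N(0, sigma^2 I); return per-class counts."""
    counts = [0] * n_classes
    for _ in range(n):
        counts[f([xi + rng.gauss(0.0, sigma) for xi in x])] += 1
    return counts


def smoothed_predict(f, x, sigma, n, rng, n_classes=2):
    """g(x): the class f returns most often under Gaussian noise."""
    counts = smoothed_counts(f, x, sigma, n, rng, n_classes)
    return max(range(n_classes), key=counts.__getitem__)


def certify(f, x, sigma, n0=100, n=10_000, alpha=0.001, seed=0, n_classes=2):
    """CERTIFY (Cohen et al.): guess the top class c_A from n0 samples, then lower-bound
    its probability p_A from n fresh samples. Returns (c_A, R) with R = sigma * Phi^-1(p_A),
    or (None, 0.0) to abstain when p_A cannot be shown to exceed 1/2.
    Assumption: a Hoeffding lower bound stands in for the paper's Clopper-Pearson bound."""
    rng = random.Random(seed)
    c_a = smoothed_predict(f, x, sigma, n0, rng, n_classes)
    counts = smoothed_counts(f, x, sigma, n, rng, n_classes)
    p_hat = counts[c_a] / n
    p_lower = p_hat - math.sqrt(math.log(1.0 / alpha) / (2.0 * n))
    if p_lower <= 0.5:
        return None, 0.0
    return c_a, sigma * NormalDist().inv_cdf(p_lower)


def covered_by_certificate(delta, radius):
    """True iff a test-time perturbation delta lies inside the certified L2 ball."""
    return math.sqrt(sum(d * d for d in delta)) <= radius


if __name__ == "__main__":
    for point in ([3.0, 0.0], [0.0, 0.0]):
        c, r = certify(base_classifier, point, sigma=0.5)
        print(point, "->", "abstain" if c is None else f"class {c}, radius {r:.3f}")
```

The certificate only speaks about test-time $\ell_2$ perturbations: a pixel trigger is covered only if its $\ell_2$ norm is below the radius, which is what covered_by_certificate checks, and a point near the decision boundary (the second input above) yields an abstention rather than a certificate. Guaranteeing anything against a backdoor planted during training needs the training-time variants of smoothing cited later in the deck.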
Discussion: Possible Defenses for Backdoor Attacks
In a single model setting
Randomized Smoothing for test-time attack
Randomized Smoothing for training-time attack
* Rosenfeld, Elan, Ezra Winston, Pradeep Ravikumar, and J. Zico Kolter. “Certified Robustness to Label-Flipping Attacks via Randomized Smoothing.” ICML. 2020.
* Weber, Maurice, Xiaojun Xu, Bojan Karlas, Ce Zhang, and Bo Li. "RAB: Provable Robustness Against Backdoor Attacks." arXiv preprint arXiv:2003.08904 (2020).
Discussion: Possible Defenses for Backdoor Attacks
In a single model setting
* Weber, Maurice, Xiaojun Xu, Bojan Karlas, Ce Zhang, and Bo Li. "RAB: Provable Robustness Against Backdoor Attacks." arXiv preprint arXiv:2003.08904 (2020).
Discussion: Possible Defenses for Backdoor Attacks
In Federated Learning setting
[Figure: federated learning pipeline. Training phase: each agent's local data yields a local update, which is aggregated into the global model. Test phase: model inference on the global model.]