Yang, Han (2024) Robust and Efficient Federated Learning Algorithms against Adaptive Model Poisoning Attacks. Doctoral thesis, University of Essex.
Abstract
Federated learning (FL) is a distributed machine learning paradigm that offers efficiency and scalability, as many clients execute the training in parallel over communication networks. FL also provides strong privacy to clients, as they can keep their training datasets locally rather than sharing them with other participants. Such a secure aggregation mechanism complies with the General Data Protection Regulation (GDPR) and protects clients against privacy leakage attacks. However, FL systems are vulnerable to Byzantine failures because of their distributed operation. Byzantine failures include various types of failures in distributed systems, such as poisoning attacks, malicious users, software bugs, communication delays, hacked machines, etc. This thesis investigates one type of Byzantine failure: model poisoning attacks.

Model poisoning attacks generally refer to attacks on the training phase of machine learning. They consist of targeted attacks (backdoor attacks) and untargeted attacks. Targeted attacks aim to insert a "trigger" into the trained global model. A "trigger" means poisoned training data with wrong labels, such as cat pictures with modified pixels labelled as dogs in an image classification task. Once such a trigger has been inserted, the global model misclassifies a small group of test samples carrying the chosen trigger into the targeted labels, while keeping good accuracy on other groups of test samples. Untargeted model poisoning attacks, on the other hand, aim to minimize the accuracy of the global model on any test set. Such an attack is harmful in the real world, as it can cause denial of service (DoS) among a large population of FL end devices.

Three main robust algorithms are presented to address the security issues caused by model poisoning attacks in FL. The key algorithms introduced by this thesis are:

(1) I propose FLSec, a defence system to detect malicious clients and defend against targeted model poisoning attacks. FLSec is equipped with a new metric, GradScore, to find potential malicious model updates. The GradScore value quantifies the contribution of a backdoored training sample to the decrease of the backdoor training loss on other samples from the same minibatch. The GradScore value of an attacker with many backdoored training samples can be larger than that of the benign participants. Therefore, by measuring the GradScore value, FLSec can effectively mitigate the malicious participants.

(2) I investigate how to mitigate multi-round targeted model poisoning attacks. FL systems are more vulnerable to multi-round targeted model poisoning attacks than to single-round attacks: an FL system can gradually correct the damage caused by a single-round attack, but the negative impact of multi-round targeted model poisoning accumulates over training. I conduct further research on the reliability of GradScore and propose DeMAC to eliminate multi-round targeted model poisoning attacks. Besides, the historical record that DeMAC keeps for defending against malicious attacks can detect malicious clients spontaneously, without manual settings.

(3) Existing robust methods ignore the causes of the high dimensionality of model parameters and of data heterogeneity, and so they are unable to defend against adaptive untargeted model poisoning attacks. To tackle these problems, I propose FedDet, a novel robust aggregation method that consists of two main steps: splitting and grouping the local models by layers, and normalizing the sliced parameters by the median of their norms. FedDet splits the local models into layers for robust aggregation; by doing so, it can overcome the issue of high dimensionality while keeping the functionality of the layers.
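The abstract describes FedDet's aggregation only in outline (split local models by layer, normalize each layer slice by the median of the clients' norms, then aggregate). The following is an added illustration of that idea in plain Python; it is not the thesis's code, and the exact normalization rule (rescaling every client's layer slice to the median norm) is an assumption made here for the example. The constructed scenario has four benign clients and one client that submits a sign-flipped, heavily scaled update, which is the kind of adaptive untargeted attack a plain mean cannot survive but a per-layer median-norm rescaling neutralizes.

```python
"""Layer-wise median-norm aggregation (illustration of the FedDet idea).

Added example, not code from the thesis. A client update is modelled as a
dict mapping layer name -> flat list of floats (constructed toy format).
"""
from statistics import median
from typing import Dict, List

Model = Dict[str, List[float]]


def l2_norm(v: List[float]) -> float:
    """Euclidean norm of one layer slice."""
    return sum(x * x for x in v) ** 0.5


def scale(v: List[float], factor: float) -> List[float]:
    return [x * factor for x in v]


def normalize_layer_by_median(layer_slices: List[List[float]]) -> List[List[float]]:
    """Rescale every client's slice of one layer so that its L2 norm equals the
    median norm across clients. (Assumed reading of 'normalizing the sliced
    parameters by the median of the norms'; the thesis may use a different
    rule.) An all-zero slice has no direction and is passed through unchanged.
    """
    norms = [l2_norm(s) for s in layer_slices]
    med = median(norms)
    out: List[List[float]] = []
    for s, n in zip(layer_slices, norms):
        out.append(list(s) if n == 0.0 else scale(s, med / n))
    return out


def feddet_style_aggregate(updates: List[Model]) -> Model:
    """Split each client update by layer, normalize each layer's slices by the
    median norm, then average the normalized slices layer by layer."""
    if not updates:
        raise ValueError("no client updates to aggregate")
    aggregate: Model = {}
    for name in updates[0]:
        slices = [u[name] for u in updates]
        normalized = normalize_layer_by_median(slices)
        dim = len(slices[0])
        aggregate[name] = [sum(s[i] for s in normalized) / len(normalized) for i in range(dim)]
    return aggregate


def plain_mean_aggregate(updates: List[Model]) -> Model:
    """Unprotected FedAvg-style mean, kept for comparison."""
    aggregate: Model = {}
    for name in updates[0]:
        slices = [u[name] for u in updates]
        dim = len(slices[0])
        aggregate[name] = [sum(s[i] for s in slices) / len(slices) for i in range(dim)]
    return aggregate


def build_sample_updates() -> List[Model]:
    """Constructed round: four benign clients agree on the update direction;
    one adaptive attacker sends the opposite direction scaled by 100x."""
    benign = {"fc1": [1.0, 0.0], "fc2": [0.0, 2.0]}
    attacker = {"fc1": [-100.0, 0.0], "fc2": [0.0, -200.0]}
    return [dict(benign) for _ in range(4)] + [attacker]


def demo() -> Dict[str, Model]:
    """Return both aggregates so the difference can be inspected or asserted."""
    updates = build_sample_updates()
    return {
        "plain_mean": plain_mean_aggregate(updates),
        "median_norm": feddet_style_aggregate(updates),
    }


if __name__ == "__main__":
    for method, agg in demo().items():
        print(method, agg)
```

With a plain mean the attacker's scaled update drags both layers far into the negative direction (fc1 becomes roughly -19.2); after per-layer median-norm rescaling the attacker contributes no more magnitude than a typical benign client, so the aggregate keeps the benign sign (0.6 on fc1 and 1.2 on fc2). Because the rescaling is done per layer, an attacker cannot inflate one layer to dominate the whole flattened parameter vector, which is the high-dimensionality issue the abstract refers to.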
| Item Type: | Thesis (Doctoral) |
|---|---|
| Subjects: | Q Science > QA Mathematics > QA75 Electronic computers. Computer science |
| Divisions: | Faculty of Science and Health > Computer Science and Electronic Engineering, School of |
| Depositing User: | Han Yang |
| Date Deposited: | 01 May 2024 14:58 |
| Last Modified: | 01 May 2024 14:58 |
| URI: | http://repository.essex.ac.uk/id/eprint/38303 |
Available files
Filename: Han_Yang_PhD_THESIS.pdf