TU Darmstadt / ULB / TUbiblio

BayBFed: Bayesian Backdoor Defense for Federated Learning

Kumari, Kavita ; Rieger, Phillip ; Fereidooni, Hossein ; Jadliwala, Murtuza ; Sadeghi, Ahmad-Reza (2023)
BayBFed: Bayesian Backdoor Defense for Federated Learning.
44th IEEE Symposium on Security and Privacy. San Francisco, USA (22.-25.05.2023)
doi: 10.1109/SP46215.2023.10179362
Conference or Workshop Item, Bibliographie

Abstract

Federated learning (FL) is an emerging technology that allows participants to jointly train a machine learning model without sharing their private data with others. However, FL is vulnerable to poisoning attacks such as backdoor attacks. Consequently, a variety of defenses have recently been proposed, which have primarily utilized intermediary states of the global model (i.e., logits) or distance of the local models (i.e., L2−norm) with respect to the global model to detect malicious backdoors in FL. However, as these approaches directly operate on client updates (or weights), their effectiveness depends on factors such as clients’ data distribution or the adversary’s attack strategies. In this paper, we introduce a novel and more generic backdoor defense framework, called BayBFed, which proposes to utilize probability distributions over client updates to detect malicious updates in FL: BayBFed computes a probabilistic measure over the clients’ updates to keep track of any adjustments made in the updates, and uses a novel detection algorithm that can leverage this probabilistic measure to efficiently detect and filter out malicious updates. Thus, it overcomes the shortcomings of previous approaches that arise due to the direct usage of client updates; nevertheless, our probabilistic measure will include all aspects of the local client training strategies. BayBFed utilizes two Bayesian Non-Parametric (BNP) extensions: (i) a Hierarchical Beta-Bernoulli process to draw a probabilistic measure given the clients’ updates, and (ii) an adaptation of the Chinese Restaurant Process (CRP), referred by us as CRP-Jensen, which leverages this probabilistic measure to detect and filter out malicious updates. We extensively evaluate our defense approach on five benchmark datasets: CIFAR10, Reddit, IoT intrusion detection, MNIST, and FMNIST, and show that it can effectively detect and eliminate malicious updates in FL without deteriorating the benign performance of the global model.

Item Type: Conference or Workshop Item
Erschienen: 2023
Creators: Kumari, Kavita ; Rieger, Phillip ; Fereidooni, Hossein ; Jadliwala, Murtuza ; Sadeghi, Ahmad-Reza
Type of entry: Bibliographie
Title: BayBFed: Bayesian Backdoor Defense for Federated Learning
Language: English
Date: 21 July 2023
Publisher: IEEE
Book Title: Proceedings: 44th IEEE Symposium on Security and Privacy - SP 2023
Event Title: 44th IEEE Symposium on Security and Privacy
Event Location: San Francisco, USA
Event Dates: 22.-25.05.2023
DOI: 10.1109/SP46215.2023.10179362
URL / URN: https://www.computer.org/csdl/proceedings-article/sp/2023/93...
Abstract:

Federated learning (FL) is an emerging technology that allows participants to jointly train a machine learning model without sharing their private data with others. However, FL is vulnerable to poisoning attacks such as backdoor attacks. Consequently, a variety of defenses have recently been proposed, which have primarily utilized intermediary states of the global model (i.e., logits) or distance of the local models (i.e., L2−norm) with respect to the global model to detect malicious backdoors in FL. However, as these approaches directly operate on client updates (or weights), their effectiveness depends on factors such as clients’ data distribution or the adversary’s attack strategies. In this paper, we introduce a novel and more generic backdoor defense framework, called BayBFed, which proposes to utilize probability distributions over client updates to detect malicious updates in FL: BayBFed computes a probabilistic measure over the clients’ updates to keep track of any adjustments made in the updates, and uses a novel detection algorithm that can leverage this probabilistic measure to efficiently detect and filter out malicious updates. Thus, it overcomes the shortcomings of previous approaches that arise due to the direct usage of client updates; nevertheless, our probabilistic measure will include all aspects of the local client training strategies. BayBFed utilizes two Bayesian Non-Parametric (BNP) extensions: (i) a Hierarchical Beta-Bernoulli process to draw a probabilistic measure given the clients’ updates, and (ii) an adaptation of the Chinese Restaurant Process (CRP), referred by us as CRP-Jensen, which leverages this probabilistic measure to detect and filter out malicious updates. We extensively evaluate our defense approach on five benchmark datasets: CIFAR10, Reddit, IoT intrusion detection, MNIST, and FMNIST, and show that it can effectively detect and eliminate malicious updates in FL without deteriorating the benign performance of the global model.

Divisions: 20 Department of Computer Science
20 Department of Computer Science > System Security Lab
Profile Areas
Profile Areas > Cybersecurity (CYSEC)
Date Deposited: 28 Feb 2023 13:28
Last Modified: 25 Jul 2023 12:07
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Send an inquiry Send an inquiry

Options (only for editors)
Show editorial Details Show editorial Details