Rieger, Phillip ; Krauß, Torsten ; Miettinen, Mark ; Dmitrienko, Alexandra ; Sadeghi, Ahmad-Reza (2024)
CrowdGuard: Federated Backdoor Detection in Federated Learning.
Network and Distributed Systems Security (NDSS) Symposium 2024. San Diego, USA (26.02.24-01.03.24)
doi: 10.14722/ndss.2024.23233
Konferenzveröffentlichung, Bibliographie
Kurzbeschreibung (Abstract)
Federated Learning (FL) is a promising approach enabling multiple clients to train Deep Neural Networks (DNNs) collaboratively without sharing their local training data. However, FL is susceptible to backdoor (or targeted poisoning) attacks. These attacks are initiated by malicious clients who seek to compromise the learning process by introducing specific behaviors into the learned model that can be triggered by carefully crafted inputs. Existing FL safeguards have various limitations: They are restricted to specific data distributions or reduce the global model accuracy due to excluding benign models or adding noise, are vulnerable to adaptive defense-aware adversaries, or require the server to access local models, allowing data inference attacks.
This paper presents a novel defense mechanism, CrowdGuard, that effectively mitigates backdoor attacks in FL and overcomes the deficiencies of existing techniques. It leverages clients' feedback on individual models, analyzes the behavior of neurons in hidden layers, and eliminates poisoned models through an iterative pruning scheme. CrowdGuard employs a server-located stacked clustering scheme to enhance its resilience to rogue client feedback. The evaluation results demonstrate that CrowdGuard achieves a 100% True-Positive-Rate and True-Negative-Rate across various scenarios, including IID and non-IID data distributions. Additionally, CrowdGuard withstands adaptive adversaries while preserving the original performance of protected models. To ensure confidentiality, CrowdGuard uses a secure and privacy-preserving architecture leveraging Trusted Execution Environments (TEEs) on both client and server sides.
Typ des Eintrags: | Konferenzveröffentlichung |
---|---|
Erschienen: | 2024 |
Autor(en): | Rieger, Phillip ; Krauß, Torsten ; Miettinen, Mark ; Dmitrienko, Alexandra ; Sadeghi, Ahmad-Reza |
Art des Eintrags: | Bibliographie |
Titel: | CrowdGuard: Federated Backdoor Detection in Federated Learning |
Sprache: | Englisch |
Publikationsjahr: | 26 Februar 2024 |
Ort: | San Diego, USA |
Buchtitel: | Network and Distributed Systems Security (NDSS) Symposium 2024 |
Veranstaltungstitel: | Network and Distributed Systems Security (NDSS) Symposium 2024 |
Veranstaltungsort: | San Diego, USA |
Veranstaltungsdatum: | 26.02.24-01.03.24 |
DOI: | 10.14722/ndss.2024.23233 |
URL / URN: | https://www.ndss-symposium.org/ndss-paper/crowdguard-federat... |
Kurzbeschreibung (Abstract): | Federated Learning (FL) is a promising approach enabling multiple clients to train Deep Neural Networks (DNNs) collaboratively without sharing their local training data. However, FL is susceptible to backdoor (or targeted poisoning) attacks. These attacks are initiated by malicious clients who seek to compromise the learning process by introducing specific behaviors into the learned model that can be triggered by carefully crafted inputs. Existing FL safeguards have various limitations: They are restricted to specific data distributions or reduce the global model accuracy due to excluding benign models or adding noise, are vulnerable to adaptive defense-aware adversaries, or require the server to access local models, allowing data inference attacks. This paper presents a novel defense mechanism, CrowdGuard, that effectively mitigates backdoor attacks in FL and overcomes the deficiencies of existing techniques. It leverages clients' feedback on individual models, analyzes the behavior of neurons in hidden layers, and eliminates poisoned models through an iterative pruning scheme. CrowdGuard employs a server-located stacked clustering scheme to enhance its resilience to rogue client feedback. The evaluation results demonstrate that CrowdGuard achieves a 100% True-Positive-Rate and True-Negative-Rate across various scenarios, including IID and non-IID data distributions. Additionally, CrowdGuard withstands adaptive adversaries while preserving the original performance of protected models. To ensure confidentiality, CrowdGuard uses a secure and privacy-preserving architecture leveraging Trusted Execution Environments (TEEs) on both client and server sides. |
Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Systemsicherheit Profilbereiche Profilbereiche > Cybersicherheit (CYSEC) |
Hinterlegungsdatum: | 18 Jun 2024 07:21 |
Letzte Änderung: | 18 Jun 2024 07:48 |
PPN: | 519210689 |
Export: | |
Suche nach Titel in: | TUfind oder in Google |
Frage zum Eintrag |
Optionen (nur für Redakteure)
Redaktionelle Details anzeigen |