Attack Resilient Federated Learning Framework
摘要
Federated learning (FL) stands out as a promising paradigm for collaborative training of machine learning models where a server supervises the learning process while keeping sensitive data on the user devices. Here, training is decentralized and conducted on edge devices beyond the control of a server. This increases the potential for malicious clients to tamper with the learning process and compromise the global model, resulting in a significant security risk. The majority of existing solutions are designed for scenarios where data exhibits independent and identically distributed (IID) characteristics across devices. A notable performance degradation is observed when the data distribution deviates from the independent and identically distributed (non-IID) scenario. In this paper, we first evaluate the performance of existing Byzantine robust aggregation schemes in non-IID settings within an adversarial scenario. Then, we introduce a novel attack-resilient aggregation scheme named FedResil with the objective of enhancing performance in the same adversarial environment. It leverages non-private data, which is collectively agreed upon by the participating clients before the training process begins, to delineate clusters of clients. Subsequently, the server applies existing Byzantine robust aggregation rules to each cluster independently, generating model updates within each cluster. The model update from each cluster is then aggregated to construct the final global model. Through extensive experimentation, we demonstrate that FedResil in malicious settings achieves performance similar to that in scenarios where there is no malicious client.