the limitations of federated learning in sybil settings
play

The Limitations of Federated Learning in Sybil Settings Clement - PowerPoint PPT Presentation

Jul 31, 2023 •163 likes •723 views

The Limitations of Federated Learning in Sybil Settings Clement Fung*, Chris J.M. Yoon + , Ivan Beschastnikh + * Carnegie Mellon University + University of British Columbia The evolution of machine learning at scale Machine learning (ML) is a

  1. The Limitations of Federated Learning in Sybil Settings Clement Fung*, Chris J.M. Yoon + , Ivan Beschastnikh + * Carnegie Mellon University + University of British Columbia

  2. The evolution of machine learning at scale Machine learning (ML) is a data hungry application ● Large volumes of data ○ Diverse data ○ Time-sensitive data ○ 2

  3. The evolution of machine learning at scale 1. Centralized training of ML model Centralized Training Server Domain 3

  4. The evolution of machine learning at scale 1. Centralized training of ML model Centralized Training Server Domain 4

  5. The evolution of machine learning at scale 1. Centralized training of ML model Centralized Training Server Domain 5

  6. The evolution of machine learning at scale 1. Centralized training of ML model Centralized Training Server Domain 6

  7. The evolution of machine learning at scale 1. Centralized training of ML model 2. Distributed training over sharded dataset and workers Centralized Training Distributed Training Server Domain Server Domain 7

  8. The evolution of machine learning at scale 1. Centralized training of ML model 2. Distributed training over sharded dataset and workers Centralized Training Distributed Training Server Domain Server Domain 8

  9. The evolution of machine learning at scale 1. Centralized training of ML model 2. Distributed training over sharded dataset and workers Centralized Training Distributed Training Server Domain Server Domain 9

  10. Federated learning (FL) Train ML models over network ● Less network cost, no data transfer [1] ○ Server aggregates updates across clients ○ Enables privacy-preserving alternatives ● Differentially private federated learning [2] ○ Secure aggregation [3] ○ Server Domain Agg. [1] McMahan et al. Communication-Efficient Learning of Deep Networks from Decentralized Data. AISTATS 2017 10 [2] Geyer et al. Differentially Private Federated Learning: A Client Level Perspective. NIPS 2017 [3] Bonawitz et al. Practical Secure Aggregation for Privacy-Preserving Machine Learning. CCS 2017.

  11. Federated learning (FL) Train ML models over network ● Less network cost, no data transfer [1] ○ Server aggregates updates across clients ○ Enables privacy-preserving alternatives ● Differentially private federated learning [2] ○ Secure aggregation [3] ○ Server Domain Enables training over non i.i.d. data settings ● Users with disjoint data types ○ Agg. Mobile, internet of things, etc. ○ [1] McMahan et al. Communication-Efficient Learning of Deep Networks from Decentralized Data. AISTATS 2017 11 [2] Geyer et al. Differentially Private Federated Learning: A Client Level Perspective. NIPS 2017 [3] Bonawitz et al. Practical Secure Aggregation for Privacy-Preserving Machine Learning. CCS 2017.

  12. Federated learning: new threat model The role of the client has changed significantly! ● Previously: passive data providers ○ Now: perform arbitrary compute ○ Server Domain Agg. 12

  13. Federated learning: new threat model The role of the client has changed significantly! ● Previously: passive data providers ○ Now: perform arbitrary compute ○ Aggregator never sees client datasets, compute outside domain ● Difficult to validate clients in “diverse data” setting ○ Are these updates Server Domain genuine? Agg. 13

  14. Poisoning attacks Traditional poisoning attack: malicious training data ● Manipulate behavior of final trained model ○ 14

  15. Poisoning attacks Traditional poisoning attack: malicious training data ● Manipulate behavior of final trained model ○ Malicious poisoning data 15

  16. Poisoning attacks Traditional poisoning attack: malicious training data ● Manipulate behavior of final trained model ○ Old decision boundary New decision boundary Malicious poisoning data 16

  17. Poisoning attacks Traditional poisoning attack: malicious training data ● Manipulate behavior of final trained model ○ Old decision boundary New decision boundary Misclassified example Malicious poisoning data 17

  18. Sybil-based poisoning attacks In federated learning: provide malicious model updates ● Aggregator 18

  19. Sybil-based poisoning attacks In federated learning: provide malicious model updates ● With sybils : each account increases influence in system ● Made worse in non-i.i.d setting ○ Aggregator 19

  20. E.g. Sybil-based poisoning attacks A 10 client, non-i.i.d MNIST setting ● 20

  21. E.g. Sybil-based poisoning attacks A 10 client, non-i.i.d MNIST setting ● Sybil attackers with mislabeled “1-7” data ● Need at least 10 sybils? ○ 21

  22. E.g. Sybil-based poisoning attacks A 10 client, non-i.i.d MNIST setting ● Sybil attackers with mislabeled “1-7” data ● At only 2 sybils: ● 96.2% of 1s are misclassified as 7s ○ Minimal impact on accuracy of other digits ○ 22

  23. E.g. Sybil-based poisoning attacks A 10 client, non-i.i.d MNIST setting ● Sybil attackers with mislabeled “1-7” data ● At only 2 sybils: ● 96.2% of 1s are misclassified as 7s ○ Minimal impact on accuracy of other digits ○ 23

  24. E.g. Sybil-based poisoning attacks A 10 client, non-i.i.d MNIST setting ● Sybil attackers with mislabeled “1-7” data ● At only 2 sybils: ● 96.2% of 1s are misclassified as 7s ○ Minimal impact on accuracy of other digits ○ 24

  25. Our contributions Identify gap in existing FL defenses ● No prior work has studied sybils in FL ○ Categorize sybil attacks on FL along two dimensions: ● Sybil objectives/targets ○ Sybil capabilities ○ FoolsGold: a defense against sybil-based poisoning attacks on FL ● Addresses targeted poisoning attacks ○ Preserves benign FL performance ○ Prevents poisoning from 99% sybil adversary ○ 25

  26. Federated learning: sybil attacks, defenses and new opportunities 26

  27. Types of attacks on FL Model quality : modify the performance of the trained model ● Poisoning attacks [1], backdoor attacks [2] ○ Privacy : attack the datasets of honest clients ● Inference attacks [3] ○ Utility : receive an unfair payout from the system ● Free-riding attacks [4] ○ Training inflation : inflate the resources required (new!) ● Time taken, network bandwidth, GPU usage ○ [1] Fang et al. Local Model Poisoning Attacks to Byzantine-Robust Federated Learning. Usenix Security 2020. [2] Bagdasaryan et al. How To Backdoor Federated Learning. AISTATS 2020. 27 [3] Melis et al. Exploiting Unintended Feature Leakage in Collaborative Learning. S&P 2019. [4] Lin et al. Free-riders in Federated Learning: Attacks and Defenses. arXiv 2019.

  28. Existing defenses for FL are limited Existing defenses are aggregation statistics: ● Multi-Krum [1] ○ Bulyan [2] ○ Trimmed Mean/Median [3] ○ Require a bounded number of attackers ● Do not handle sybil attacks ○ Focus on poisoning attacks (model quality) ● Do not handle other attacks (e.g., training inflation) ○ [1] Blanchard et al. Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent. NIPS 2017 28 [2] El Mhamdi et al. The Hidden Vulnerability of Distributed Learning in Byzantium. ICML 2018. [3] Yin et al. Byzantine-robust distributed learning: Towards optimal statistical rates. ICML 2018.

  29. Existing defenses for FL Cannot defend against an increasing number of poisoners ● [1] Blanchard et al. Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent. NIPS 2017 29 [2] El Mhamdi et al. The Hidden Vulnerability of Distributed Learning in Byzantium. ICML 2018. [3] Yin et al. Byzantine-robust distributed learning: Towards optimal statistical rates. ICML 2018.

  30. Existing defenses for FL FoolsGold is robust to an increasing number of poisoners ● [1] Blanchard et al. Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent. NIPS 2017 30 [2] El Mhamdi et al. The Hidden Vulnerability of Distributed Learning in Byzantium. ICML 2018. [3] Yin et al. Byzantine-robust distributed learning: Towards optimal statistical rates. ICML 2018.

  31. Existing defenses for FL FoolsGold is robust to an increasing number of poisoners ● Once the number of sybils exceeds defense threshold, defenses are ineffective! [1] Blanchard et al. Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent. NIPS 2017 31 [2] El Mhamdi et al. The Hidden Vulnerability of Distributed Learning in Byzantium. ICML 2018. [3] Yin et al. Byzantine-robust distributed learning: Towards optimal statistical rates. ICML 2018.

  32. Training inflation on FL Manipulate ML stopping criteria to ensure maximum time/usage : ● Validation error, size of gradient norm ○ Coordinated attacks can be direct, ○ 32

  33. Training inflation on FL Manipulate ML stopping criteria to ensure maximum time/usage : ● Validation error, size of gradient norm ○ Coordinated attacks can be direct, timed, ○ 33

  34. Training inflation on FL Manipulate ML stopping criteria to ensure maximum time/usage : ● Validation error, size of gradient norm ○ Coordinated attacks can be direct, timed, or stealthy ○ 34

  35. Training inflation on FL Manipulate ML stopping criteria to ensure maximum time/usage : ● Validation error, size of gradient norm ○ Coordinated attacks can be direct, timed, or stealthy ○ Coordinated adversary can arbitrarily manipulate the length of federated learning process! 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Federated Learning Min Du Postdoc, UC Berkeley Outline q Preliminary: deep learning and SGD q

Federated Learning Min Du Postdoc, UC Berkeley Outline q Preliminary: deep learning and SGD q

Federated Learning Min Du Postdoc, UC Berkeley Outline q Preliminary: deep learning and SGD q Federated learning: FedSGD and FedAvg q Related research in federated learning q Open problems Outline q Preliminary: deep learning and SGD q Federated

616 views • 50 slides
Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo

Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo

Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo Chakraborty 2 , Prateek Mittal 1 and Seraphin Calo 2 1 Princeton University 2 IBM Research ICML 2019 Federated learning (with a malicious agent) Federated

1.46k views • 59 slides
Federated Machine Learning via Over-the-Air Computation Yuanming Shi ShanghaiTech University 1

Federated Machine Learning via Over-the-Air Computation Yuanming Shi ShanghaiTech University 1

Federated Machine Learning via Over-the-Air Computation Yuanming Shi ShanghaiTech University 1 Outline Motivations Big data, IoT,AI Three vignettes: Federated machine learning Federated model aggregation Over-the-air

1.02k views • 56 slides
Fair Resource Allocation in Federated Learning Tian Li (CMU) , Maziar Sanjabi (Facebook AI), Ahmad

Fair Resource Allocation in Federated Learning Tian Li (CMU) , Maziar Sanjabi (Facebook AI), Ahmad

Fair Resource Allocation in Federated Learning Tian Li (CMU) , Maziar Sanjabi (Facebook AI), Ahmad Beirami (Facebook AI), Virginia Smith (CMU) tianli@cmu.edu 1 Federated Learning 2 2 Federated Learning Privacy-preserving training in

1.19k views • 55 slides
Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially- Private Federated Linear Bandits Dubey and Pentland June 2020 Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual Bandits Summary Background Abhimanyu Dubey and Alex Pentland

437 views • 20 slides
BIT Maintaining Training Efficiency and Accuracy for Edge-assisted Online Federated

BIT Maintaining Training Efficiency and Accuracy for Edge-assisted Online Federated

BIT Maintaining Training Efficiency and Accuracy for Edge-assisted Online Federated Learning with ABS Jiayu Wang, Zehua Guo, Sen Liu, Yuanqing Xia Beijing Institute Of Technology, Fudan University 1 Federated Learning User devices

612 views • 12 slides
IRODS AND FEDERATED IDENTITY AUTHENTICATION CURRENT LIMITATIONS AND PERSPECTIVE Claudio

IRODS AND FEDERATED IDENTITY AUTHENTICATION CURRENT LIMITATIONS AND PERSPECTIVE Claudio

IRODS AND FEDERATED IDENTITY AUTHENTICATION CURRENT LIMITATIONS AND PERSPECTIVE Claudio Cacciari, claudio.cacciari@surfsara.nl SURF UGM 2020, June 10 th 2020 IRODS and SURF SURF is the collaborative organisation for ICT in Dutch education

669 views • 34 slides
Agnostic federated learning Mehryar Mohri 1 , 2 , Gary Sivek 1 , Ananda Theertha Suresh 1 1 Google

Agnostic federated learning Mehryar Mohri 1 , 2 , Gary Sivek 1 , Ananda Theertha Suresh 1 1 Google

Agnostic federated learning Mehryar Mohri 1 , 2 , Gary Sivek 1 , Ananda Theertha Suresh 1 1 Google Research, 2 Courant Institute June 11, 2019 1/8 Federated learning scenario [McMahan et al., 17] centralized model client A client

418 views • 8 slides
Optimizing Federated Learning on Non-IID Data with Reinforcement Learning Hao Wang *, Zakhary

Optimizing Federated Learning on Non-IID Data with Reinforcement Learning Hao Wang *, Zakhary

INFOCOM20 Optimizing Federated Learning on Non-IID Data with Reinforcement Learning Hao Wang *, Zakhary Kaplan*, Di Niu^, Baochun Li* *University of Toronto, ^University of Alberta < < > > Alexa Siri 2 Machine

541 views • 53 slides
SybilGuard: Defending Against Sybil Attacks SybilGuard: Defending Against Sybil Attacks via

SybilGuard: Defending Against Sybil Attacks SybilGuard: Defending Against Sybil Attacks via

SybilGuard: Defending Against Sybil Attacks SybilGuard: Defending Against Sybil Attacks via Social Networks via Social Networks Intel Research Pittsburgh / CMU Haifeng Yu National University of Singapore Michael Kaminsky Intel Research

501 views • 22 slides
Federated Zero-Shot Learning: A Proposal Francesco Odierna CS PhD student @ University of Pisa

Federated Zero-Shot Learning: A Proposal Francesco Odierna CS PhD student @ University of Pisa

Federated Zero-Shot Learning: A Proposal Francesco Odierna CS PhD student @ University of Pisa francesco.odierna@phd.unipi.it 1 Outline Introduction Federated Learning Zero-Shot Learning The Proposal Motivation Road

349 views • 19 slides
MOCHA: Federated Multi-Task Learning NIPS 17 Virginia Smith Stanford / CMU Chao-Kai

MOCHA: Federated Multi-Task Learning NIPS 17 Virginia Smith Stanford / CMU Chao-Kai

MOCHA: Federated Multi-Task Learning NIPS 17 Virginia Smith Stanford / CMU Chao-Kai Chiang USC Maziar Sanjabi USC Ameet Talwalkar CMU MACHINE LEARNING WORKFLOW data & problem machine learning model n optimization

1.71k views • 35 slides
MAB Learning in IoT Networks Learning helps even in non-stationary settings! Rmi Bonnefoi

MAB Learning in IoT Networks Learning helps even in non-stationary settings! Rmi Bonnefoi

MAB Learning in IoT Networks Learning helps even in non-stationary settings! Rmi Bonnefoi Lilian Besson milie Kaufmann Christophe Moy Jacques Palicot PhD Student in France Team SCEE, IETR, CentraleSuplec, Rennes & Team SequeL,

507 views • 25 slides
FedSel: Federated SGD under Local Differential Privacy with Top-k Dimension Selection Ruixuan

FedSel: Federated SGD under Local Differential Privacy with Top-k Dimension Selection Ruixuan

FedSel: Federated SGD under Local Differential Privacy with Top-k Dimension Selection Ruixuan Liu 1 , Yang Cao 2 , Masatoshi Yoshikawa 2 , Hong Chen 1 1 Renmin University of China, 2 Kyoto University DASFAA, 2020 Federated Learning Overview

370 views • 35 slides
An analysis of Social Network-based Sybil defenses Bimal Viswanath Ansley Post Krishna

An analysis of Social Network-based Sybil defenses Bimal Viswanath Ansley Post Krishna

An analysis of Social Network-based Sybil defenses Bimal Viswanath Ansley Post Krishna Gummadi Alan Mislove MPI-SWS Northeastern University SIGCOMM 2010 1 Sybil attack Fundamental problem in distributed systems Attacker

519 views • 40 slides
Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi Typical IoT Devices 2 IoT The S stands for Security 3 Mirai: Largest Disruptive

508 views • 33 slides
A THEORETICAL LOOKS AT ADVERSARIAL EXAMPLES Tom Goldstein and also Ali Shafahi, Ronny

A THEORETICAL LOOKS AT ADVERSARIAL EXAMPLES Tom Goldstein and also Ali Shafahi, Ronny

A THEORETICAL LOOKS AT ADVERSARIAL EXAMPLES Tom Goldstein and also Ali Shafahi, Ronny Huang, Mahyar Najibi, Octavian Suciu, Christoph Studer, Soheil Feizi, Tudor Dumitras OVERVIEW Why is optimization so easy on neural nets? What are

860 views • 84 slides
The Tobacco Industry, Tobacco Control & Media 2.0: Same Poison, New Bottle Stan Shatenstein

The Tobacco Industry, Tobacco Control & Media 2.0: Same Poison, New Bottle Stan Shatenstein

The Tobacco Industry, Tobacco Control & Media 2.0: Same Poison, New Bottle Stan Shatenstein Editor & Publisher, STAN Bulletin Smoking & Tobacco Abstracts & News shatensteins@sympatico.ca TI Marketing: Media 1.0 TI Marketing:

789 views • 30 slides
T argeted attacks: from being a victim to counter attacking Andrzej Dereszowski deresz

T argeted attacks: from being a victim to counter attacking Andrzej Dereszowski deresz

T argeted attacks: from being a victim to counter attacking Andrzej Dereszowski deresz <at> signal11.eu www.signal11.eu Motivation Are we able to counteratack ? Different possibilities: Traditional network scan and attack

1.02k views • 52 slides
METAPOISON: LEARNING TO CRAFT POISON W. Ronny Huang,* Jonas Geiping,* Liam Fowl,^ Tom Goldstein

METAPOISON: LEARNING TO CRAFT POISON W. Ronny Huang,* Jonas Geiping,* Liam Fowl,^ Tom Goldstein

METAPOISON: LEARNING TO CRAFT POISON W. Ronny Huang,* Jonas Geiping,* Liam Fowl,^ Tom Goldstein *Equal Contribution ^Speaker University of Maryland NeurIPS MetaLearn 2019 DATA POISONING Training data Testing example Plane Frog Base

251 views • 11 slides
CS7038 - Malware Analysis - Wk02.2 Attack Introduction Coleman Kane kaneca@mail.uc.edu January

CS7038 - Malware Analysis - Wk02.2 Attack Introduction Coleman Kane kaneca@mail.uc.edu January

CS7038 - Malware Analysis - Wk02.2 Attack Introduction Coleman Kane kaneca@mail.uc.edu January 18, 2018 Content This lecture covers the following concepts: Demo setting up specific lab environments in VirtualBox Utilizing

393 views • 11 slides
Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel Computers Dynamic Scheduling (Section 3.4, 3.5) Dynamic Branch Prediction (Section 3.3, 3.9, and Appendix C) Hardware Speculation and Precise Interrupts

733 views • 24 slides
KernelAddressSanitizer (KASan) a fast memory error detector for the Linux kernel Andrey Konovalov

KernelAddressSanitizer (KASan) a fast memory error detector for the Linux kernel Andrey Konovalov

KernelAddressSanitizer (KASan) a fast memory error detector for the Linux kernel Andrey Konovalov <andreyknvl@google.com>, Google Dmitry Vyukov <dvyukov@google.com>, Google LinuxCon North America 2015 July 18th 2015 Agenda

1.1k views • 49 slides
5/3/16 May 2, 2016 Channel Ecology Assignment for Weds, May 4 (Mon lab)/11 (Tues Lab) Pen your

5/3/16 May 2, 2016 Channel Ecology Assignment for Weds, May 4 (Mon lab)/11 (Tues Lab) Pen your

5/3/16 May 2, 2016 Channel Ecology Assignment for Weds, May 4 (Mon lab)/11 (Tues Lab) Pen your poison: http://www.amnh.org/exhibitions/current-exhibitions/the- power-of-poison Power of Poison: an enchanted book- Interactive botanical book

190 views • 5 slides

More recommend