Işık Polat, Ece
In federated learning (FL), collaborators train a global model collectively without sharing their local data. The local model parameters that the collaborators obtain from their local training are collected on a trusted server to form the global model. To preserve privacy, the server has no authority over the local training procedure. Therefore, the global model is vulnerable to attacks such as data poisoning and model poisoning. Even though many defense strategies have been proposed against these attacks, they often make strong assumptions that are not compatible with the characteristics of FL. Moreover, these proposals have not been analyzed thoroughly. In this thesis, I propose an assumption-free defense mechanism called Byzantine Attack Robust Federated Learning (BARFED). BARFED does not make assumptions about the federated learning setting, such as the ratio of malicious collaborators, the data distributions of the collaborators, or gradient update similarity. BARFED examines the distance between the global model and the local models of the collaborators on a layer-by-layer basis and decides whether each collaborator will participate in the aggregation step based on whether it is an outlier. In other words, only the collaborators that are not labeled as outliers in any layer of the model architecture can participate in the aggregation step. I have shown that BARFED provides a robust defense against different attacks by performing comprehensive experiments that cover many aspects, such as data distribution and whether attackers are organized or not.
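A sketch of the layer-wise filtering the abstract describes, added here as an illustration and not taken from the thesis. The abstract does not name the distance metric, the outlier test or the aggregation rule, so Euclidean distance, Tukey's IQR fences (k = 1.5), the unweighted mean, all function names and the sample parameters are assumptions.

```python
import math
import statistics

def layer_distances(global_model, local_models):
    """Per layer, the Euclidean distance from each local model to the global one."""
    return {name: [math.dist(g, m[name]) for m in local_models]
            for name, g in global_model.items()}

def iqr_outliers(values, k=1.5):
    """Indices outside Tukey's fences [Q1 - k*IQR, Q3 + k*IQR] (assumed rule)."""
    q1, _, q3 = statistics.quantiles(values, n=4, method="inclusive")
    lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    return {i for i, v in enumerate(values) if v < lo or v > hi}

def select_collaborators(global_model, local_models, k=1.5):
    """Keep only collaborators that are not an outlier in ANY layer."""
    flagged = set()
    for dists in layer_distances(global_model, local_models).values():
        flagged |= iqr_outliers(dists, k)
    return [i for i in range(len(local_models)) if i not in flagged]

def aggregate(local_models, selected):
    """Unweighted per-layer mean over the accepted collaborators (assumed rule)."""
    if not selected:
        raise ValueError("no collaborator passed the filter")
    return {name: [statistics.fmean(col) for col in
                   zip(*(local_models[i][name] for i in selected))]
            for name in local_models[0]}

# Constructed sample: flattened layer parameters, not data from the thesis.
GLOBAL = {"fc1": [0.0, 0.0, 0.0], "fc2": [1.0, 1.0]}
LOCALS = [
    {"fc1": [0.1, 0.0, 0.0], "fc2": [1.0, 1.1]},
    {"fc1": [0.0, 0.2, 0.0], "fc2": [1.1, 1.0]},
    {"fc1": [0.0, 0.0, 0.1], "fc2": [0.9, 1.0]},
    {"fc1": [0.1, 0.1, 0.0], "fc2": [1.0, 0.8]},
    {"fc1": [0.0, 0.1, 0.1], "fc2": [5.0, -3.0]},  # deviates only in fc2
    {"fc1": [0.2, 0.0, 0.0], "fc2": [1.0, 1.2]},
]

if __name__ == "__main__":
    kept = select_collaborators(GLOBAL, LOCALS)
    print("accepted collaborators:", kept)
    print("filtered aggregate:", aggregate(LOCALS, kept))
    print("unfiltered aggregate:", aggregate(LOCALS, list(range(len(LOCALS)))))
```

Collaborator 4 looks ordinary in `fc1` and is excluded only because of `fc2`, which is the case a single whole-model distance could dilute and a per-layer check catches.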
Citation Formats
E. Işık Polat, “BYZANTINE ATTACK ROBUST FEDERATED LEARNING,” M.S. - Master of Science, Middle East Technical University, 2021.