Defending against Poisoning Backdoor Attacks on Federated Meta-learning

ACM Transactions on Intelligent Systems and Technology (TIST) Pub Date : 2022-09-23 DOI:10.1145/3523062

Chien-Lun Chen, Sara Babakniya, Marco Paolieri, L. Golubchik

{"title":"Defending against Poisoning Backdoor Attacks on Federated Meta-learning","authors":"Chien-Lun Chen, Sara Babakniya, Marco Paolieri, L. Golubchik","doi":"10.1145/3523062","DOIUrl":null,"url":null,"abstract":"Federated learning allows multiple users to collaboratively train a shared classification model while preserving data privacy. This approach, where model updates are aggregated by a central server, was shown to be vulnerable to poisoning backdoor attacks: a malicious user can alter the shared model to arbitrarily classify specific inputs from a given class. In this article, we analyze the effects of backdoor attacks on federated meta-learning, where users train a model that can be adapted to different sets of output classes using only a few examples. While the ability to adapt could, in principle, make federated learning frameworks more robust to backdoor attacks (when new training examples are benign), we find that even one-shot attacks can be very successful and persist after additional training. To address these vulnerabilities, we propose a defense mechanism inspired by matching networks, where the class of an input is predicted from the similarity of its features with a support set of labeled examples. By removing the decision logic from the model shared with the federation, the success and persistence of backdoor attacks are greatly reduced.","PeriodicalId":123526,"journal":{"name":"ACM Transactions on Intelligent Systems and Technology (TIST)","volume":"39 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-09-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Intelligent Systems and Technology (TIST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3523062","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

Federated learning allows multiple users to collaboratively train a shared classification model while preserving data privacy. This approach, where model updates are aggregated by a central server, was shown to be vulnerable to poisoning backdoor attacks: a malicious user can alter the shared model to arbitrarily classify specific inputs from a given class. In this article, we analyze the effects of backdoor attacks on federated meta-learning, where users train a model that can be adapted to different sets of output classes using only a few examples. While the ability to adapt could, in principle, make federated learning frameworks more robust to backdoor attacks (when new training examples are benign), we find that even one-shot attacks can be very successful and persist after additional training. To address these vulnerabilities, we propose a defense mechanism inspired by matching networks, where the class of an input is predicted from the similarity of its features with a support set of labeled examples. By removing the decision logic from the model shared with the federation, the success and persistence of backdoor attacks are greatly reduced.

查看原文本刊更多论文

防范联邦元学习的毒化后门攻击

联邦学习允许多个用户协作训练共享分类模型，同时保护数据隐私。在这种方法中，模型更新是由中央服务器聚合的，这种方法很容易受到恶意后门攻击的攻击:恶意用户可以更改共享模型，对给定类的特定输入进行任意分类。在本文中，我们分析了后门攻击对联邦元学习的影响，在联邦元学习中，用户只使用几个示例训练一个模型，该模型可以适应不同的输出类集。虽然适应能力原则上可以使联邦学习框架对后门攻击(当新的训练示例是良性的)更加健壮，但我们发现即使是一次性攻击也可以非常成功，并且在额外的训练之后仍然存在。为了解决这些漏洞，我们提出了一种受匹配网络启发的防御机制，其中输入的类别是根据其特征与标记示例的支持集的相似性来预测的。通过从与联邦共享的模型中删除决策逻辑，后门攻击的成功率和持久性大大降低。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Intelligent Systems and Technology (TIST)

自引率

0.00%

发文量