Title: Probabilistic Byzantine Attack on Federated Learning
Authors: Tsung-Hsuan Wang; Po-Ning Chen; Yu-Chih Huang
DOI: 10.1109/TSP.2025.3564842
Journal: IEEE Transactions on Signal Processing, vol. 73, pp. 1823-1838
Journal ranking: JCR Q1 (Engineering, Electrical & Electronic), impact factor 4.6; CAS region 2 (Engineering & Technology)
Publication type: Journal Article
Publication date: 2025-04-28
Open access: no
URL: https://ieeexplore.ieee.org/document/10979375/
Platform: Semantic Scholar
Citation count: 0
Abstract
In this paper, motivated by the severe effects of black-box evasion attacks on machine learning, we investigate the vulnerability of federated learning (FL) systems to Byzantine attacks. Existing studies predominantly evaluate their defense strategies against monotonous Byzantine attacks in the training stage, which fail to take the characteristics of the public dataset into account. This oversight may undermine confidence in Byzantine defense strategies. In this work, we investigate the issue from the perspective of a Byzantine attacker rather than from that of a system designer focused on mitigating Byzantine attacks. Taking a specific learning task as an example, we examine it under an optimal probabilistic Byzantine attack policy, which extends the scope of the study introduced in [12]. Specifically, we determine the minimum Byzantine effort required to manipulate the sample distribution in the testing stage to a given Byzantine sample distribution. We then derive the optimal and near-optimal Byzantine sample distributions subject to a fixed compromising effort. Additionally, we obtain a closed-form expression for the optimal FL weights, which establishes a connection between the optimal weights and those obtained from FL training. Through numerical experiments, we confirm the effectiveness of the proposed probabilistic Byzantine attack, which can serve as a good test of anti-attack defense strategies.
About the journal:
The IEEE Transactions on Signal Processing covers novel theory, algorithms, performance analyses and applications of techniques for the processing, understanding, learning, retrieval, mining, and extraction of information from signals. The term “signal” includes, among others, audio, video, speech, image, communication, geophysical, sonar, radar, medical and musical signals. Examples of topics of interest include, but are not limited to, information processing and the theory and application of filtering, coding, transmitting, estimating, detecting, analyzing, recognizing, synthesizing, recording, and reproducing signals.