TY - JOUR
T1 - Robust Adversarial Defenses in Federated Learning
T2 - Exploring the Impact of Data Heterogeneity
AU - Li, Qian
AU - Wu, Di
AU - Zhou, Dawei
AU - Lin, Chenhao
AU - Liu, Shuai
AU - Wang, Cong
AU - Shen, Chao
N1 - Publisher Copyright:
© 2005-2012 IEEE.
PY - 2025
Y1 - 2025
N2 - Federated Learning (FL) enables geographically distributed clients to collaboratively train machine learning models by exchanging local model parameters while preserving data privacy. In practice, FL faces two critical challenges. First, it is vulnerable to malicious clients, who can degrade the functionality of FL by launching poisoning attacks. Second, the inherent data heterogeneity among clients (termed Non-IID data in FL) naturally arises from distributed data ownership and significantly degrades model convergence and accuracy. However, because prior studies have treated these two lines of research separately, the interplay between data heterogeneity and security remains poorly understood. In this paper, we systematically investigate the relationship between data heterogeneity and adversarial robustness in FL. Specifically, we propose novel data partitioning algorithms that simulate Label-Conditional Non-IID and Feature-Conditional Non-IID with quantifiable heterogeneity levels. Further, we conduct extensive experiments to evaluate classical defense methods in a practical FL environment under state-of-the-art untargeted attacks. Using results across various settings, we separately analyze how Non-IID data relates to defenses and to attacks. Regarding attacks, although Non-IID data and attacks have similar effects on the resulting model, Non-IID data affects training in a different way than attacks do. The interaction between attacks and Non-IID data gives adversaries an opportunity to cause severe damage to FL. Regarding defenses, Non-IID data induces heterogeneity in the distribution of client models, which makes it harder for defense methods to maintain both fidelity and robustness.
AB - Federated Learning (FL) enables geographically distributed clients to collaboratively train machine learning models by exchanging local model parameters while preserving data privacy. In practice, FL faces two critical challenges. First, it is vulnerable to malicious clients, who can degrade the functionality of FL by launching poisoning attacks. Second, the inherent data heterogeneity among clients (termed Non-IID data in FL) naturally arises from distributed data ownership and significantly degrades model convergence and accuracy. However, because prior studies have treated these two lines of research separately, the interplay between data heterogeneity and security remains poorly understood. In this paper, we systematically investigate the relationship between data heterogeneity and adversarial robustness in FL. Specifically, we propose novel data partitioning algorithms that simulate Label-Conditional Non-IID and Feature-Conditional Non-IID with quantifiable heterogeneity levels. Further, we conduct extensive experiments to evaluate classical defense methods in a practical FL environment under state-of-the-art untargeted attacks. Using results across various settings, we separately analyze how Non-IID data relates to defenses and to attacks. Regarding attacks, although Non-IID data and attacks have similar effects on the resulting model, Non-IID data affects training in a different way than attacks do. The interaction between attacks and Non-IID data gives adversaries an opportunity to cause severe damage to FL. Regarding defenses, Non-IID data induces heterogeneity in the distribution of client models, which makes it harder for defense methods to maintain both fidelity and robustness.
KW - Federated learning
KW - adversarial defenses
KW - poisoning attacks
KW - security
UR - https://www.scopus.com/pages/publications/105007298001
U2 - 10.1109/TIFS.2025.3576594
DO - 10.1109/TIFS.2025.3576594
M3 - Article
AN - SCOPUS:105007298001
SN - 1556-6013
VL - 20
SP - 6005
EP - 6018
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
ER -
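
The abstract's central observation, that label-skewed (Non-IID) data widens the spread of benign client updates and thereby makes robust aggregation harder, can be reproduced in a toy simulation. The following is an added example written for this record, not code from the paper or its authors, and it does not reproduce the paper's own partitioning algorithms: it uses a Dirichlet concentration parameter alpha as an assumed, quantifiable label-heterogeneity knob (small alpha = highly skewed), a 10-class linear stand-in for each client's update, and a variance-aware untargeted attack in the style of "a little is enough" (malicious clients submit the benign mean shifted by z standard deviations, so they sit inside the benign spread) as a stand-in for the state-of-the-art untargeted attacks the abstract mentions. The defenses are the classical mean (FedAvg), coordinate-wise median and trimmed mean. All inputs are constructed inline; the measured quantity is the L2 distance between each aggregator's output and the oracle benign mean.

```python
import random
from statistics import mean, median, pstdev

C = 10  # assumed number of classes; also the dimension of each toy update


def dirichlet(alpha, k, rng):
    """Sample one probability vector from Dirichlet(alpha, ..., alpha) via gamma variates."""
    g = [rng.gammavariate(alpha, 1.0) for _ in range(k)]
    s = sum(g)
    return [x / s for x in g]


def benign_updates(n_benign, alpha, rng, noise=0.02):
    """Toy label-skewed clients (assumed model): a client's update is its local
    label distribution minus the uniform distribution, plus small sampling noise.
    Smaller alpha gives spikier label distributions, so updates spread farther apart."""
    ups = []
    for _ in range(n_benign):
        p = dirichlet(alpha, C, rng)
        ups.append([p[c] - 1.0 / C + rng.gauss(0.0, noise) for c in range(C)])
    return ups


def lie_updates(benign, n_mal, z=1.0):
    """Variance-aware untargeted attack: every malicious client submits the benign
    mean shifted by z per-coordinate standard deviations, staying inside the spread
    that a robust aggregator must tolerate. Assumes the attacker knows benign statistics."""
    mu = [mean(col) for col in zip(*benign)]
    sd = [pstdev(col) for col in zip(*benign)]
    crafted = [mu[c] - z * sd[c] for c in range(C)]
    return [list(crafted) for _ in range(n_mal)]


def agg_mean(ups):
    """FedAvg with equal weights: no robustness at all."""
    return [mean(col) for col in zip(*ups)]


def agg_median(ups):
    """Coordinate-wise median."""
    return [median(col) for col in zip(*ups)]


def agg_trimmed_mean(ups, f):
    """Coordinate-wise trimmed mean: drop the f largest and f smallest values per coordinate."""
    out = []
    for col in zip(*ups):
        s = sorted(col)
        out.append(mean(s[f:len(s) - f]))
    return out


def l2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def simulate(alpha, n_benign=20, n_mal=5, z=1.0, seed=0):
    """One aggregation round at heterogeneity level alpha. Returns the average
    per-coordinate benign spread and each aggregator's distance from the oracle
    benign mean (what a server that knew the malicious set would compute)."""
    rng = random.Random(seed)
    benign = benign_updates(n_benign, alpha, rng)
    target = agg_mean(benign)
    allups = benign + lie_updates(benign, n_mal, z)
    spread = mean(pstdev(col) for col in zip(*benign))
    return {
        "spread": spread,
        "mean": l2(agg_mean(allups), target),
        "median": l2(agg_median(allups), target),
        "trimmed": l2(agg_trimmed_mean(allups, n_mal), target),
    }


if __name__ == "__main__":
    # alpha=100 is close to IID; alpha=0.1 is strongly label-skewed.
    for alpha in (100.0, 1.0, 0.1):
        r = simulate(alpha)
        print(f"alpha={alpha:>6}: spread={r['spread']:.4f}  "
              f"mean_err={r['mean']:.4f}  median_err={r['median']:.4f}  "
              f"trimmed_err={r['trimmed']:.4f}")
```

Because the attack places its updates at a fixed number of standard deviations from the benign mean, every aggregator's error grows roughly in proportion to the benign spread, and the spread is what Non-IID data inflates. With a fixed noise level, the spread at alpha=0.1 is roughly an order of magnitude larger than at alpha=100, and the median and trimmed mean are pulled correspondingly farther from the oracle aggregate, even though the number and strength of the attackers is unchanged. That is the interaction the abstract describes: heterogeneity gives the attacker room to hide, and the same defense that looked adequate on near-IID partitions no longer holds its fidelity.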