Federated learning (FL) is widely used in edge-cloud collaborative training due to its distributed architecture and privacy-preserving properties without sharing local data. FLTrust, the most state-of-the-art FL defense method, is a federated learning defense system with trust guidance. However, we found that FLTrust is not very robust. Therefore, in the edge collaboration scenario, we mainly study the poisoning attack on the FLTrust defense system. Due to the aggregation rule, FLTrust, with trust guidance, the model updates of participants with a significant deviation from the root gradient direction will be eliminated, which makes the poisoning effect on the global model not obvious. To solve this problem, under the premise of not being deleted by the FLTrust aggregation rules, we construct malicious model updates that deviate from the trust gradient to the greatest extent to achieve model poisoning attacks. First, we utilize the rotation of high-dimensional vectors around axes to construct malicious vectors with fixed orientations. Second, the malicious vector is constructed by the gradient inversion method to achieve an efficient and fast attack. Finally, a method of optimizing random noise is used to construct a malicious vector with a fixed direction. Experimental results show that our attack method reduces the model accuracy by 20%, severely undermining the usability of the model. Attacks are also successful hundreds of times faster than the FLTrust adaptive attack method.
|Journal||Software - Practice and Experience|
|Publication status||Published - 10 Dec 2022|
Bibliographical noteFunding Information:
This work was supported by the National Key Research and Development Program of China under Grant 2020YFB1712101 and the National Natural Science Foundation of China (Nos. U1936218 and 62072037).
National Key Research and Development Program of China, Grant/Award Number: 2020YFB1712101; National Natural Science Foundation of China, Grant/Award Numbers: U1936218; 62072037 Funding information
- Byzantine-robust attack
- collaborative edge computing
- federated learning
- poisoning attacks