Clean-label poisoning attacks on federated learning for IoT

Jie Yang; Jun Zheng; Thar Baker; Shuai Tang; Yu an Tan; Quanxin Zhang

doi:10.1111/exsy.13161

Clean-label poisoning attacks on federated learning for IoT

Jie Yang, Jun Zheng, Thar Baker, Shuai Tang, Yu an Tan, Quanxin Zhang

School of Arch, Tech and Eng

Research output: Contribution to journal › Article › peer-review

Abstract

Federated Learning (FL) is suitable for the application scenarios of distributed edge collaboration of the Internet of Things (IoT). It can provide data security and privacy, which is why it is widely used in the IoT applications such as Industrial IoT (IIoT). Latest research shows that the federated learning framework is vulnerable to poisoning attacks in the case of an active attack by the adversary. However, the existing backdoor attack methods are easy to be detected by the defence methods. To address this challenge, we focus on edge-cloud synergistic FL clean-label attacks. Unlike common backdoor attack, to ensure the attack's concealment, we add a small perturbation to realize the clean label attack by judging the cosine similarity between the gradient of the adversarial loss and the gradient of the normal training loss. In order to improve the attack success rate and robustness, the attack is implemented when the global model is about to converge. The experimental results verified that 1% of poisoned data could make an attack successful with a high probability. Our method maintains stealth while performing model poisoning attacks, and the average Peak Signal-to-Noise Ratio (PSNR) of poisoning images reaches over 30 dB, and the average Structural SIMilarity (SSIM) is close to 0.93. Most importantly, our attack method can bypass the Byzantine aggregation defence.

Original language	English
Article number	e13161
Number of pages	15
Journal	Expert Systems
DOIs	https://doi.org/10.1111/exsy.13161
Publication status	Published - 12 Oct 2022

Bibliographical note

Funding Information:
National Key Research and Development Program of China, Grant/Award Number: 2020YFB1712101; National Natural Science Foundation of China, Grant/Award Numbers: 62072037, U1936218 Funding information

Funding Information:
This work was supported by the National Key Research and Development Program of China under Grant 2020YFB1712101, the National Natural Science Foundation of China (No. U1936218 and 62072037).

Publisher Copyright:
© 2022 John Wiley & Sons Ltd.

Keywords

clean label attack
edge-cloud collaboration
federated learning
IoT

Access to Document

10.1111/exsy.13161

Clean-label poisoning attacks on federated learning IoTAccepted author manuscript, 1.03 MBLicence: Other

Cite this

@article{e2a5b6bd995341a5950f8fb7aa2d14ae,

title = "Clean-label poisoning attacks on federated learning for IoT",

abstract = "Federated Learning (FL) is suitable for the application scenarios of distributed edge collaboration of the Internet of Things (IoT). It can provide data security and privacy, which is why it is widely used in the IoT applications such as Industrial IoT (IIoT). Latest research shows that the federated learning framework is vulnerable to poisoning attacks in the case of an active attack by the adversary. However, the existing backdoor attack methods are easy to be detected by the defence methods. To address this challenge, we focus on edge-cloud synergistic FL clean-label attacks. Unlike common backdoor attack, to ensure the attack's concealment, we add a small perturbation to realize the clean label attack by judging the cosine similarity between the gradient of the adversarial loss and the gradient of the normal training loss. In order to improve the attack success rate and robustness, the attack is implemented when the global model is about to converge. The experimental results verified that 1% of poisoned data could make an attack successful with a high probability. Our method maintains stealth while performing model poisoning attacks, and the average Peak Signal-to-Noise Ratio (PSNR) of poisoning images reaches over 30 dB, and the average Structural SIMilarity (SSIM) is close to 0.93. Most importantly, our attack method can bypass the Byzantine aggregation defence.",

keywords = "clean label attack, edge-cloud collaboration, federated learning, IoT",

author = "Jie Yang and Jun Zheng and Thar Baker and Shuai Tang and Tan, {Yu an} and Quanxin Zhang",

note = "Funding Information: National Key Research and Development Program of China, Grant/Award Number: 2020YFB1712101; National Natural Science Foundation of China, Grant/Award Numbers: 62072037, U1936218 Funding information Funding Information: This work was supported by the National Key Research and Development Program of China under Grant 2020YFB1712101, the National Natural Science Foundation of China (No. U1936218 and 62072037). Publisher Copyright: {\textcopyright} 2022 John Wiley & Sons Ltd.",

year = "2022",

month = oct,

day = "12",

doi = "10.1111/exsy.13161",

language = "English",

journal = "Expert Systems",

issn = "0266-4720",

publisher = "Wiley",

}

TY - JOUR

T1 - Clean-label poisoning attacks on federated learning for IoT

AU - Yang, Jie

AU - Zheng, Jun

AU - Baker, Thar

AU - Tang, Shuai

AU - Tan, Yu an

AU - Zhang, Quanxin

N1 - Funding Information: National Key Research and Development Program of China, Grant/Award Number: 2020YFB1712101; National Natural Science Foundation of China, Grant/Award Numbers: 62072037, U1936218 Funding information Funding Information: This work was supported by the National Key Research and Development Program of China under Grant 2020YFB1712101, the National Natural Science Foundation of China (No. U1936218 and 62072037). Publisher Copyright: © 2022 John Wiley & Sons Ltd.

PY - 2022/10/12

Y1 - 2022/10/12

N2 - Federated Learning (FL) is suitable for the application scenarios of distributed edge collaboration of the Internet of Things (IoT). It can provide data security and privacy, which is why it is widely used in the IoT applications such as Industrial IoT (IIoT). Latest research shows that the federated learning framework is vulnerable to poisoning attacks in the case of an active attack by the adversary. However, the existing backdoor attack methods are easy to be detected by the defence methods. To address this challenge, we focus on edge-cloud synergistic FL clean-label attacks. Unlike common backdoor attack, to ensure the attack's concealment, we add a small perturbation to realize the clean label attack by judging the cosine similarity between the gradient of the adversarial loss and the gradient of the normal training loss. In order to improve the attack success rate and robustness, the attack is implemented when the global model is about to converge. The experimental results verified that 1% of poisoned data could make an attack successful with a high probability. Our method maintains stealth while performing model poisoning attacks, and the average Peak Signal-to-Noise Ratio (PSNR) of poisoning images reaches over 30 dB, and the average Structural SIMilarity (SSIM) is close to 0.93. Most importantly, our attack method can bypass the Byzantine aggregation defence.

AB - Federated Learning (FL) is suitable for the application scenarios of distributed edge collaboration of the Internet of Things (IoT). It can provide data security and privacy, which is why it is widely used in the IoT applications such as Industrial IoT (IIoT). Latest research shows that the federated learning framework is vulnerable to poisoning attacks in the case of an active attack by the adversary. However, the existing backdoor attack methods are easy to be detected by the defence methods. To address this challenge, we focus on edge-cloud synergistic FL clean-label attacks. Unlike common backdoor attack, to ensure the attack's concealment, we add a small perturbation to realize the clean label attack by judging the cosine similarity between the gradient of the adversarial loss and the gradient of the normal training loss. In order to improve the attack success rate and robustness, the attack is implemented when the global model is about to converge. The experimental results verified that 1% of poisoned data could make an attack successful with a high probability. Our method maintains stealth while performing model poisoning attacks, and the average Peak Signal-to-Noise Ratio (PSNR) of poisoning images reaches over 30 dB, and the average Structural SIMilarity (SSIM) is close to 0.93. Most importantly, our attack method can bypass the Byzantine aggregation defence.

KW - clean label attack

KW - edge-cloud collaboration

KW - federated learning

KW - IoT

UR - http://www.scopus.com/inward/record.url?scp=85139652135&partnerID=8YFLogxK

U2 - 10.1111/exsy.13161

DO - 10.1111/exsy.13161

M3 - Article

SN - 0266-4720

JO - Expert Systems

JF - Expert Systems

M1 - e13161

ER -

Clean-label poisoning attacks on federated learning for IoT

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this