Data-Agnostic Model Poisoning against Federated Learning: A Graph Autoencoder Approach

Bibliographic details
Main author: Li, Kai
Publication date: 2024
Other authors: Zheng, Jingjing; Yuan, Xin; Ni, Wei; Akan, Ozgur B.; Poor, H. Vincent
Document type: Article
Language: eng
Source title: Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos)
Full text: http://hdl.handle.net/10400.22/24964
Abstract: This paper proposes a novel, data-agnostic model poisoning attack on Federated Learning (FL) by designing a new adversarial graph autoencoder (GAE)-based framework. The attack requires no knowledge of the FL training data and achieves both effectiveness and undetectability. By listening to the benign local models and the global model, the attacker extracts the graph structural correlations among the benign local models and the training data features substantiating those models. The attacker then adversarially regenerates the graph structural correlations while maximizing the FL training loss, and subsequently generates malicious local models from the adversarial graph structure and the training data features of the benign models. A new algorithm is designed to iteratively train the malicious local models using the GAE and sub-gradient descent. The convergence of FL under attack is rigorously proved, with a considerably large optimality gap. Experiments show that FL accuracy drops gradually under the proposed attack and that existing defense mechanisms fail to detect it. The attack can give rise to an infection across all benign devices, making it a serious threat to FL.
Record details
Contributing repository: Repositório Científico do Instituto Politécnico do Porto
OAI identifier: oai:recipp.ipp.pt:10400.22/24964
Date issued: 2024-02-01
Date deposited: 2024-02-07
Version: published version
Format: application/pdf
Access rights: open access
Aggregator: Repositório Científico de Acesso Aberto de Portugal (RCAAP) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação