FLAME: Taming Backdoors in Federated Learning

Thien Duc Nguyen; Phillip Rieger; Huili Chen; Hossein Yalame; Helen Möllering; Hossein Fereidooni; Samuel Marchal; Markus Miettinen; Azalia Mirhoseini; Shaza Zeitouni; Farinaz Koushanfar; Ahmad Reza Sadeghi; Thomas Schneider

FLAME: Taming Backdoors in Federated Learning

Thien Duc Nguyen^*, Phillip Rieger, Huili Chen, Hossein Yalame, Helen Möllering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, Azalia Mirhoseini, Shaza Zeitouni, Farinaz Koushanfar, Ahmad Reza Sadeghi, Thomas Schneider

^*Tämän työn vastaava kirjoittaja

Tutkimustuotos: Artikkeli kirjassa/konferenssijulkaisussa › Conference contribution › Scientific › vertaisarvioitu

13 Sitaatiot (Scopus)

13 Lataukset (Pure)

Abstrakti

Federated Learning (FL) is a collaborative machine learning approach allowing participants to jointly train a model without having to share their private, potentially sensitive local datasets with others. Despite its benefits, FL is vulnerable to so-called backdoor attacks, in which an adversary injects manipulated model updates into the federated model aggregation process so that the resulting model will provide targeted false predictions for specific adversary-chosen inputs. Proposed defenses against backdoor attacks based on detecting and filtering out malicious model updates consider only very specific and limited attacker models, whereas defenses based on differential privacy-inspired noise injection significantly deteriorate the benign performance of the aggregated model. To address these deficiencies, we introduce FLAME, a defense framework that estimates the sufficient amount of noise to be injected to ensure the elimination of backdoors. To minimize the required amount of noise, FLAME uses a model clustering and weight clipping approach. This ensures that FLAME can maintain the benign performance of the aggregated model while effectively eliminating adversarial backdoors. Our evaluation of FLAME on several datasets stemming from application areas including image classification, word prediction, and IoT intrusion detection demonstrates that FLAME removes backdoors effectively with a negligible impact on the benign performance of the models.

Alkuperäiskieli	Englanti
Otsikko	Proceedings of the 31st USENIX Security Symposium, Security 2022
Kustantaja	USENIX - THE ADVANCED COMPUTING SYSTEMS ASSOCIATION
Sivut	1415-1432
Sivumäärä	18
ISBN (elektroninen)	9781939133311
Tila	Julkaistu - 2022
OKM-julkaisutyyppi	A4 Artikkeli konferenssijulkaisuussa
Tapahtuma	USENIX Security Symposium - Boston, Yhdysvallat Kesto: 10 elok. 2022 → 12 elok. 2022 Konferenssinumero: 31

Conference

Conference	USENIX Security Symposium
Maa/Alue	Yhdysvallat
Kaupunki	Boston
Ajanjakso	10/08/2022 → 12/08/2022

Pääsy asiakirjaan

FLAME_Taming Backdoors in Federated LearningFinal published version, 5,77 MB

https://www.usenix.org/conference/usenixsecurity22/presentation/nguyen

OpenUrl-saatavuus

Koko teksti

Muut tiedostot ja linkit

Linkki julkaisuun Scopuksessa

Siteeraa tätä

Nguyen, T. D., Rieger, P., Chen, H., Yalame, H., Möllering, H., Fereidooni, H., Marchal, S., Miettinen, M., Mirhoseini, A., Zeitouni, S., Koushanfar, F., Sadeghi, A. R., & Schneider, T. (2022). FLAME: Taming Backdoors in Federated Learning. teoksessa Proceedings of the 31st USENIX Security Symposium, Security 2022 (Sivut 1415-1432). USENIX - THE ADVANCED COMPUTING SYSTEMS ASSOCIATION. https://www.usenix.org/conference/usenixsecurity22/presentation/nguyen

@inproceedings{222ce18eee3e4ebd9e4ee0460bd3e0c4,

title = "FLAME: Taming Backdoors in Federated Learning",

abstract = "Federated Learning (FL) is a collaborative machine learning approach allowing participants to jointly train a model without having to share their private, potentially sensitive local datasets with others. Despite its benefits, FL is vulnerable to so-called backdoor attacks, in which an adversary injects manipulated model updates into the federated model aggregation process so that the resulting model will provide targeted false predictions for specific adversary-chosen inputs. Proposed defenses against backdoor attacks based on detecting and filtering out malicious model updates consider only very specific and limited attacker models, whereas defenses based on differential privacy-inspired noise injection significantly deteriorate the benign performance of the aggregated model. To address these deficiencies, we introduce FLAME, a defense framework that estimates the sufficient amount of noise to be injected to ensure the elimination of backdoors. To minimize the required amount of noise, FLAME uses a model clustering and weight clipping approach. This ensures that FLAME can maintain the benign performance of the aggregated model while effectively eliminating adversarial backdoors. Our evaluation of FLAME on several datasets stemming from application areas including image classification, word prediction, and IoT intrusion detection demonstrates that FLAME removes backdoors effectively with a negligible impact on the benign performance of the models.",

author = "Nguyen, {Thien Duc} and Phillip Rieger and Huili Chen and Hossein Yalame and Helen M{\"o}llering and Hossein Fereidooni and Samuel Marchal and Markus Miettinen and Azalia Mirhoseini and Shaza Zeitouni and Farinaz Koushanfar and Sadeghi, {Ahmad Reza} and Thomas Schneider",

note = "Funding Information: This research was funded by the Deutsche Forschungsgemeinschaft (DFG) SFB-1119 CROSSING/236615297, the European Research Council (ERC, grant No. 850990 PSOTI), the EU H2020 project SPATIAL (grant No. 101021808), GRK 2050 Privacy & Trust/251805230, HMWK within ATHENE project, NSF-TrustHub (grant No. 1649423), SRC-Auto (2019-AU-2899), Huawei OpenS3 Lab, and Intel Private AI Collaborative Research Center. We thank the anonymous reviewers and the shepherd, Neil Gong, for constructive reviews and comments. Publisher Copyright: {\textcopyright} USENIX Security Symposium, Security 2022.All rights reserved.; USENIX Security Symposium ; Conference date: 10-08-2022 Through 12-08-2022",

year = "2022",

language = "English",

pages = "1415--1432",

booktitle = "Proceedings of the 31st USENIX Security Symposium, Security 2022",

publisher = "USENIX - THE ADVANCED COMPUTING SYSTEMS ASSOCIATION",

address = "United States",

}

Nguyen, TD, Rieger, P, Chen, H, Yalame, H, Möllering, H, Fereidooni, H, Marchal, S, Miettinen, M, Mirhoseini, A, Zeitouni, S, Koushanfar, F, Sadeghi, AR & Schneider, T 2022, FLAME: Taming Backdoors in Federated Learning. julkaisussa Proceedings of the 31st USENIX Security Symposium, Security 2022. USENIX - THE ADVANCED COMPUTING SYSTEMS ASSOCIATION, Sivut 1415-1432, USENIX Security Symposium, Boston, Massachusetts, Yhdysvallat, 10/08/2022. <https://www.usenix.org/conference/usenixsecurity22/presentation/nguyen>

TY - GEN

T1 - FLAME: Taming Backdoors in Federated Learning

AU - Nguyen, Thien Duc

AU - Rieger, Phillip

AU - Chen, Huili

AU - Yalame, Hossein

AU - Möllering, Helen

AU - Fereidooni, Hossein

AU - Marchal, Samuel

AU - Miettinen, Markus

AU - Mirhoseini, Azalia

AU - Zeitouni, Shaza

AU - Koushanfar, Farinaz

AU - Sadeghi, Ahmad Reza

AU - Schneider, Thomas

N1 - Conference code: 31

PY - 2022

Y1 - 2022

N2 - Federated Learning (FL) is a collaborative machine learning approach allowing participants to jointly train a model without having to share their private, potentially sensitive local datasets with others. Despite its benefits, FL is vulnerable to so-called backdoor attacks, in which an adversary injects manipulated model updates into the federated model aggregation process so that the resulting model will provide targeted false predictions for specific adversary-chosen inputs. Proposed defenses against backdoor attacks based on detecting and filtering out malicious model updates consider only very specific and limited attacker models, whereas defenses based on differential privacy-inspired noise injection significantly deteriorate the benign performance of the aggregated model. To address these deficiencies, we introduce FLAME, a defense framework that estimates the sufficient amount of noise to be injected to ensure the elimination of backdoors. To minimize the required amount of noise, FLAME uses a model clustering and weight clipping approach. This ensures that FLAME can maintain the benign performance of the aggregated model while effectively eliminating adversarial backdoors. Our evaluation of FLAME on several datasets stemming from application areas including image classification, word prediction, and IoT intrusion detection demonstrates that FLAME removes backdoors effectively with a negligible impact on the benign performance of the models.

AB - Federated Learning (FL) is a collaborative machine learning approach allowing participants to jointly train a model without having to share their private, potentially sensitive local datasets with others. Despite its benefits, FL is vulnerable to so-called backdoor attacks, in which an adversary injects manipulated model updates into the federated model aggregation process so that the resulting model will provide targeted false predictions for specific adversary-chosen inputs. Proposed defenses against backdoor attacks based on detecting and filtering out malicious model updates consider only very specific and limited attacker models, whereas defenses based on differential privacy-inspired noise injection significantly deteriorate the benign performance of the aggregated model. To address these deficiencies, we introduce FLAME, a defense framework that estimates the sufficient amount of noise to be injected to ensure the elimination of backdoors. To minimize the required amount of noise, FLAME uses a model clustering and weight clipping approach. This ensures that FLAME can maintain the benign performance of the aggregated model while effectively eliminating adversarial backdoors. Our evaluation of FLAME on several datasets stemming from application areas including image classification, word prediction, and IoT intrusion detection demonstrates that FLAME removes backdoors effectively with a negligible impact on the benign performance of the models.

UR - http://www.scopus.com/inward/record.url?scp=85133365471&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85133365471

SP - 1415

EP - 1432

BT - Proceedings of the 31st USENIX Security Symposium, Security 2022

PB - USENIX - THE ADVANCED COMPUTING SYSTEMS ASSOCIATION

T2 - USENIX Security Symposium

Y2 - 10 August 2022 through 12 August 2022

ER -

FLAME: Taming Backdoors in Federated Learning

Abstrakti

Conference

Pääsy asiakirjaan

OpenUrl-saatavuus

Muut tiedostot ja linkit

Sormenjälki

Siteeraa tätä