DOI: 10.1007/978-3-030-58951-6_24
Article

Data Poisoning Attacks Against Federated Learning Systems

Published: 14 September 2020

Abstract

Federated learning (FL) is an emerging paradigm for distributed training of large-scale deep neural networks in which participants’ data remains on their own devices with only model updates being shared with a central server. However, the distributed nature of FL gives rise to new threats caused by potentially malicious participants. In this paper, we study targeted data poisoning attacks against FL systems in which a malicious subset of the participants aims to poison the global model by sending model updates derived from mislabeled data. We first demonstrate that such data poisoning attacks can cause substantial drops in classification accuracy and recall, even with a small percentage of malicious participants. We additionally show that the attacks can be targeted, i.e., they have a large negative impact only on classes that are under attack. We also study attack longevity in early/late round training, the impact of malicious participant availability, and the relationships between the two. Finally, we propose a defense strategy that can help identify malicious participants in FL to circumvent poisoning attacks, and demonstrate its effectiveness.
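The attack the abstract describes can be reproduced in miniature. The block below is an added illustration written for this page, not code from the paper or its authors: it builds a synthetic three-class data set (three jittered 2-D clusters, an assumption of this example), trains a linear softmax classifier with federated averaging over ten clients, and lets the first few clients relabel every sample of a SOURCE class as a TARGET class before local training, exactly the "model updates derived from mislabeled data" scenario. It reports per-class recall on a clean held-out set, the mean probability the global model assigns to the source class on true source-class samples, and which clients a simple server-side check flags each round. That check (distance of each client's update from the coordinate-wise median update, flagged when it exceeds five times the median distance) is a generic outlier rule used here as a stand-in; it is not the paper's defence, and all thresholds and client counts are assumptions. Two caveats the run makes visible: with a linear model a malicious minority mostly erodes the source-class confidence rather than flipping predictions (the abstract reports substantial recall drops at small malicious fractions for deep networks), and the median-based check presumes an honest majority, so with seven of ten clients malicious it flags the honest clients instead.

```python
"""Toy federated-averaging simulation of a targeted label-flipping attack.
Constructed example with synthetic data and a linear softmax classifier; it does
not reproduce the paper's experiments or its defence."""
import math
import random

NUM_CLASSES = 3
CENTERS = [(-4.0, 0.0), (0.0, 4.0), (4.0, 0.0)]  # constructed cluster centres (assumption)
SOURCE, TARGET = 0, 2                           # attacked class -> label the attacker wants
NUM_CLIENTS, PER_CLIENT = 10, 60                # IID shards, 20 samples per class each
ROUNDS, LOCAL_EPOCHS, BATCH, LR = 12, 2, 10, 0.02
FLAG_RATIO = 5.0                                # outlier rule: > 5x the median client distance

def make_data(n_per_class, seed):
    """Points jittered by +-0.5 around each centre; x[2] = 1 feeds the bias weight."""
    rng = random.Random(seed)
    return [((cx + rng.uniform(-0.5, 0.5), cy + rng.uniform(-0.5, 0.5), 1.0), label)
            for label, (cx, cy) in enumerate(CENTERS) for _ in range(n_per_class)]

def predict_proba(w, x):
    """Softmax over the three linear logits W x."""
    logits = [sum(wi * xi for wi, xi in zip(row, x)) for row in w]
    top = max(logits)
    exps = [math.exp(v - top) for v in logits]
    return [e / sum(exps) for e in exps]

def local_train(w_global, data, rng):
    """Minibatch SGD on cross-entropy from the global weights; returns the update."""
    w = [row[:] for row in w_global]
    for _ in range(LOCAL_EPOCHS):
        order = data[:]
        rng.shuffle(order)
        for b in range(0, len(order), BATCH):
            batch = order[b:b + BATCH]
            grad = [[0.0] * 3 for _ in range(NUM_CLASSES)]
            for x, y in batch:
                p = predict_proba(w, x)
                for k in range(NUM_CLASSES):
                    coef = (1.0 if k == y else 0.0) - p[k]   # negative gradient of -log p_y
                    for j in range(3):
                        grad[k][j] += coef * x[j]
            for k in range(NUM_CLASSES):
                for j in range(3):
                    w[k][j] += LR * grad[k][j] / len(batch)
    return [[w[k][j] - w_global[k][j] for j in range(3)] for k in range(NUM_CLASSES)]

def flag_outliers(updates):
    """Server-side check: flag clients whose update lies far from the coordinate-wise
    median update.  Assumes an honest majority so the median is an honest reference;
    this simple rule stands in for a defence and is not the paper's method."""
    flat = [[v for row in u for v in row] for u in updates]
    n = len(flat)
    median = [sorted(col)[n // 2] for col in zip(*flat)]
    dists = [math.sqrt(sum((v - m) ** 2 for v, m in zip(f, median))) for f in flat]
    cutoff = FLAG_RATIO * sorted(dists)[n // 2]
    flagged = {i for i, d in enumerate(dists) if d > cutoff}
    return set() if 2 * len(flagged) >= n else flagged   # never drop half the clients

def evaluate(w, test):
    """Per-class recall and the mean SOURCE probability on true SOURCE samples."""
    hits, counts, conf = [0] * NUM_CLASSES, [0] * NUM_CLASSES, 0.0
    for x, y in test:
        p = predict_proba(w, x)
        counts[y] += 1
        hits[y] += int(p.index(max(p)) == y)
        conf += p[SOURCE] if y == SOURCE else 0.0
    return [h / c for h, c in zip(hits, counts)], conf / counts[SOURCE]

def simulate(num_malicious, defend, seed=0):
    """FedAvg where clients 0..num_malicious-1 poison their SOURCE labels."""
    rng = random.Random(seed)
    shards = [[] for _ in range(NUM_CLIENTS)]
    for i, sample in enumerate(make_data(NUM_CLIENTS * PER_CLIENT // NUM_CLASSES, seed)):
        shards[i % NUM_CLIENTS].append(sample)              # round-robin -> IID shards
    for c in range(num_malicious):                           # the data-poisoning step
        shards[c] = [(x, TARGET if y == SOURCE else y) for x, y in shards[c]]
    w = [[0.0] * 3 for _ in range(NUM_CLASSES)]
    flagged_per_round = []
    for _ in range(ROUNDS):
        updates = [local_train(w, shard, rng) for shard in shards]
        flagged = flag_outliers(updates) if defend else set()
        flagged_per_round.append(flagged)
        kept = [u for i, u in enumerate(updates) if i not in flagged]
        for k in range(NUM_CLASSES):
            for j in range(3):
                w[k][j] += sum(u[k][j] for u in kept) / len(kept)
    recall, conf = evaluate(w, make_data(50, seed + 1))       # clean held-out set
    return {"recall": recall, "source_conf": conf, "flagged": flagged_per_round}

if __name__ == "__main__":
    for bad in (0, 3, 7):
        for defend in (False, True):
            r = simulate(bad, defend)
            print(f"malicious={bad} defend={defend} recall={[round(v, 2) for v in r['recall']]} "
                  f"source_conf={r['source_conf']:.2f} flagged_last={sorted(r['flagged'][-1])}")
```

Running the block prints one line per configuration. Recall of the untouched class stays at 1.0 throughout, which is the targeted property; the source-class confidence falls monotonically with the number of attackers; with three attackers the check flags exactly clients 0, 1 and 2 in every round and the global model trains as if they were absent; with seven attackers the median itself is an attacker update, the honest clients 7, 8 and 9 are the ones flagged, and source-class recall collapses whether the check is on or off.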

Published in

    Computer Security – ESORICS 2020: 25th European Symposium on Research in Computer Security, ESORICS 2020, Guildford, UK, September 14–18, 2020, Proceedings, Part I
    Sep 2020, 773 pages
    ISBN: 978-3-030-58950-9
    DOI: 10.1007/978-3-030-58951-6
    © Springer Nature Switzerland AG 2020
    Publisher: Springer-Verlag, Berlin, Heidelberg