A0332
Title: Trusted aggregation (TAG): Model filtering backdoor defense in federated learning
Authors: Joseph Lavond - University of North Carolina at Chapel Hill (United States)
Yao Li - University of North Carolina at Chapel Hill (United States) [presenting]
Minhao Cheng - Hong Kong University of Science and Technology (Hong Kong)
Abstract: Federated learning is a framework for training machine learning models from multiple local data sets without access to the data in the aggregate. A shared model is jointly learned through an interactive process between the server and clients that combines locally known model gradients or weights. However, the lack of data transparency naturally raises concerns about model security. Recently, several state-of-the-art backdoor attacks have been proposed, which achieve high attack success rates while simultaneously being difficult to detect, leading to compromised federated learning models. Motivated by differences in the outputs of models trained with and without the presence of backdoor attacks, a defense method that can prevent backdoor attacks from influencing the model while maintaining the accuracy of the original classification task is proposed. TAG leverages a small validation data set to estimate the largest change a benign user's local training can make to the shared model, which can be used as a cutoff for returning user models. Experimental results on multiple data sets show that TAG defends against backdoor attacks even when 40% of the user submissions to update the shared model are malicious.
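The filtering rule the abstract describes, as an added toy example that is not the authors' code: the server trains on its own trusted validation set to estimate how far benign local training moves the shared model, and drops client uploads that move it further. Assumptions not in the abstract: a linear model trained by plain SGD on squared error, the "change" measured as the L2 distance between an uploaded model and the shared model, and a tolerance factor of 1.5 on the cutoff; the paper's exact statistic may differ.

```python
import math

def train_local(weights, data, lr=0.1, steps=20):
    """SGD on squared error for a linear model y = w . x, starting from the
    shared weights; returns the client's updated weights (assumed trainer)."""
    w = list(weights)
    for _ in range(steps):
        for x, y in data:
            pred = sum(wi * xi for wi, xi in zip(w, x))
            grad = [(pred - y) * xi for xi in x]
            w = [wi - lr * gi for wi, gi in zip(w, grad)]
    return w

def l2_change(shared, returned):
    """Assumed change metric: L2 distance of an upload from the shared model."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(shared, returned)))

def tag_cutoff(shared, validation, tolerance=1.5):
    """Estimate the largest change benign training should make: run the same
    local training on the server's trusted validation set and measure it."""
    return tolerance * l2_change(shared, train_local(shared, validation))

def tag_aggregate(shared, submissions, validation):
    """Drop uploads whose change exceeds the cutoff, average the rest.
    Returns (new_shared_weights, indices_of_kept_submissions)."""
    cutoff = tag_cutoff(shared, validation)
    kept = [i for i, w in enumerate(submissions) if l2_change(shared, w) <= cutoff]
    if not kept:  # nothing trusted this round: keep the shared model unchanged
        return list(shared), kept
    n = len(kept)
    new = [sum(submissions[i][j] for i in kept) / n for j in range(len(shared))]
    return new, kept

# Constructed sample data: the true relation is y = 2*x1 - 1*x2.
VALIDATION = [((1.0, 0.0), 2.0), ((0.0, 1.0), -1.0),
              ((1.0, 1.0), 1.0), ((-1.0, 1.0), -3.0)]
CLIENT_DATA = [
    [((1.0, 1.0), 1.0), ((-1.0, 1.0), -3.0)],
    [((1.0, 0.0), 2.0), ((0.0, 1.0), -1.0)],
    [((0.5, 0.5), 0.5), ((1.0, -1.0), 3.0)],
]

def demo():
    """One aggregation round: three benign uploads plus one constructed outlier
    standing in for a manipulated upload that moves the model far too much."""
    shared = [0.0, 0.0]
    submissions = [train_local(shared, d) for d in CLIENT_DATA]
    submissions.append([20.0, -20.0])  # constructed outlier, index 3
    return tag_aggregate(shared, submissions, VALIDATION)

if __name__ == "__main__":
    print(demo())
```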