LoMar: A Local Defense Against Poisoning Attack on Federated Learning

Abstract

Federated learning (FL) provides a high efficient decentralized machine learning framework, where the training data remains distributed at remote clients in a network. Though FL enables a privacy-preserving mobile edge computing framework using IoT devices, recent studies have shown that this approach is susceptible to poisoning attacks from the side of remote clients. To address the poisoning attacks on FL, we provide a <i>two-phase</i> defense algorithm called <inline-formula><tex-math notation="LaTeX">${\underline{Lo}cal\ \underline{Ma}licious\ Facto\underline{r}}$</tex-math></inline-formula> (LoMar). In phase I, LoMar scores model updates from each remote client by measuring the relative distribution over their neighbors using a kernel density estimation method. In phase II, an optimal threshold is approximated to distinguish malicious and clean updates from a statistical perspective. Comprehensive experiments on four real-world datasets have been conducted, and the experimental results show that our defense strategy can effectively protect the FL system. Specifically, the defense performance on Amazon dataset under a label-flipping attack indicates that, compared with FG+Krum, LoMar increases the target label testing accuracy from <inline-formula><tex-math notation="LaTeX">$96.0\%$</tex-math></inline-formula> to <inline-formula><tex-math notation="LaTeX">$98.8\%$</tex-math></inline-formula> , and the overall averaged testing accuracy from <inline-formula><tex-math notation="LaTeX">$90.1\%$</tex-math></inline-formula> to <inline-formula><tex-math notation="LaTeX">$97.0\%$</tex-math></inline-formula> .