LoDen: Making Every Client in Federated Learning a Defender Against the Poisoning Membership Inference Attacks

Ma, M; Zhang, Y; Arachchige, PCM; Zhang, LY; Chhetri, MB; Bai, G

LoDen: Making Every Client in Federated Learning a Defender Against the Poisoning Membership Inference Attacks

Ma, M Zhang, Y

Arachchige, PCM Zhang, LY Chhetri, MB Bai, G

Permalink

Publisher:: ASSOC COMPUTING MACHINERY
Publication Type:: Conference Proceeding
Citation:: Proceedings of the ACM Conference on Computer and Communications Security, 2023, pp. 122-135
Issue Date:: 2023-07-10

Closed Access

	Filename	Description	Size
	23‘ AsiaCCS LoDen.pdf	Accepted version	1.24 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Ma, M
dc.contributor.author	Zhang, Y https://orcid.org/0000-0001-5611-3483
dc.contributor.author	Arachchige, PCM
dc.contributor.author	Zhang, LY
dc.contributor.author	Chhetri, MB
dc.contributor.author	Bai, G
dc.date	2023-07-10
dc.date.accessioned	2024-02-01T00:44:58Z
dc.date.available	2024-02-01T00:44:58Z
dc.date.issued	2023-07-10
dc.identifier.citation	Proceedings of the ACM Conference on Computer and Communications Security, 2023, pp. 122-135
dc.identifier.isbn	9798400700989
dc.identifier.issn	1543-7221
dc.identifier.uri	http://hdl.handle.net/10453/175174
dc.description.abstract	Federated learning (FL) is a widely used distributed machine learning framework. However, recent studies have shown its susceptibility to poisoning membership inference attacks (MIA). In MIA, adversaries maliciously manipulate the local updates on selected samples and share the gradients with the server (i.e., poisoning). Since honest clients perform gradient descent on samples locally, an adversary can distinguish whether the attacked sample is a training sample based on observation of the change of the sample's prediction. This type of attack exacerbates traditional passive MIA, yet the defense mechanisms remain largely unexplored. In this work, we first investigate the effectiveness of the existing server-side robust aggregation algorithms (AGRs), designed to counter general poisoning attacks, in defending against poisoning MIA. We find that they are largely insufficient in mitigating poisoning MIA, as it targets specific victim samples and has minimal impact on model performance, unlike general poisoning. Thus, we propose a new client-side defense mechanism, called LoDen, which leverages the clients' unique ability to detect any suspicious privacy attacks. We theoretically quantify the membership information leaked to the poisoning MIA and provide a bound for this leakage in LoDen. We perform an extensive experimental evaluation on four benchmark datasets against poisoning MIA, comparing LoDen with six state-of-the-art server-side AGRs. LoDen consistently achieves missing rate in detecting poisoning MIA across all settings, and reduces the poisoning MIA success rate to in most cases. The code of LoDen is available at https://github.com/UQ-Trust-Lab/LoDen.
dc.language	en
dc.publisher	ASSOC COMPUTING MACHINERY
dc.relation.ispartof	Proceedings of the ACM Conference on Computer and Communications Security
dc.relation.ispartof	18th ACM ASIA Conference on Computer and Communications Security (ASIA CCS)
dc.relation.isbasedon	10.1145/3579856.3590334
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	LoDen: Making Every Client in Federated Learning a Defender Against the Poisoning Membership Inference Attacks
dc.type	Conference Proceeding
utslib.location.activity	AUSTRALIA, Melbourne
pubs.organisational-group	University of Technology Sydney
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	closed_access	*
dc.date.updated	2024-02-01T00:44:57Z
pubs.finish-date	2023-07-14
pubs.publication-status	Published
pubs.start-date	2023-07-10

Abstract:

Federated learning (FL) is a widely used distributed machine learning framework. However, recent studies have shown its susceptibility to poisoning membership inference attacks (MIA). In MIA, adversaries maliciously manipulate the local updates on selected samples and share the gradients with the server (i.e., poisoning). Since honest clients perform gradient descent on samples locally, an adversary can distinguish whether the attacked sample is a training sample based on observation of the change of the sample's prediction. This type of attack exacerbates traditional passive MIA, yet the defense mechanisms remain largely unexplored. In this work, we first investigate the effectiveness of the existing server-side robust aggregation algorithms (AGRs), designed to counter general poisoning attacks, in defending against poisoning MIA. We find that they are largely insufficient in mitigating poisoning MIA, as it targets specific victim samples and has minimal impact on model performance, unlike general poisoning. Thus, we propose a new client-side defense mechanism, called LoDen, which leverages the clients' unique ability to detect any suspicious privacy attacks. We theoretically quantify the membership information leaked to the poisoning MIA and provide a bound for this leakage in LoDen. We perform an extensive experimental evaluation on four benchmark datasets against poisoning MIA, comparing LoDen with six state-of-the-art server-side AGRs. LoDen consistently achieves missing rate in detecting poisoning MIA across all settings, and reduces the poisoning MIA success rate to in most cases. The code of LoDen is available at https://github.com/UQ-Trust-Lab/LoDen.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/175174