AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning

Zhang, Y; Bai, G; Chamikara, MAP; Ma, M; Shen, L; Wang, J; Nepal, S; Xue, M; Wang, L; Liu, J

AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning

Zhang, Y

Bai, G Chamikara, MAP Ma, M Shen, L Wang, J Nepal, S Xue, M Wang, L Liu, J

Permalink

Publisher:: Association for Computing Machinery (ACM)
Publication Type:: Conference Proceeding
Citation:: ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023, 2023, pp. 2371-2382
Issue Date:: 2023-04-30

Closed Access

	Filename	Description	Size
	23‘ WWW AgrEvader.pdf	Accepted version	1.06 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Zhang, Y https://orcid.org/0000-0001-5611-3483
dc.contributor.author	Bai, G
dc.contributor.author	Chamikara, MAP
dc.contributor.author	Ma, M
dc.contributor.author	Shen, L
dc.contributor.author	Wang, J
dc.contributor.author	Nepal, S
dc.contributor.author	Xue, M
dc.contributor.author	Wang, L
dc.contributor.author	Liu, J
dc.date.accessioned	2024-02-01T00:50:03Z
dc.date.available	2024-02-01T00:50:03Z
dc.date.issued	2023-04-30
dc.identifier.citation	ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023, 2023, pp. 2371-2382
dc.identifier.isbn	9781450394161
dc.identifier.uri	http://hdl.handle.net/10453/175180
dc.description.abstract	The Poisoning Membership Inference Attack (PMIA) is a newly emerging privacy attack that poses a significant threat to federated learning (FL). An adversary conducts data poisoning (i.e., performing adversarial manipulations on training examples) to extract membership information by exploiting the changes in loss resulting from data poisoning. The PMIA significantly exacerbates the traditional poisoning attack that is primarily focused on model corruption. However, there has been a lack of a comprehensive systematic study that thoroughly investigates this topic. In this work, we conduct a benchmark evaluation to assess the performance of PMIA against the Byzantine-robust FL setting that is specifically designed to mitigate poisoning attacks. We find that all existing coordinate-wise averaging mechanisms fail to defend against the PMIA, while the detect-then-drop strategy was proven to be effective in most cases, implying that the poison injection is memorized and the poisonous effect rarely dissipates. Inspired by this observation, we propose AgrEvader, a PMIA that maximizes the adversarial impact on the victim samples while circumventing the detection by Byzantine-robust mechanisms. AgrEvader significantly outperforms existing PMIAs. For instance, AgrEvader achieved a high attack accuracy of between 72.78% (on CIFAR-10) to 97.80% (on Texas100), which is an average accuracy increase of 13.89% compared to the strongest PMIA reported in the literature. We evaluated AgrEvader on five datasets across different domains, against a comprehensive list of threat models, which included black-box, gray-box and white-box models for targeted and non-targeted scenarios. AgrEvader demonstrated consistent high accuracy across all settings tested. The code is available at: https://github.com/PrivSecML/AgrEvader.
dc.language	en
dc.publisher	Association for Computing Machinery (ACM)
dc.relation.ispartof	ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023
dc.relation.ispartof	Proceedings of the ACM Web Conference 2023
dc.relation.isbasedon	10.1145/3543507.3583542
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning
dc.type	Conference Proceeding
pubs.organisational-group	University of Technology Sydney
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	closed_access	*
dc.date.updated	2024-02-01T00:50:02Z
pubs.publication-status	Published

Abstract:

The Poisoning Membership Inference Attack (PMIA) is a newly emerging privacy attack that poses a significant threat to federated learning (FL). An adversary conducts data poisoning (i.e., performing adversarial manipulations on training examples) to extract membership information by exploiting the changes in loss resulting from data poisoning. The PMIA significantly exacerbates the traditional poisoning attack that is primarily focused on model corruption. However, there has been a lack of a comprehensive systematic study that thoroughly investigates this topic. In this work, we conduct a benchmark evaluation to assess the performance of PMIA against the Byzantine-robust FL setting that is specifically designed to mitigate poisoning attacks. We find that all existing coordinate-wise averaging mechanisms fail to defend against the PMIA, while the detect-then-drop strategy was proven to be effective in most cases, implying that the poison injection is memorized and the poisonous effect rarely dissipates. Inspired by this observation, we propose AgrEvader, a PMIA that maximizes the adversarial impact on the victim samples while circumventing the detection by Byzantine-robust mechanisms. AgrEvader significantly outperforms existing PMIAs. For instance, AgrEvader achieved a high attack accuracy of between 72.78% (on CIFAR-10) to 97.80% (on Texas100), which is an average accuracy increase of 13.89% compared to the strongest PMIA reported in the literature. We evaluated AgrEvader on five datasets across different domains, against a comprehensive list of threat models, which included black-box, gray-box and white-box models for targeted and non-targeted scenarios. AgrEvader demonstrated consistent high accuracy across all settings tested. The code is available at: https://github.com/PrivSecML/AgrEvader.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/175180