Attack and rebuild: greedy attackers in federated learning using gradient projection

Federated learning, in which multiple clients learn a common model by sharing only model updates rather than data, is increasingly used for collaboration between organizations or businesses because it can resolve legal and ethical issues related to privacy. However, because clients cannot inspect each other's data, it is difficult to check whether some clients are attackers. Accordingly, various attack methods that damage the global model have been proposed. We propose the concept of a greedy attacker, who wants to obtain a good model while harming other clients by attacking the global model in federated learning. Because federated learning by design transmits the same global model to all clients, a greedy attacker needs a new way to circumvent the tainted global model and obtain a good model of their own. We propose an attack and rebuild method using gradient projection as a method by which greedy attackers can achieve these two goals in a federated learning environment. The greedy attacker not only conducts an existing poisoning attack, but also infers the contributions of other clients from the damaged model and transforms them through gradient projection; the result is used to rebuild an undamaged model that performs better than both the damaged model and the model trained only by attackers. In image classification experiments in various settings, the rebuilt model achieved up to 94.4% of the performance of the Oracle model, which can be created by the cooperation of all participants, and up to 57.8% higher performance than the damaged model.
Advisors
Yi, Yung (이융)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2020
Identifier
325007
Language
eng
Description

Thesis (Master's) - Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering, 2020.8, [iii, 18 p.]

Keywords

Federated learning; Adversarial attack; Poisoning attack; Deep learning; Deep neural network

URI
http://hdl.handle.net/10203/285051
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=925215&flag=dissertation
Appears in Collection
EE-Theses_Master (Master's Theses)
Files in This Item
There are no files associated with this item.
