Beyond Data Poisoning in Federated Learning
18 Pages Posted: 3 Apr 2023
Abstract
Federated learning (FL) has emerged as a promising privacy-preserving solution that facilitates collaborative learning. However, FL is also vulnerable to poisoning attacks, as it has no control over the participants' behavior. Machine learning (ML) models are heavily trained for low generalization errors. Generative models learn the patterns in the input data to discover out-of-distribution samples, which can be used to poison the model and degrade its performance. This paper proposes a novel approach to generating poisoned (adversarial) samples using hyperdimensional computing (HDC): it projects an input sample into a large HD space and perturbs it in the vicinity of the target class's HDC model. This perturbation preserves the semantics of the original sample and adds a hidden backdoor/noise into it. It generates a large set of adversarial samples, equal in size to the HD space. It is observed that 60-70% of the generated samples are successfully misclassified by a trained ML model. These samples are used by the adversary to frame data poisoning attacks, called the hyperdimensional data poisoning attack (HDPA). HDPA increases the attack impact by 5-10× compared with existing poisoning attacks against byzantine-robust defenses. Further, we propose a hyperdimension-based confidence metric (HDBC) to check the conformance of the model, which requires neither access to an ML model nor any additional calibration.
Keywords: Federated learning, Adversarial Samples, Hyperdimensional computing, Data Poisoning
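The abstract describes two HDC building blocks: projecting an input into a large HD space and comparing it against per-class HDC models, and a confidence metric that judges a sample's conformance without access to the ML model. The block below is an added illustration from the editor, not the paper's code and not its HDBC definition: it uses a random-projection encoder, bundles training samples into one class hypervector per label, and scores a sample by the cosine-similarity margin between the nearest and second-nearest class model. The dimension, the toy feature count and the two-cluster dataset are constructed assumptions; the point is that an in-distribution sample scores a high margin while a sample that sits between classes (the kind of out-of-distribution input a poisoner would want to slip in) scores close to zero and can be flagged before it reaches training.

```python
import math
import random

D = 4096          # size of the HD space (assumed value for the illustration)
N_FEATURES = 8    # toy feature count (constructed)
rng = random.Random(7)

# Random projection: each hyperdimension is a random linear combination of
# the input features; the sign of the projection yields a bipolar (+1/-1) bit.
PROJECTION = [[rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)] for _ in range(D)]


def encode(x):
    """Project a feature vector into the HD space as a bipolar hypervector."""
    return [1 if sum(p * xi for p, xi in zip(row, x)) >= 0 else -1
            for row in PROJECTION]


def cosine(a, b):
    """Cosine similarity between two (integer) hypervectors."""
    dot = sum(ai * bi for ai, bi in zip(a, b))
    na = math.sqrt(sum(ai * ai for ai in a))
    nb = math.sqrt(sum(bi * bi for bi in b))
    return dot / (na * nb)


def build_class_models(samples, labels):
    """Bundle (element-wise sum) the hypervectors of each class into one prototype."""
    models = {}
    for x, y in zip(samples, labels):
        h = encode(x)
        acc = models.setdefault(y, [0] * D)
        for i, bit in enumerate(h):
            acc[i] += bit
    return models


def hd_confidence(x, models):
    """Return (predicted_class, margin).

    margin is half the gap between the best and second-best cosine similarity
    to the class prototypes, so it lies in [0, 1]. A low margin means the
    sample is about equally (dis)similar to every class, i.e. it does not
    conform to any of them. This is an assumed generic HDC score, not HDBC.
    """
    h = encode(x)
    sims = sorted(((cosine(h, m), c) for c, m in models.items()), reverse=True)
    (s1, c1), (s2, _) = sims[0], sims[1]
    return c1, (s1 - s2) / 2.0


def make_dataset(n_per_class, noise=0.3):
    """Constructed toy data: class 0 centred at +3, class 1 at -3 on every feature."""
    xs, ys = [], []
    for label, centre in ((0, 3.0), (1, -3.0)):
        for _ in range(n_per_class):
            xs.append([centre + rng.gauss(0.0, noise) for _ in range(N_FEATURES)])
            ys.append(label)
    return xs, ys


def demo(threshold=0.3):
    """Score one in-distribution and one between-class sample; flag low margins."""
    xs, ys = make_dataset(50)
    models = build_class_models(xs, ys)
    in_dist = [3.0 + rng.gauss(0.0, 0.3) for _ in range(N_FEATURES)]
    # Constructed out-of-distribution sample: half class-0-like, half class-1-like.
    ood = [3.0] * (N_FEATURES // 2) + [-3.0] * (N_FEATURES // 2)
    pred_in, margin_in = hd_confidence(in_dist, models)
    pred_ood, margin_ood = hd_confidence(ood, models)
    return {
        "in_dist": (pred_in, round(margin_in, 3), margin_in >= threshold),
        "ood": (pred_ood, round(margin_ood, 3), margin_ood >= threshold),
    }


if __name__ == "__main__":
    for name, (pred, margin, accepted) in demo().items():
        print(f"{name}: class={pred} margin={margin} accepted={accepted}")
```

The acceptance threshold is a free parameter here; in a federated setting a client or aggregator could apply such a margin check to incoming samples or updates without ever loading the global ML model, which is the property the abstract claims for HDBC.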