Cluster-based scoring for malicious model detection in federated learning

dc.contributor: Graduate program in Computer Engineering.
dc.contributor.advisor: Yurdakul, Arda.
dc.contributor.author: Çağlayan, Cem.
dc.date.accessioned: 2025-04-14T12:09:54Z
dc.date.available: 2025-04-14T12:09:54Z
dc.date.issued: 2023
dc.description.abstract: Federated learning is a distributed machine learning technique aggregating every client model on a server to obtain a global model. However, some clients may harm the system by poisoning their model or data to make the global model irrelevant to its objective. This thesis introduces an approach for the server to detect adversarial models by coordinate-based statistical comparison and eliminate them from the system prior to aggregation. A new attack type, layer poisoning, where the malicious nodes prefer poisoning selected small-size layers of the model to deceive the detection system, is also introduced. Adaptive thresholding is adopted for preserving the robustness of the detection mechanism for various networks against different attack types. A simulation framework is developed to benchmark and realize tests as a distributed system. Experiments that use random sampling of independent and identically distributed (iid) datasets with different batch sizes have been carried out to show that the proposed method can identify the malicious nodes successfully even if some of the clients learn slower than others or send quantized model weights due to energy limitations. The proposed approach is extensively tested with malicious-benign client ratios, model types, and datasets to present its versatility. The results show that the proposed system successfully eliminates the malicious models when their generating clients constitute at most 45% of the network. Comparison with the approaches from the literature shows that the proposed method performs the same as or better than the state-of-the-art solutions.
dc.format.pages: xiii, 54 leaves
dc.identifier.other: Graduate program in Computer Engineering. TKL 2023 U68 PhD (Thes SOC 2023 S37
dc.identifier.uri: https://hdl.handle.net/20.500.14908/21514
dc.publisher: Thesis (M.S.) - Bogazici University. Institute for Graduate Studies in Science and Engineering, 2023.
dc.subject.lcsh: Computer communication systems.
dc.subject.lcsh: Software engineering.
dc.subject.lcsh: Machine learning.
dc.title: Cluster-based scoring for malicious model detection in federated learning

Files

Original bundle

Name: b2795930.038505.001.PDF
Size: 7 MB
Format: Adobe Portable Document Format
