Colloquium: Data-Free Attacks and Defenses for Distributed ML
SPEAKER: Stefanie Roos (University of Kaiserslautern-Landau, Germany, and TU Delft, Netherlands)
In this talk, I will describe security risks in two prominent distributed Machine Learning systems: Multi-Discriminator Generative Adversarial Networks (MD-GANs) and Federated Learning (FL). In particular, we explore how attacks can be executed by parties that have no data of their own to leverage for an attack.
In MD-GANs, we focus on free-riding behavior, i.e., nodes that want to benefit from the machine learning without contributing resources, and find that even a relatively low number of free-riders can reduce performance by submitting random rather than properly trained models. Consequently, we define two defenses that detect free-riders either by clustering models, with free-riders corresponding to one cluster and honest peers to the other, or by detecting free-riders as outliers.
Now, free-riders do not actively aim to degrade the trained model. In contrast, untargeted attacks have the goal of reducing model accuracy. Previous attacks require access to data or models of benign clients to succeed. Using FL as an example, we show that raw data is not necessary. Rather, an attacker can generate synthetic data based on the global model updates everyone has access to and then manipulate that data such that it degrades the resulting model. Our experiments indicate that the attack can in many cases be even more severe than one that relies on real data, even in the presence of state-of-the-art defenses. However, our attack leads to local models that are biased or exhibit low prediction confidence. Consequently, we design REFD, a defense specifically crafted to protect against data-free attacks. REFD leverages a reference dataset to detect updates that are biased or have low confidence.
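To make the two REFD signals concrete, here is an added toy illustration (not code from the talk or the REFD authors) of a server-side screen that runs each client's local model over a small reference set and rejects updates whose predictions are low-confidence or collapse onto one class. The reference set, the linear softmax models and the thresholds are constructed assumptions; the actual REFD metrics and thresholds are not given on this page.

```python
import math
from statistics import mean

# Constructed reference set: 2-D features with 3 classes. Only the inputs are
# needed for the two checks below; labels are kept for readability.
REFERENCE = [
    ((1.0, 0.0), 0), ((0.9, 0.1), 0),
    ((0.0, 1.0), 1), ((0.1, 0.9), 1),
    ((-1.0, -1.0), 2), ((-0.9, -1.1), 2),
]

def softmax(logits):
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]

def predict(weights, x):
    """Linear softmax model: one row per class over (features..., bias term)."""
    aug = list(x) + [1.0]
    return softmax([sum(w * v for w, v in zip(row, aug)) for row in weights])

def screen_update(weights, reference, min_conf=0.6, max_class_share=0.8):
    """REFD-style screen (assumed thresholds). Returns (accepted, reason, stats).

    A local model is rejected when its mean top-class probability on the
    reference set is low, or when one class absorbs most of its predictions.
    """
    probs = [predict(weights, x) for x, _ in reference]
    conf = mean(max(p) for p in probs)
    counts = {}
    for p in probs:
        c = p.index(max(p))
        counts[c] = counts.get(c, 0) + 1
    share = max(counts.values()) / len(reference)
    if conf < min_conf:
        return False, "low_confidence", (conf, share)
    if share > max_class_share:
        return False, "biased", (conf, share)
    return True, "ok", (conf, share)

# Constructed local models: a well-trained one, a near-random one (low
# confidence everywhere) and one whose bias term forces class 0 on every input.
HONEST = [[4.0, 0.0, 0.0], [0.0, 4.0, 0.0], [-3.0, -3.0, 0.0]]
NEAR_RANDOM = [[0.1, 0.0, 0.0], [0.0, 0.1, 0.0], [-0.1, -0.1, 0.0]]
COLLAPSED = [[0.0, 0.0, 5.0], [0.0, 0.0, 0.0], [0.0, 0.0, 0.0]]

if __name__ == "__main__":
    for name, model in [("honest", HONEST), ("near_random", NEAR_RANDOM), ("collapsed", COLLAPSED)]:
        print(name, screen_update(model, REFERENCE))
```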
Stefanie Roos has been a professor at the University of Kaiserslautern-Landau since April 2023 and is a visiting assistant professor at TU Delft. She focuses on security and privacy in decentralized systems, including topics such as anonymity, censorship resistance, blockchains, and distributed machine learning. She is one of the developers of SpeedyMurmurs, a local routing protocol for payment channel networks, and her work has led to improvements to Freenet, an anonymous and censorship-resistant publication system. Before April 2023, she was an assistant professor at TU Delft and a post-doctoral researcher at the University of Waterloo. She obtained her PhD from TU Dresden in 2016.
Everybody is welcome, and attending this colloquium earns Ph.D. students points for the course "Computer Science Colloquium" (7DAV001).