Investigating adversarial attacks and defences in federated learning.

研究联邦学习中的对抗性攻击和防御。

• 批准号: 2554063
• 金额: --
• 依托单位: King's College London
• 依托单位国家: 英国
• 项目类别: Studentship
• 财政年份: 2021
• 资助国家: 英国
• 起止时间: 2021 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=studentship-2554063
• 关键词: Investigating; adversarial; attacks; defences; federated

My research focuses on adversarial attacks and defences in federated learning and how they compare to those in the general ML domain.As for adversarial attacks, federated learning introduces new attack surfaces such as allowing whitebox access to local models on clients, thus facilitating various attacks such as poisoning at training time and evasion at inference time. Of particular interest in federated learning settings is "model poisoning" which is a bigger threat than the traditional "data poisoning" attacks since an adversary can submit arbitrary updates to directly influence the global model. Another category of attacks targets the privacy/confidentiality of models, participants, or training data in FL settings.Several defences have been proposed to defend against the various types of attacks. Example defences include robust aggregation methods, anomaly detection techniques, and differential privacy. Many of these methods were shown to be ineffective or easily circumventable, and some were shown to provide some mitigation but at the expense of model performance.The research focus is to investigate ways to improve FL robustness to adversarial attacks (primarily poisoning) without harming model performance and while taking into account the non-IID nature of data and participants.

我的研究重点是联邦学习中的对抗性攻击和防御，以及它们与一般ML领域中的对抗性攻击的比较。至于对抗性攻击，联邦学习引入了新的攻击面，例如允许白盒访问客户端上的本地模型，从而促进了各种攻击，例如在训练时中毒和在推理时逃避。在联邦学习环境中特别感兴趣的是“模型中毒”，这是一个比传统的“数据中毒”攻击更大的威胁，因为对手可以提交任意更新来直接影响全局模型。另一类攻击针对FL设置中模型、参与者或训练数据的隐私/机密性。已经提出了几种防御措施来防御各种类型的攻击。示例防御包括鲁棒聚合方法、异常检测技术和差异隐私。这些方法中的许多被证明是无效的或容易规避的，有些被证明可以提供一些缓解，但以牺牲模型性能为代价。研究的重点是研究如何提高FL对对抗性攻击（主要是中毒）的鲁棒性，而不会损害模型性能，同时考虑到数据和参与者的非IID性质。