LG | AI | Mar 1, 2021

Adversarial training in communication constrained federated learning

arXiv:2103.01319v1 | 45 citations
Originality: Incremental advance
AI Analysis

This paper addresses the vulnerability of federated learning models to adversarial attacks, which is critical for privacy-preserving distributed AI systems, though it appears incremental because it adapts existing adversarial training methods to a federated setting.

The paper tackled the problem of adversarial training in federated learning with communication constraints and non-iid data, showing that standard adversarial training causes significant drops in natural and adversarial accuracies. It proposed FedDynAT, which improved natural and adversarial accuracies and reduced convergence time by mitigating model drift.

Federated learning enables model training over a distributed corpus of agent data. However, the trained model is vulnerable to adversarial examples, designed to elicit misclassification. We study the feasibility of using adversarial training (AT) in the federated learning setting. Furthermore, we do so assuming a fixed communication budget and non-iid data distribution between participating agents. We observe a significant drop in both natural and adversarial accuracies when AT is used in the federated setting as opposed to centralized training. We attribute this to the number of epochs of AT performed locally at the agents, which in turn affects (i) drift between local models; and (ii) convergence time (measured in number of communication rounds). Towards this end, we propose FedDynAT, a novel algorithm for performing AT in the federated setting. Through extensive experimentation we show that FedDynAT significantly improves both natural and adversarial accuracy, as well as model convergence time by reducing the model drift.
