MPAF: Model Poisoning Attacks to Federated Learning based on Fake Clients
This addresses security vulnerabilities in federated learning systems, particularly for applications involving millions of clients, though it is incremental as it builds on prior poisoning attacks.
The authors tackled the problem of model poisoning in federated learning by proposing MPAF, an attack that injects fake clients to send crafted updates, significantly reducing the global model's test accuracy even with existing defenses.
Existing model poisoning attacks to federated learning assume that an attacker has access to a large fraction of compromised genuine clients. However, such assumption is not realistic in production federated learning systems that involve millions of clients. In this work, we propose the first Model Poisoning Attack based on Fake clients called MPAF. Specifically, we assume the attacker injects fake clients to a federated learning system and sends carefully crafted fake local model updates to the cloud server during training, such that the learnt global model has low accuracy for many indiscriminate test inputs. Towards this goal, our attack drags the global model towards an attacker-chosen base model that has low accuracy. Specifically, in each round of federated learning, the fake clients craft fake local model updates that point to the base model and scale them up to amplify their impact before sending them to the cloud server. Our experiments show that MPAF can significantly decrease the test accuracy of the global model, even if classical defenses and norm clipping are adopted, highlighting the need for more advanced defenses.