CR, CV, LG | Mar 21, 2023

STDLens: Model Hijacking-Resilient Federated Learning for Object Detection

Georgia Tech
arXiv:2303.11511v3 | 13 citations | h-index: 26
Originality: Incremental advance
AI Analysis

This addresses security vulnerabilities in federated learning for object detection, which is critical for applications like autonomous vehicles, but it is an incremental improvement over prior mitigation mechanisms.

The paper tackles the problem of model hijacking attacks in federated learning for object detection, where attackers implant Trojaned gradients via compromised clients, and introduces STDLens, a forensic framework that identifies and expels these gradients, achieving significantly higher precision and lower false-positive rates than existing methods.

Federated Learning (FL) has been gaining popularity as a collaborative learning framework to train deep learning-based object detection models over a distributed population of clients. Despite its advantages, FL is vulnerable to model hijacking. The attacker can control how the object detection system should misbehave by implanting Trojaned gradients using only a small number of compromised clients in the collaborative learning process. This paper introduces STDLens, a principled approach to safeguarding FL against such attacks. We first investigate existing mitigation mechanisms and analyze their failures caused by the inherent errors in spatial clustering analysis on gradients. Based on the insights, we introduce a three-tier forensic framework to identify and expel Trojaned gradients and reclaim the performance over the course of FL. We consider three types of adaptive attacks and demonstrate the robustness of STDLens against advanced adversaries. Extensive experiments show that STDLens can protect FL against different model hijacking attacks and outperform existing methods in identifying and removing Trojaned gradients with significantly higher precision and much lower false-positive rates.

Code Implementations: 1 repo