Kolloquium WiSe 2022/23

In this talk, I will describe security risks in two prominent distributed Machine Learning systems: Multi-Discriminator Generative Adversarial Networks (MD-GANs) and Federated Learning (FL). In particular, we explore how attacks can be executed by parties that do not have data that they can leverage for an attack.

In MD-GANs, we focus on free-riding behavior, i.e., nodes that want to benefit from the machine learning without contributing resources, and find that even a relatively low number of free-riders can reduce the performance by using random instead of properly trained models. Consequently, we define two defenses that detect free-riders by either clustering models, with free-riders corresponding to one cluster and honest peers to the other, or detecting free-riders as outliers.

Now, free-riders do not actively aim to degrade the trained model. In contrast, untargeted attacks have the goal of reducing model accuracy. Previous attacks require access to data or models of benign clients to perform a successful attack. We show on the example of FL that it is not necessary to have raw data. Rather, an attacker can generate synthetic data based on the global model updates everyone has access to and then manipulate the data such that it degrades the resulting model. Our experiments indicate that the attack can in many cases even be more severe than one that relies on real data, even in the presence of state-of-the-art defenses. However, our attack leads to local models that are biased or exhibit low prediction confidence. Consequently, we design REFD, a defense specifically crafted to protect against data-free attacks. REFD leverages a reference dataset to detect updates that are biased or have a low confidence..