Paper Digest | Federated Learning x AAAI'2023 (Part 2)

白小鱼 隐私计算研习社 2024-01-09

 

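This article is a collection, compiled by the blogger 白小鱼, of the federated-learning papers from the AAAI 2023 conference together with their abstracts. For the first part of the AAAI 2023 collection, see Paper Digest | Federated Learning x AAAI'2023 (Part 1).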







Securing Secure Aggregation: Mitigating Multi-Round Privacy Leakage in Federated Learning

  • Authors: Jinhyun So; Ramy E. Ali; Başak Güler; Jiantao Jiao; A. Salman Avestimehr

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/26177


Abstract: Secure aggregation is a critical component in federated learning (FL), which enables the server to learn the aggregate model of the users without observing their local models. Conventionally, secure aggregation algorithms focus only on ensuring the privacy of individual users in a single training round. We contend that such designs can lead to significant privacy leakages over multiple training rounds, due to partial user selection/participation at each round of FL. In fact, we show that the conventional random user selection strategies in FL lead to leaking users' individual models within number of rounds that is linear in the number of users. To address this challenge, we introduce a secure aggregation framework, Multi-RoundSecAgg, with multi-round privacy guarantees. In particular, we introduce a new metric to quantify the privacy guarantees of FL over multiple training rounds, and develop a structured user selection strategy that guarantees the long-term privacy of each user (over any number of training rounds). Our framework also carefully accounts for the fairness and the average number of participating users at each round. Our experiments on MNIST, CIFAR-10 and CIFAR-100 datasets in the IID and the non-IID settings demonstrate the performance improvement over the baselines, both in terms of privacy protection and test accuracy.




Notes:

[PDF](https://arxiv.org/abs/2106.03328) 

[Video](https://slideslive.com/38960185/securing-secure-aggregation-mitigating-multiround-privacy-leakage-in-federated-learning) 

[code](https://openreview.net/attachment?id=nVV6S2sb_UL&name=supplementary_material)








FedMDFG: Federated Learning with Multi-Gradient Descent and Fair Guidance

  • Authors: Zibin Pan; Shuyi Wang; Chi Li; Haijin Wang; Xiaoying Tang; Junhua Zhao

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/26122


Abstract: Fairness has been considered as a critical problem in federated learning (FL). In this work, we analyze two direct causes of unfairness in FL - an unfair direction and an improper step size when updating the model. To solve these issues, we introduce an effective way to measure fairness of the model through the cosine similarity, and then propose a federated multiple gradient descent algorithm with fair guidance (FedMDFG) to drive the model fairer. We first convert FL into a multi-objective optimization problem (MOP) and design an advanced multiple gradient descent algorithm to calculate a fair descent direction by adding a fair-driven objective to MOP. A low-communication-cost line search strategy is then designed to find a better step size for the model update. We further show the theoretical analysis on how it can enhance fairness and guarantee the convergence. Finally, extensive experiments in several FL scenarios verify that FedMDFG is robust and outperforms the SOTA FL algorithms in convergence and fairness. The source code is available at https://github.com/zibinpan/FedMDFG.









Industry-Scale Orchestrated Federated Learning for Drug Discovery

  • Authors: Martijn Oldenhof; Gergely Ács; Balázs Pejó; Ansgar Schuffenhauer; Nicholas Holway; Noé Sturm; Arne Dieckmann; Oliver Fortmeier; Eric Boniface; Clément Mayer; Arnaud Gohier; Peter Schmidtke; Ritsuya Niwayama; Dieter Kopecky; Lewis Mervin; Prakash Chandra Rathi; Lukas Friedrich; András Formanek; Peter Antal; Jordon Rahaman; Adam Zalewski; Wouter Heyndrickx; Ezron Oluoch; Manuel Stößel; Michal Vančo; David Endico; Fabien Gelus; Thaïs de Boisfossé; Adrien Darbier; Ashley Nicollet; Matthieu Blottière; Maria Telenczuk; Van Tien Nguyen; Thibaud Martinez; Camille Boillet; Kelvin Moutet; Alexandre Picosson; Aurélien Gasser; Inal Djafar; Antoine Simon; Ádám Arany; Jaak Simm; Yves Moreau; Ola Engkvist; Hugo Ceulemans; Camille Marini; Mathieu Galtier

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/26847


Abstract:  To apply federated learning to drug discovery we developed a novel platform in the context of European Innovative Medicines Initiative (IMI) project MELLODDY (grant n°831472), which was comprised of 10 pharmaceutical companies, academic research labs, large industrial companies and startups. The MELLODDY platform was the first industry-scale platform to enable the creation of a global federated model for drug discovery without sharing the confidential data sets of the individual partners. The federated model was trained on the platform by aggregating the gradients of all contributing partners in a cryptographic, secure way following each training iteration. The platform was deployed on an Amazon Web Services (AWS) multi-account architecture running Kubernetes clusters in private subnets. Organisationally, the roles of the different partners were codified as different rights and permissions on the platform and administrated in a decentralized way. The MELLODDY platform generated new scientific discoveries which are described in a companion paper.



Notes:

[PDF](https://arxiv.org/abs/2210.08871) 

[VIDEO](https://www.youtube.com/watch?v=J_RmZhKzBcA)







Poisoning with Cerberus: Stealthy and Colluded Backdoor Attack against Federated Learning


  • Authors: Xiaoting Lyu; Yufei Han; Wei Wang; Jingkai Liu; Bin Wang; Jiqiang Liu; Xiangliang Zhang

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/26083


Abstract:  Are Federated Learning (FL) systems free from backdoor poisoning with the arsenal of various defense strategies deployed? This is an intriguing problem with significant practical implications regarding the utility of FL services. Despite the recent flourish of poisoning-resilient FL methods, our study shows that carefully tuning the collusion between malicious participants can minimize the trigger-induced bias of the poisoned local model from the poison-free one, which plays the key role in delivering stealthy backdoor attacks and circumventing a wide spectrum of state-of-the-art defense methods in FL. In our work, we instantiate the attack strategy by proposing a distributed backdoor attack method, namely Cerberus Poisoning (CerP). It jointly tunes the backdoor trigger and controls the poisoned model changes on each malicious participant to achieve a stealthy yet successful backdoor attack against a wide spectrum of defensive mechanisms of federated learning techniques. Our extensive study on 3 large-scale benchmark datasets and 13 mainstream defensive mechanisms confirms that Cerberus Poisoning raises a significantly severe threat to the integrity and security of federated learning practices, regardless of the flourish of robust Federated Learning methods.










Echo of Neighbors: Privacy Amplification for Personalized Private Federated Learning with Shuffle Model

  • Authors: Yixuan Liu; Suyun Zhao; Li Xiong; Yuhan Liu; Hong Chen

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/26400


Abstract:  Federated Learning, as a popular paradigm for collaborative training, is vulnerable against privacy attacks. Different privacy levels regarding users' attitudes need to be satisfied locally, while a strict privacy guarantee for the global model is also required centrally. Personalized Local Differential Privacy (PLDP) is suitable for preserving users' varying local privacy, yet only provides a central privacy guarantee equivalent to the worst-case local privacy level. Thus, achieving strong central privacy as well as personalized local privacy with a utility-promising model is a challenging problem. In this work, a general framework (APES) is built up to strengthen model privacy under personalized local privacy by leveraging the privacy amplification effect of the shuffle model. To tighten the privacy bound, we quantify the heterogeneous contributions to the central privacy user by user. The contributions are characterized by the ability of generating “echos” from the perturbation of each user, which is carefully measured by proposed methods Neighbor Divergence and Clip-Laplace Mechanism. Furthermore, we propose a refined framework (S-APES) with the post-sparsification technique to reduce privacy loss in high-dimension scenarios. To the best of our knowledge, the impact of shuffling on personalized local privacy is considered for the first time. We provide a strong privacy amplification effect, and the bound is tighter than the baseline result based on existing methods for uniform local privacy. Experiments demonstrate that our frameworks ensure comparable or higher accuracy for the global model.











Layer-Wise Adaptive Model Aggregation for Scalable Federated Learning

  • Authors: Sunwoo Lee; Tuo Zhang; A. Salman Avestimehr

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/26023


Abstract:  In Federated Learning (FL), a common approach for aggregating local solutions across clients is periodic full model averaging. It is, however, known that different layers of neural networks can have a different degree of model discrepancy across the clients. The conventional full aggregation scheme does not consider such a difference and synchronizes the whole model parameters at once, resulting in inefficient network bandwidth consumption. Aggregating the parameters that are similar across the clients does not make meaningful training progress while increasing the communication cost. We propose FedLAMA, a layer-wise adaptive model aggregation scheme for scalable FL. FedLAMA adjusts the aggregation interval in a layer-wise manner, jointly considering the model discrepancy and the communication cost. This fine-grained aggregation strategy enables to reduce the communication cost without significantly harming the model accuracy. Our extensive empirical study shows that, as the aggregation interval increases, FedLAMA shows a remarkably smaller accuracy drop than the periodic full aggregation, while achieving comparable communication efficiency.










Almost Cost-Free Communication in Federated Best Arm Identification

  • Authors: Srinivas Reddy Kota; P. N. Karthik; Vincent Y. F. Tan

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/26010


Abstract:  We study the problem of best arm identification in a federated learning multi-armed bandit setup with a central server and multiple clients. Each client is associated with a multi-armed bandit in which each arm yields i.i.d. rewards following a Gaussian distribution with an unknown mean and known variance. The set of arms is assumed to be the same at all the clients. We define two notions of best arm local and global. The local best arm at a client is the arm with the largest mean among the arms local to the client, whereas the global best arm is the arm with the largest average mean across all the clients. We assume that each client can only observe the rewards from its local arms and thereby estimate its local best arm. The clients communicate with a central server on uplinks that entail a cost of C>=0 units per usage per uplink. The global best arm is estimated at the server. The goal is to identify the local best arms and the global best arm with minimal total cost, defined as the sum of the total number of arm selections at all the clients and the total communication cost, subject to an upper bound on the error probability. We propose a novel algorithm FedElim that is based on successive elimination and communicates only in exponential time steps and obtain a high probability instance-dependent upper bound on its total cost. The key takeaway from our paper is that for any C>=0 and error probabilities sufficiently small, the total number of arm selections (resp. the total cost) under FedElim is at most 2 (resp. 3) times the maximum total number of arm selections under its variant that communicates in every time step. Additionally, we show that the latter is optimal in expectation up to a constant factor, thereby demonstrating that communication is almost cost-free in FedElim. We numerically validate the efficacy of FedElim on two synthetic datasets and the MovieLens dataset.




Notes:

[PDF](https://arxiv.org/abs/2208.09215)








Incentive-Boosted Federated Crowdsourcing

  • Authors: Xiangping Kang; Guoxian Yu; Jun Wang; Wei Guo; Carlotta Domeniconi; Jinglin Zhang

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/25744


Abstract:

Crowdsourcing is a favorable computing paradigm for processing computer-hard tasks by harnessing human intelligence. However, generic crowdsourcing systems may lead to privacy-leakage through the sharing of worker data. To tackle this problem, we propose a novel approach, called iFedCrowd (incentive-boosted Federated Crowdsourcing), to manage the privacy and quality of crowdsourcing projects. iFedCrowd allows participants to locally process sensitive data and only upload encrypted training models, and then aggregates the model parameters to build a shared server model to protect data privacy. To motivate workers to build a high-quality global model in an efficacy way, we introduce an incentive mechanism that encourages workers to constantly collect fresh data to train accurate client models and boosts the global model training. We model the incentive-based interaction between the crowdsourcing platform and participating workers as a Stackelberg game, in which each side maximizes its own profit. We derive the Nash Equilibrium of the game to find the optimal solutions for the two sides. Experimental results confirm that iFedCrowd can complete secure crowdsourcing projects with high quality and efficiency.









Complement Sparsification: Low-Overhead Model Pruning for Federated Learning

  • Authors: Xiaopeng Jiang; Cristian Borcea

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/25977


Abstract: Federated Learning (FL) is a privacy-preserving distributed deep learning paradigm that involves substantial communication and computation effort, which is a problem for resource-constrained mobile and IoT devices. Model pruning/sparsification develops sparse models that could solve this problem, but existing sparsification solutions cannot satisfy at the same time the requirements for low bidirectional communication overhead between the server and the clients, low computation overhead at the clients, and good model accuracy, under the FL assumption that the server does not have access to raw data to fine-tune the pruned models. We propose Complement Sparsification (CS), a pruning mechanism that satisfies all these requirements through a complementary and collaborative pruning done at the server and the clients. At each round, CS creates a global sparse model that contains the weights that capture the general data distribution of all clients, while the clients create local sparse models with the weights pruned from the global model to capture the local trends. For improved model performance, these two types of complementary sparse models are aggregated into a dense model in each round, which is subsequently pruned in an iterative process. CS requires little computation overhead on the top of vanilla FL for both the server and the clients. We demonstrate that CS is an approximation of vanilla FL and, thus, its models perform well. We evaluate CS experimentally with two popular FL benchmark datasets. CS achieves substantial reduction in bidirectional communication, while achieving performance comparable with vanilla FL. In addition, CS outperforms baseline pruning mechanisms for FL.










Federated Robustness Propagation: Sharing Adversarial Robustness in Heterogeneous Federated Learning

  • Authors: Junyuan Hong; Haotao Wang; Zhangyang Wang; Jiayu Zhou

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/25955


Abstract:  Federated learning (FL) emerges as a popular distributed learning schema that learns a model from a set of participating users without sharing raw data. One major challenge of FL comes with heterogeneous users, who may have distributionally different (or non-iid) data and varying computation resources. As federated users would use the model for prediction, they often demand the trained model to be robust against malicious attackers at test time. Whereas adversarial training (AT) provides a sound solution for centralized learning, extending its usage for federated users has imposed significant challenges, as many users may have very limited training data and tight computational budgets, to afford the data-hungry and costly AT. In this paper, we study a novel FL strategy: propagating adversarial robustness from rich-resource users that can afford AT, to those with poor resources that cannot afford it, during federated learning. We show that existing FL techniques cannot be effectively integrated with the strategy to propagate robustness among non-iid users and propose an efficient propagation approach by the proper use of batch-normalization. We demonstrate the rationality and effectiveness of our method through extensive experiments. Especially, the proposed method is shown to grant federated models remarkable robustness even when only a small portion of users afford AT during learning. Source code can be accessed at https://github.com/illidanlab/FedRBN.










On the Vulnerability of Backdoor Defenses for Federated Learning

  • Authors: Pei Fang; Jinghui Chen

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/26393


Abstract: Federated learning (FL) is a popular distributed machine learning paradigm which enables jointly training a global model without sharing clients' data. However, its repetitive server-client communication gives room for possible backdoor attacks which aims to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack framework for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of several recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.




Notes:

[PDF](https://arxiv.org/abs/2301.08170) 

[code](https://github.com/jinghuichen/focused-flip-federated-backdoor-attack)








FairFed: Enabling Group Fairness in Federated Learning

  • Authors: Yahya H. Ezzeldin; Shen Yan; Chaoyang He; Emilio Ferrara; A. Salman Avestimehr

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/25911


Abstract:  Training ML models which are fair across different demographic groups is of critical importance due to the increased integration of ML in crucial decision-making scenarios such as healthcare and recruitment. Federated learning has been viewed as a promising solution for collaboratively training machine learning models among multiple parties while maintaining their local data privacy. However, federated learning also poses new challenges in mitigating the potential bias against certain populations (e.g., demographic groups), as this typically requires centralized access to the sensitive information (e.g., race, gender) of each datapoint. Motivated by the importance and challenges of group fairness in federated learning, in this work, we propose FairFed, a novel algorithm for fairness-aware aggregation to enhance group fairness in federated learning. Our proposed approach is server-side and agnostic to the applied local debiasing thus allowing for flexible use of different local debiasing methods across clients. We evaluate FairFed empirically versus common baselines for fair ML and federated learning and demonstrate that it provides fairer models, particularly under highly heterogeneous data distributions across clients. We also demonstrate the benefits of FairFed in scenarios involving naturally distributed real-life data collected from different geographical locations or departments within an organization.




Notes:

[PDF](https://arxiv.org/abs/2110.00857) 

[Commentary](https://zhuanlan.zhihu.com/p/613201113)








Tackling Data Heterogeneity in Federated Learning with Class Prototypes

  • Authors: Yutong Dai; Zeyuan Chen; Junnan Li; Shelby Heinecke; Lichao Sun; Ran Xu

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/25891


Abstract: Data heterogeneity across clients in federated learning (FL) settings is a widely acknowledged challenge. In response, personalized federated learning (PFL) emerged as a framework to curate local models for clients' tasks. In PFL, a common strategy is to develop local and global models jointly - the global model (for generalization) informs the local models, and the local models (for personalization) are aggregated to update the global model. A key observation is that if we can improve the generalization ability of local models, then we can improve the generalization of global models, which in turn builds better personalized models. In this work, we consider class imbalance, an overlooked type of data heterogeneity, in the classification setting. We propose FedNH, a novel method that improves the local models' performance for both personalization and generalization by combining the uniformity and semantics of class prototypes. FedNH initially distributes class prototypes uniformly in the latent space and smoothly infuses the class semantics into class prototypes. We show that imposing uniformity helps to combat prototype collapse while infusing class semantics improves local models. Extensive experiments were conducted on popular classification datasets under the cross-device setting. Our results demonstrate the effectiveness and stability of our method over recent works.




Notes:

[PDF](https://arxiv.org/abs/2212.02758) 

[code](https://github.com/yutong-dai/fednh)








Efficient Training of Large-Scale Industrial Fault Diagnostic Models through Federated Opportunistic Block Dropout

  • Authors: Yuanyuan Chen; Zichen Chen; Sheng Guo; Yansong Zhao; Zelei Liu; Pengcheng Wu; Chengyi Yang; Zengxiang Li; Han Yu

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/26836


Abstract:  Artificial intelligence (AI)-empowered industrial fault diagnostics is important in ensuring the safe operation of industrial applications. Since complex industrial systems often involve multiple industrial plants (possibly belonging to different companies or subsidiaries) with sensitive data collected and stored in a distributed manner, collaborative fault diagnostic model training often needs to leverage federated learning (FL). As the scale of the industrial fault diagnostic models are often large and communication channels in such systems are often not exclusively used for FL model training, existing deployed FL model training frameworks cannot train such models efficiently across multiple institutions. In this paper, we report our experience developing and deploying the Federated Opportunistic Block Dropout (FedOBD) approach for industrial fault diagnostic model training. By decomposing large-scale models into semantic blocks and enabling FL participants to opportunistically upload selected important blocks in a quantized manner, it significantly reduces the communication overhead while maintaining model performance. Since its deployment in ENN Group in February 2022, FedOBD has served two coal chemical plants across two cities in China to build industrial fault prediction models. It helped the company reduce the training communication overhead by over 70% compared to its previous AI Engine, while maintaining model performance at over 85% test F1 score. To our knowledge, it is the first successfully deployed dropout-based FL approach.




Notes:

[PDF](https://arxiv.org/abs/2302.11485)








Win-Win: A Privacy-Preserving Federated Framework for Dual-Target Cross-Domain Recommendation

  • Authors: Gaode Chen; Xinghua Zhang; Yijun Su; Yantong Lai; Ji Xiang; Junbo Zhang; Yu Zheng

  • Journal: Proceedings of the AAAI Conference on Artificial Intelligence

  • Url: https://ojs.aaai.org/index.php/AAAI/article/view/25531


Abstract:  Cross-domain recommendation (CDR) aims to alleviate the data sparsity by transferring knowledge from an informative source domain to the target domain, which inevitably proposes stern challenges to data privacy and transferability during the transfer process. A small amount of recent CDR works have investigated privacy protection, while they still suffer from satisfying practical requirements (e.g., limited privacy-preserving ability) and preventing the potential risk of negative transfer. To address the above challenging problems, we propose a novel and unified privacy-preserving federated framework for dual-target CDR, namely P2FCDR. We design P2FCDR as peer-to-peer federated network architecture to ensure the local data storage and privacy protection of business partners. Specifically, for the special knowledge transfer process in CDR under federated settings, we initialize an optimizable orthogonal mapping matrix to learn the embedding transformation across domains and adopt the local differential privacy technique on the transformed embedding before exchanging across domains, which provides more reliable privacy protection. Furthermore, we exploit the similarity between in-domain and cross-domain embedding, and develop a gated selecting vector to refine the information fusion for more accurate dual transfer. Extensive experiments on three real-world datasets demonstrate that P2FCDR significantly outperforms the state-of-the-art methods and effectively protects data privacy.










Project link: https://github.com/youngfish42/Awesome-FL

Author: 白小鱼 (PhD student, Department of Computer Science, Shanghai Jiao Tong University)

