FedGuard: A Diverse-Byzantine-Robust Mechanism for Federated Learning with Major Malicious Clients

Federated learning is a distributed training framework vulnerable to Byzantine attacks, particularly when over 50% of clients are malicious or when datasets are highly non-independent and identically distributed (non-IID). Additionally, most existing defense mechanisms are designed for specific attack types (e.g., gradient similarity-based schemes can only defend against outlier model poisoning), limiting their effectiveness. In response, we propose FedGuard, a novel federated learning mechanism. FedGuard cleverly addresses the aforementioned issues by leveraging the high sensitivity of membership inference to model bias. By requiring clients to include an additional mini-batch of server-specified data in their training, FedGuard can identify and exclude poisoned models, as their confidence in the mini-batch will drop significantly. Our comprehensive evaluation unequivocally shows that, under three highly non-IID datasets, with 90% of clients being Byzantine and seven different types of Byzantine attacks occurring in each round, FedGuard significantly outperforms existing robust federated learning schemes in mitigating various types of Byzantine attacks.

Key Contributions

• FedGuard leverages high sensitivity of membership inference to model bias — poisoned models lose confidence on server-specified mini-batches, enabling detection without relying on gradient similarity
• Demonstrated robustness against 7 concurrent Byzantine attack types with up to 90% malicious clients under highly non-IID data distributions
• Overcomes limitations of gradient similarity-based defenses (which fail against stealthy similarity attacks) and trusted-data defenses (which degrade above ~60% malicious clients)

🛡️ Threat Analysis

Details

Similar Papers