-
FreqFed: A Frequency Analysis-Based Approach for Mitigating Poisoning Attacks in Federated Learning
Authors:
Hossein Fereidooni,
Alessandro Pegoraro,
Phillip Rieger,
Alexandra Dmitrienko,
Ahmad-Reza Sadeghi
Abstract:
Federated learning (FL) is a collaborative learning paradigm allowing multiple clients to jointly train a model without sharing their training data. However, FL is susceptible to poisoning attacks, in which the adversary injects manipulated model updates into the federated model aggregation process to corrupt or destroy predictions (untargeted poisoning) or implant hidden functionalities (targeted poisoning or backdoors). Existing defenses against poisoning attacks in FL have several limitations, such as relying on specific assumptions about attack types and strategies or data distributions, or not being sufficiently robust against advanced injection techniques and strategies while simultaneously maintaining the utility of the aggregated model. To address the deficiencies of existing defenses, we take a generic and completely different approach to detect poisoning (targeted and untargeted) attacks. We present FreqFed, a novel aggregation mechanism that transforms the model updates (i.e., weights) into the frequency domain, where we can identify the core frequency components that inherit sufficient information about weights. This allows us to effectively filter out malicious updates during local training on the clients, regardless of attack types, strategies, and clients' data distributions. We extensively evaluate the efficiency and effectiveness of FreqFed in different application domains, including image classification, word prediction, IoT intrusion detection, and speech recognition. We demonstrate that FreqFed can mitigate poisoning attacks effectively with a negligible impact on the utility of the aggregated model.
Submitted 16 January, 2024; v1 submitted 7 December, 2023;
originally announced December 2023.
-
FLEDGE: Ledger-based Federated Learning Resilient to Inference and Backdoor Attacks
Authors:
Jorge Castillo,
Phillip Rieger,
Hossein Fereidooni,
Qian Chen,
Ahmad Sadeghi
Abstract:
Federated learning (FL) is a distributed learning process that uses a trusted aggregation server to allow multiple parties (or clients) to collaboratively train a machine learning model without having them share their private data. Recent research, however, has demonstrated the effectiveness of inference and poisoning attacks on FL. Mitigating both attacks simultaneously is very challenging. State-of-the-art solutions have proposed the use of poisoning defenses with Secure Multi-Party Computation (SMPC) and/or Differential Privacy (DP). However, these techniques are not efficient and fail to address the malicious intent behind the attacks, i.e., adversaries (curious servers and/or compromised clients) seek to exploit a system for monetization purposes. To overcome these limitations, we present a ledger-based FL framework known as FLEDGE that allows making parties accountable for their behavior and achieving reasonable efficiency for mitigating inference and poisoning attacks. Our solution leverages crypto-currency to increase party accountability by penalizing malicious behavior and rewarding benign conduct. We conduct an extensive evaluation on four public datasets: Reddit, MNIST, Fashion-MNIST, and CIFAR-10. Our experimental results demonstrate that (1) FLEDGE provides strong privacy guarantees for model updates without sacrificing model utility; (2) FLEDGE can successfully mitigate different poisoning attacks without degrading the performance of the global model; and (3) FLEDGE offers unique reward mechanisms to promote benign behavior during model training and/or model aggregation.
Submitted 3 October, 2023;
originally announced October 2023.
-
FLAIRS: FPGA-Accelerated Inference-Resistant & Secure Federated Learning
Authors:
Huimin Li,
Phillip Rieger,
Shaza Zeitouni,
Stjepan Picek,
Ahmad-Reza Sadeghi
Abstract:
Federated Learning (FL) has become very popular since it enables clients to train a joint model collaboratively without sharing their private data. However, FL has been shown to be susceptible to backdoor and inference attacks. While in the former the adversary injects manipulated updates into the aggregation process, the latter leverages clients' local models to deduce their private data. Contemporary solutions to address the security concerns of FL are either impractical for real-world deployment due to high performance overheads or are tailored towards addressing specific threats, for instance, privacy-preserving aggregation or backdoor defenses. Given these limitations, our research delves into the advantages of harnessing the FPGA-based computing paradigm to overcome performance bottlenecks of software-only solutions while mitigating backdoor and inference attacks. We utilize FPGA-based enclaves to address inference attacks during the aggregation process of FL. We adopt an advanced backdoor-aware aggregation algorithm on the FPGA to counter backdoor attacks. We implemented and evaluated our method on Xilinx VMK-180, yielding a significant speed-up of around 300 times on the IoT-Traffic dataset and more than 506 times on the CIFAR-10 dataset.
Submitted 1 August, 2023;
originally announced August 2023.
-
Defect-enhanced diffusion of magnetic skyrmions
Authors:
Philipp Rieger,
Markus Weißenhofer,
Ulrich Nowak
Abstract:
Defects, i.e. inhomogeneities of the underlying lattice, are ubiquitous in magnetic materials and can have a crucial impact on their applicability in spintronic devices. For magnetic skyrmions, localized and topologically non-trivial spin textures, they give rise to a spatially inhomogeneous energy landscape and can lead to pinning, resulting in an exponentially increased dwell time at certain positions and typically a strongly reduced mobility. Using atomistic spin dynamics simulations, we reveal that under certain conditions defects can instead enhance thermal diffusion of ferromagnetic skyrmions. By comparing with results for the diffusion of antiferromagnetic skyrmions and using a quasi-particle description based on the Thiele equation, we demonstrate that this surprising finding can be traced back to the partial lifting of the impact of the topological gyrocoupling, which governs the dynamics of ferromagnetic skyrmions in the absence of defects.
Submitted 25 April, 2023;
originally announced April 2023.
-
ARGUS: Context-Based Detection of Stealthy IoT Infiltration Attacks
Authors:
Phillip Rieger,
Marco Chilese,
Reham Mohamed,
Markus Miettinen,
Hossein Fereidooni,
Ahmad-Reza Sadeghi
Abstract:
IoT application domains, device diversity and connectivity are rapidly growing. IoT devices control various functions in smart homes and buildings, smart cities, and smart factories, making these devices an attractive target for attackers. On the other hand, the large variability of different application scenarios and inherent heterogeneity of devices make it very challenging to reliably detect abnormal IoT device behaviors and distinguish these from benign behaviors. Existing approaches for detecting attacks are mostly limited to attacks directly compromising individual IoT devices, or require predefined detection policies. They cannot detect attacks that utilize the control plane of the IoT system to trigger actions in an unintended/malicious context, e.g., opening a smart lock while the smart home residents are absent.
In this paper, we tackle this problem and propose ARGUS, the first self-learning intrusion detection system for detecting contextual attacks on IoT environments, in which the attacker maliciously invokes IoT device actions to reach its goals. ARGUS monitors the contextual setting based on the state and actions of IoT devices in the environment. An unsupervised Deep Neural Network (DNN) is used for modeling the typical contextual device behavior and detecting actions taking place in abnormal contextual settings. This unsupervised approach ensures that ARGUS is not restricted to detecting previously known attacks but is also able to detect new attacks. We evaluated ARGUS on heterogeneous real-world smart-home settings and achieve at least an F1-Score of 99.64% for each setup, with a false positive rate (FPR) of at most 0.03%.
Submitted 16 February, 2023; v1 submitted 15 February, 2023;
originally announced February 2023.
-
AuthentiSense: A Scalable Behavioral Biometrics Authentication Scheme using Few-Shot Learning for Mobile Platforms
Authors:
Hossein Fereidooni,
Jan König,
Phillip Rieger,
Marco Chilese,
Bora Gökbakan,
Moritz Finke,
Alexandra Dmitrienko,
Ahmad-Reza Sadeghi
Abstract:
Mobile applications are widely used for online services sharing a large amount of personal data online. One-time authentication techniques such as passwords and physiological biometrics (e.g., fingerprint, face, and iris) have their own advantages but also disadvantages, since they can be stolen or emulated, and do not prevent access to the underlying device once it is unlocked. To address these challenges, complementary authentication systems based on behavioural biometrics have emerged. The goal is to continuously profile users based on their interaction with the mobile device. However, existing behavioural authentication schemes are either (i) not user-agnostic, meaning that they cannot dynamically handle changes in the user-base without model re-training, or (ii) do not scale well to authenticate millions of users.
In this paper, we present AuthentiSense, a user-agnostic, scalable, and efficient behavioural biometrics authentication system that enables continuous authentication and utilizes only motion patterns (i.e., accelerometer, gyroscope and magnetometer data) while users interact with mobile apps. Our approach requires neither manually engineered features nor a significant amount of data for model training. We leverage a few-shot learning technique, called Siamese network, to authenticate users at a large scale. We perform a systematic measurement study and report the impact of parameters such as the interaction time needed for authentication and n-shot verification (comparison with enrollment samples) at the recognition stage. Remarkably, AuthentiSense achieves high accuracy of up to 97% in terms of F1-score even when evaluated in a few-shot fashion that requires only a few behaviour samples per user (3 shots). Our approach accurately authenticates users only after 1 second of user interaction. For AuthentiSense, we report a FAR and FRR of 0.023 and 0.057, respectively.
Submitted 6 February, 2023;
originally announced February 2023.
-
BayBFed: Bayesian Backdoor Defense for Federated Learning
Authors:
Kavita Kumari,
Phillip Rieger,
Hossein Fereidooni,
Murtuza Jadliwala,
Ahmad-Reza Sadeghi
Abstract:
Federated learning (FL) allows participants to jointly train a machine learning model without sharing their private data with others. However, FL is vulnerable to poisoning attacks such as backdoor attacks. Consequently, a variety of defenses have recently been proposed, which have primarily utilized intermediary states of the global model (i.e., logits) or distance of the local models (i.e., L2-norm) from the global model to detect malicious backdoors. However, as these approaches directly operate on client updates, their effectiveness depends on factors such as clients' data distribution or the adversary's attack strategies. In this paper, we introduce a novel and more generic backdoor defense framework, called BayBFed, which proposes to utilize probability distributions over client updates to detect malicious updates in FL: it computes a probabilistic measure over the clients' updates to keep track of any adjustments made in the updates, and uses a novel detection algorithm that can leverage this probabilistic measure to efficiently detect and filter out malicious updates. Thus, it overcomes the shortcomings of previous approaches that arise due to the direct usage of client updates, as our probabilistic measure will include all aspects of the local client training strategies. BayBFed utilizes two Bayesian Non-Parametric extensions: (i) a Hierarchical Beta-Bernoulli process to draw a probabilistic measure given the clients' updates, and (ii) an adaptation of the Chinese Restaurant Process (CRP), referred to by us as CRP-Jensen, which leverages this probabilistic measure to detect and filter out malicious updates. We extensively evaluate our defense approach on five benchmark datasets: CIFAR10, Reddit, IoT intrusion detection, MNIST, and FMNIST, and show that it can effectively detect and eliminate malicious updates in FL without deteriorating the benign performance of the global model.
Submitted 23 January, 2023;
originally announced January 2023.
-
CrowdGuard: Federated Backdoor Detection in Federated Learning
Authors:
Phillip Rieger,
Torsten Krauß,
Markus Miettinen,
Alexandra Dmitrienko,
Ahmad-Reza Sadeghi
Abstract:
Federated Learning (FL) is a promising approach enabling multiple clients to train Deep Neural Networks (DNNs) collaboratively without sharing their local training data. However, FL is susceptible to backdoor (or targeted poisoning) attacks. These attacks are initiated by malicious clients who seek to compromise the learning process by introducing specific behaviors into the learned model that can be triggered by carefully crafted inputs. Existing FL safeguards have various limitations: They are restricted to specific data distributions or reduce the global model accuracy due to excluding benign models or adding noise, are vulnerable to adaptive defense-aware adversaries, or require the server to access local models, allowing data inference attacks.
This paper presents a novel defense mechanism, CrowdGuard, that effectively mitigates backdoor attacks in FL and overcomes the deficiencies of existing techniques. It leverages clients' feedback on individual models, analyzes the behavior of neurons in hidden layers, and eliminates poisoned models through an iterative pruning scheme. CrowdGuard employs a server-located stacked clustering scheme to enhance its resilience to rogue client feedback. The evaluation results demonstrate that CrowdGuard achieves a 100% True-Positive-Rate and True-Negative-Rate across various scenarios, including IID and non-IID data distributions. Additionally, CrowdGuard withstands adaptive adversaries while preserving the original performance of protected models. To ensure confidentiality, CrowdGuard uses a secure and privacy-preserving architecture leveraging Trusted Execution Environments (TEEs) on both client and server sides.
Submitted 22 August, 2023; v1 submitted 14 October, 2022;
originally announced October 2022.
-
DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection
Authors:
Phillip Rieger,
Thien Duc Nguyen,
Markus Miettinen,
Ahmad-Reza Sadeghi
Abstract:
Federated Learning (FL) allows multiple clients to collaboratively train a Neural Network (NN) model on their private data without revealing the data. Recently, several targeted poisoning attacks against FL have been introduced. These attacks inject a backdoor into the resulting model that allows adversary-controlled inputs to be misclassified. Existing countermeasures against backdoor attacks are inefficient and often merely aim to exclude deviating models from the aggregation. However, this approach also removes benign models of clients with deviating data distributions, causing the aggregated model to perform poorly for such clients.
To address this problem, we propose DeepSight, a novel model filtering approach for mitigating backdoor attacks. It is based on three novel techniques that allow characterizing the distribution of data used to train model updates and seek to measure fine-grained differences in the internal structure and outputs of NNs. Using these techniques, DeepSight can identify suspicious model updates. We also develop a scheme that can accurately cluster model updates. Combining the results of both components, DeepSight is able to identify and eliminate model clusters containing poisoned models with high attack impact. We also show that the backdoor contributions of possibly undetected poisoned models can be effectively mitigated with existing weight clipping-based defenses. We evaluate the performance and effectiveness of DeepSight and show that it can mitigate state-of-the-art backdoor attacks with a negligible impact on the model's performance on benign data.
Submitted 3 January, 2022;
originally announced January 2022.
-
FLAME: Taming Backdoors in Federated Learning (Extended Version 1)
Authors:
Thien Duc Nguyen,
Phillip Rieger,
Huili Chen,
Hossein Yalame,
Helen Möllering,
Hossein Fereidooni,
Samuel Marchal,
Markus Miettinen,
Azalia Mirhoseini,
Shaza Zeitouni,
Farinaz Koushanfar,
Ahmad-Reza Sadeghi,
Thomas Schneider
Abstract:
Federated Learning (FL) is a collaborative machine learning approach allowing participants to jointly train a model without having to share their private, potentially sensitive local datasets with others. Despite its benefits, FL is vulnerable to backdoor attacks, in which an adversary injects manipulated model updates into the model aggregation process so that the resulting model will provide targeted false predictions for specific adversary-chosen inputs. Proposed defenses against backdoor attacks based on detecting and filtering out malicious model updates consider only very specific and limited attacker models, whereas defenses based on differential privacy-inspired noise injection significantly deteriorate the benign performance of the aggregated model. To address these deficiencies, we introduce FLAME, a defense framework that estimates the sufficient amount of noise to be injected to ensure the elimination of backdoors while maintaining the model performance. To minimize the required amount of noise, FLAME uses a model clustering and weight clipping approach. Our evaluation of FLAME on several datasets stemming from application areas including image classification, word prediction, and IoT intrusion detection demonstrates that FLAME removes backdoors effectively with a negligible impact on the benign performance of the models. Furthermore, following the considerable attention that our research has received after its presentation at USENIX SEC 2022, FLAME has become the subject of numerous investigations proposing diverse attack methodologies in an attempt to circumvent it. As a response to these endeavors, we provide a comprehensive analysis of these attempts. Our findings show that these papers (e.g., 3DFed [36]) have not fully comprehended nor correctly employed the fundamental principles underlying FLAME, i.e., our defense mechanism effectively repels these attempted attacks.
Submitted 5 August, 2023; v1 submitted 6 January, 2021;
originally announced January 2021.
-
Non-thermal response of YBCO thin films to picosecond THz pulses
Authors:
P. Probst,
A. Semenov,
M. Ries,
A. Hoehl,
P. Rieger,
A. Scheuring,
V. Judin,
S. Wünsch,
K. Il'in,
N. Smale,
Y. -L. Mathis,
R. Müller,
G. Ulm,
G. Wüstefeld,
H. -W. Hübers,
J. Hänisch,
B. Holzapfel,
M. Siegel,
A. -S. Müller
Abstract:
The photoresponse of YBa2Cu3O7-d thin film microbridges with thicknesses between 15 and 50 nm was studied in the optical and terahertz frequency range. The voltage transients in response to short radiation pulses were recorded in real time with a resolution of a few tens of picoseconds. The bridges were excited by either femtosecond pulses at a wavelength of 0.8 μm or broadband (0.1 - 1.5 THz) picosecond pulses of coherent synchrotron radiation. The transients in response to optical radiation are qualitatively well explained in the framework of the two-temperature model with a fast component in the picosecond range and a bolometric nanosecond component whose decay time depends on the film thickness. The transients in the THz regime showed no bolometric component and had amplitudes up to three orders of magnitude larger than the two-temperature model predicts. Additionally, THz-field-dependent transients in the absence of DC bias were observed. We attribute the response in the THz regime to a rearrangement of vortices caused by high-frequency currents.
Submitted 12 April, 2012;
originally announced April 2012.