XFED: Non-Collusive Model Poisoning Attack Against Byzantine-Robust Federated Classifiers

XFED introduces a non-collusive model poisoning attack that bypasses Byzantine-robust defenses in Federated Learning. It enables individual malicious clients to independently corrupt global models, significantly lowering attack barriers and posing a severe threat to FL integrity and current security protocols.

intermediate2 hours6 steps

The play

Set Up a Baseline Federated Learning Environment
Initialize a central server and multiple clients using an FL framework like Flower or TensorFlow Federated. Ensure your setup includes a global model and a dataset split across clients.
Define the Malicious Objective
Determine the specific goal of the attack. This could be causing misclassification for a target class, backdoor insertion, or degrading overall model performance on specific inputs.
Implement a Malicious Client Strategy
Design a client that generates poisoned local model updates without requiring coordination with other attackers. This typically involves manipulating local training data (e.g., label flipping, data poisoning) or directly altering gradients before sending them to the server.
Integrate Byzantine-Robust Aggregation
Configure your FL server to use a Byzantine-robust aggregation mechanism (e.g., Krum, Trimmed Mean, Median) to simulate the defense XFED aims to bypass. This is crucial for evaluating the attack's effectiveness.
Execute Federated Learning Rounds with Attackers
Run the FL training process for several rounds, allowing the malicious client(s) to submit their crafted poisoned updates alongside benign client updates. Observe the server's aggregation process.
Evaluate Attack Effectiveness
After training, evaluate the global model's performance. Measure accuracy on benign test data and, critically, on targeted (attacked) data or specific inputs designed to reveal the attack's success, demonstrating the bypass of Byzantine defenses.

Starter code

import flwr as fl
import numpy as np

# Define a simple client for demonstration
class FlowerClient(fl.client.NumPyClient):
    def get_parameters(self, config):
        # In a real scenario, this would return model weights
        return [np.array([0.1, 0.2, 0.3])]

    def fit(self, parameters, config):
        # Simulate training: update parameters (e.g., add noise for poisoning later)
        new_params = [p + np.random.rand(*p.shape) * 0.01 for p in parameters]
        num_examples = 10 # Simulate data size
        return new_params, num_examples, {}

    def evaluate(self, parameters, config):
        # Simulate evaluation
        loss = 0.5
        accuracy = 0.9
        num_examples = 5 # Simulate data size
        return loss, num_examples, {"accuracy": accuracy}

# Start a simple Flower server with a basic strategy
# For a real XFED simulation, you'd use a Byzantine-robust strategy here
if __name__ == "__main__":
    strategy = fl.server.strategy.FedAvg(min_available_clients=2, fraction_fit=1.0, fraction_evaluate=1.0)
    fl.server.start_server(server_address="0.0.0.0:8080", config=fl.server.ServerConfig(num_rounds=3), strategy=strategy)