AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning

Yanjun Zhang; Guangdong Bai; Mahawaga Arachchige Pathum Chamikara; Mengyao Ma; Liyue Shen; Jingwei Wang; Surya Nepal; Minhui Xue; Long Wang; Joseph K. Liu

doi:10.1145/3543507.3583542

AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning

Yanjun Zhang
, Guangdong Bai
, Mahawaga Arachchige Pathum Chamikara
, Mengyao Ma
, Liyue Shen
, Jingwei Wang
, Surya Nepal
, Minhui Xue
, Long Wang
, Joseph K. Liu

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

25 Citations (Scopus)

Abstract

The Poisoning Membership Inference Attack (PMIA) is a newly emerging privacy attack that poses a significant threat to federated learning (FL). An adversary conducts data poisoning (i.e., performing adversarial manipulations on training examples) to extract membership information by exploiting the changes in loss resulting from data poisoning. The PMIA significantly exacerbates the traditional poisoning attack that is primarily focused on model corruption. However, there has been a lack of a comprehensive systematic study that thoroughly investigates this topic. In this work, we conduct a benchmark evaluation to assess the performance of PMIA against the Byzantine-robust FL setting that is specifically designed to mitigate poisoning attacks. We find that all existing coordinate-wise averaging mechanisms fail to defend against the PMIA, while the detect-then-drop strategy was proven to be effective in most cases, implying that the poison injection is memorized and the poisonous effect rarely dissipates. Inspired by this observation, we propose AgrEvader, a PMIA that maximizes the adversarial impact on the victim samples while circumventing the detection by Byzantine-robust mechanisms. AgrEvader significantly outperforms existing PMIAs. For instance, AgrEvader achieved a high attack accuracy of between 72.78% (on CIFAR-10) to 97.80% (on Texas100), which is an average accuracy increase of 13.89% compared to the strongest PMIA reported in the literature. We evaluated AgrEvader on five datasets across different domains, against a comprehensive list of threat models, which included black-box, gray-box and white-box models for targeted and non-targeted scenarios. AgrEvader demonstrated consistent high accuracy across all settings tested. The code is available at: https://github.com/PrivSecML/AgrEvader. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM

Original language	English
Title of host publication	WWW '23: Proceedings of the ACM Web Conference 2023
Editors	Ying Ding, Jie Tang, Juan Sequeda
Publisher	Association for Computing Machinery
Pages	2371-2382
ISBN (Print)	9781450394161
DOIs	https://doi.org/10.1145/3543507.3583542
Publication status	Published - Apr 2023
Externally published	Yes
Event	32nd ACM World Wide Web Conference (WWW 2023) - Austin, United States Duration: 30 Apr 2023 → 4 May 2023

Publication series

Name	ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023

Conference

Conference	32nd ACM World Wide Web Conference (WWW 2023)
Place	United States
City	Austin
Period	30/04/23 → 4/05/23

Funding

This work is supported by CSIRO s Data61 - University Collaboration Agreement (DUCA); The University of Queensland under the NSRG grant and Cyber Seed grant; Deakin University under the MAAP Linkage grant; and the Ant Group, MYBank

Access Output

10.1145/3543507.3583542

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Zhang, Y., Bai, G., Chamikara, M. A. P., Ma, M., Shen, L., Wang, J., Nepal, S., Xue, M., Wang, L., & Liu, J. K. (2023). AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning. In Y. Ding, J. Tang, & J. Sequeda (Eds.), WWW '23: Proceedings of the ACM Web Conference 2023 (pp. 2371-2382). (ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023). Association for Computing Machinery. https://doi.org/10.1145/3543507.3583542

Zhang, Yanjun ; Bai, Guangdong ; Chamikara, Mahawaga Arachchige Pathum et al. / AgrEvader : Poisoning Membership Inference against Byzantine-robust Federated Learning. WWW '23: Proceedings of the ACM Web Conference 2023. editor / Ying Ding ; Jie Tang ; Juan Sequeda. Association for Computing Machinery, 2023. pp. 2371-2382 (ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023).

@inproceedings{02ca441dd30a4acca38414ff91d0f66c,

title = "AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning",

abstract = "The Poisoning Membership Inference Attack (PMIA) is a newly emerging privacy attack that poses a significant threat to federated learning (FL). An adversary conducts data poisoning (i.e., performing adversarial manipulations on training examples) to extract membership information by exploiting the changes in loss resulting from data poisoning. The PMIA significantly exacerbates the traditional poisoning attack that is primarily focused on model corruption. However, there has been a lack of a comprehensive systematic study that thoroughly investigates this topic. In this work, we conduct a benchmark evaluation to assess the performance of PMIA against the Byzantine-robust FL setting that is specifically designed to mitigate poisoning attacks. We find that all existing coordinate-wise averaging mechanisms fail to defend against the PMIA, while the detect-then-drop strategy was proven to be effective in most cases, implying that the poison injection is memorized and the poisonous effect rarely dissipates. Inspired by this observation, we propose AgrEvader, a PMIA that maximizes the adversarial impact on the victim samples while circumventing the detection by Byzantine-robust mechanisms. AgrEvader significantly outperforms existing PMIAs. For instance, AgrEvader achieved a high attack accuracy of between 72.78\% (on CIFAR-10) to 97.80\% (on Texas100), which is an average accuracy increase of 13.89\% compared to the strongest PMIA reported in the literature. We evaluated AgrEvader on five datasets across different domains, against a comprehensive list of threat models, which included black-box, gray-box and white-box models for targeted and non-targeted scenarios. AgrEvader demonstrated consistent high accuracy across all settings tested. The code is available at: https://github.com/PrivSecML/AgrEvader. {\textcopyright} 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM",

author = "Yanjun Zhang and Guangdong Bai and Chamikara, \{Mahawaga Arachchige Pathum\} and Mengyao Ma and Liyue Shen and Jingwei Wang and Surya Nepal and Minhui Xue and Long Wang and Liu, \{Joseph K.\}",

year = "2023",

month = apr,

doi = "10.1145/3543507.3583542",

language = "English",

isbn = "9781450394161",

series = "ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023",

publisher = "Association for Computing Machinery",

pages = "2371--2382",

editor = "Ding, \{Ying \} and Tang, \{Jie \} and Sequeda, \{Juan \}",

booktitle = "WWW '23: Proceedings of the ACM Web Conference 2023",

address = "United States",

note = "32nd ACM World Wide Web Conference (WWW 2023) ; Conference date: 30-04-2023 Through 04-05-2023",

}

Zhang, Y, Bai, G, Chamikara, MAP, Ma, M, Shen, L, Wang, J, Nepal, S, Xue, M, Wang, L & Liu, JK 2023, AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning. in Y Ding, J Tang & J Sequeda (eds), WWW '23: Proceedings of the ACM Web Conference 2023. ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023, Association for Computing Machinery, pp. 2371-2382, 32nd ACM World Wide Web Conference (WWW 2023), Austin, United States, 30/04/23. https://doi.org/10.1145/3543507.3583542

AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning. / Zhang, Yanjun; Bai, Guangdong; Chamikara, Mahawaga Arachchige Pathum et al.
WWW '23: Proceedings of the ACM Web Conference 2023. ed. / Ying Ding; Jie Tang; Juan Sequeda. Association for Computing Machinery, 2023. p. 2371-2382 (ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - AgrEvader

T2 - 32nd ACM World Wide Web Conference (WWW 2023)

AU - Zhang, Yanjun

AU - Bai, Guangdong

AU - Chamikara, Mahawaga Arachchige Pathum

AU - Ma, Mengyao

AU - Shen, Liyue

AU - Wang, Jingwei

AU - Nepal, Surya

AU - Xue, Minhui

AU - Wang, Long

AU - Liu, Joseph K.

PY - 2023/4

Y1 - 2023/4

N2 - The Poisoning Membership Inference Attack (PMIA) is a newly emerging privacy attack that poses a significant threat to federated learning (FL). An adversary conducts data poisoning (i.e., performing adversarial manipulations on training examples) to extract membership information by exploiting the changes in loss resulting from data poisoning. The PMIA significantly exacerbates the traditional poisoning attack that is primarily focused on model corruption. However, there has been a lack of a comprehensive systematic study that thoroughly investigates this topic. In this work, we conduct a benchmark evaluation to assess the performance of PMIA against the Byzantine-robust FL setting that is specifically designed to mitigate poisoning attacks. We find that all existing coordinate-wise averaging mechanisms fail to defend against the PMIA, while the detect-then-drop strategy was proven to be effective in most cases, implying that the poison injection is memorized and the poisonous effect rarely dissipates. Inspired by this observation, we propose AgrEvader, a PMIA that maximizes the adversarial impact on the victim samples while circumventing the detection by Byzantine-robust mechanisms. AgrEvader significantly outperforms existing PMIAs. For instance, AgrEvader achieved a high attack accuracy of between 72.78% (on CIFAR-10) to 97.80% (on Texas100), which is an average accuracy increase of 13.89% compared to the strongest PMIA reported in the literature. We evaluated AgrEvader on five datasets across different domains, against a comprehensive list of threat models, which included black-box, gray-box and white-box models for targeted and non-targeted scenarios. AgrEvader demonstrated consistent high accuracy across all settings tested. The code is available at: https://github.com/PrivSecML/AgrEvader. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM

AB - The Poisoning Membership Inference Attack (PMIA) is a newly emerging privacy attack that poses a significant threat to federated learning (FL). An adversary conducts data poisoning (i.e., performing adversarial manipulations on training examples) to extract membership information by exploiting the changes in loss resulting from data poisoning. The PMIA significantly exacerbates the traditional poisoning attack that is primarily focused on model corruption. However, there has been a lack of a comprehensive systematic study that thoroughly investigates this topic. In this work, we conduct a benchmark evaluation to assess the performance of PMIA against the Byzantine-robust FL setting that is specifically designed to mitigate poisoning attacks. We find that all existing coordinate-wise averaging mechanisms fail to defend against the PMIA, while the detect-then-drop strategy was proven to be effective in most cases, implying that the poison injection is memorized and the poisonous effect rarely dissipates. Inspired by this observation, we propose AgrEvader, a PMIA that maximizes the adversarial impact on the victim samples while circumventing the detection by Byzantine-robust mechanisms. AgrEvader significantly outperforms existing PMIAs. For instance, AgrEvader achieved a high attack accuracy of between 72.78% (on CIFAR-10) to 97.80% (on Texas100), which is an average accuracy increase of 13.89% compared to the strongest PMIA reported in the literature. We evaluated AgrEvader on five datasets across different domains, against a comprehensive list of threat models, which included black-box, gray-box and white-box models for targeted and non-targeted scenarios. AgrEvader demonstrated consistent high accuracy across all settings tested. The code is available at: https://github.com/PrivSecML/AgrEvader. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM

UR - https://www.scopus.com/pages/publications/85159269292

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85159269292&origin=recordpage

U2 - 10.1145/3543507.3583542

DO - 10.1145/3543507.3583542

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9781450394161

T3 - ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023

SP - 2371

EP - 2382

BT - WWW '23: Proceedings of the ACM Web Conference 2023

A2 - Ding, Ying

A2 - Tang, Jie

A2 - Sequeda, Juan

PB - Association for Computing Machinery

Y2 - 30 April 2023 through 4 May 2023

ER -

Zhang Y, Bai G, Chamikara MAP, Ma M, Shen L, Wang J et al. AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning. In Ding Y, Tang J, Sequeda J, editors, WWW '23: Proceedings of the ACM Web Conference 2023. Association for Computing Machinery. 2023. p. 2371-2382. (ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023). Epub 2023 Apr 30. doi: 10.1145/3543507.3583542

AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning

Abstract

Publication series

Conference

Funding

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this