Backdoor attacks in federated learning with regression


Abstract

Machine learning, a pivotal aspect of artificial intelligence, has dramatically altered our interaction with technology and our handling of extensive data. Through its ability to learn and make decisions from patterns and previous experiences, machine learning is growing in influence on different aspects of our lives. It has been shown, however, that machine learning models can be attacked, and that such attacks can make a model behave in a way completely opposite to what it was designed for. A special kind of attack on machine learning models is a backdoor attack. It relies on a special pattern, placed in the training data by malicious users, that alters the model's behaviour. This pattern is called a backdoor trigger, and it can take any possible form. Test data containing this trigger will be misclassified, while clean data will still receive correct predictions. This property makes backdoor attacks stealthy and hard to detect.

Backdoor attacks have mostly been designed against classification models, where each data sample has a label. In this thesis, we move away from the classification setup and create the first (to our knowledge) backdoor attack on linear regression. We show that triggers constructed using different versions of feature selection algorithms can be effective and induce a high error in the linear model's predictions. Additionally, the study shows that a trigger constructed with correlation-based feature selection leads to a higher error than one constructed with random-forest-based feature selection.

Furthermore, we transfer this backdoor attack to the federated learning setup. The results prove to be highly dependent on the number of poisoned nodes, but in all cases the error on the poisoned region is higher than on the clean data.

Finally, for the attack in both setups, we have adapted popular defence mechanisms that work against backdoor attacks on classification models. For the centralised setup, we have explored the use of studentized residuals as an outlier detection mechanism. The results are mixed, and they become worse as the poisoning rate of the model increases. To counter the attacks in the federated setup, we used the FoolsGold defence mechanism, which proved effective against backdoor attacks on the regression model in all cases except the one with exactly one attacking node.
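As an added illustration of the centralised defence described above (this is example code written for this page, not the thesis's own implementation or data), the following computes externally studentized residuals for an OLS fit on a constructed dataset in which a few rows carry a trigger value on the feature most correlated with the target and a shifted target; the trigger value, target shift, sample sizes and threshold are all assumed, and the second run with a higher poisoning rate shows the masking effect that makes the detection degrade.

```python
import numpy as np

def studentized_residuals(X, y):
    """Externally studentized residuals of an OLS fit (X already has an intercept column).
    Each residual is scaled by its leverage h_ii and by a sigma estimated with that
    point left out, so a large residual does not inflate its own denominator."""
    n, p = X.shape
    beta, *_ = np.linalg.lstsq(X, y, rcond=None)
    resid = y - X @ beta
    h = np.einsum("ij,jk,ik->i", X, np.linalg.pinv(X.T @ X), X)  # diag of the hat matrix
    sse = np.sum(resid ** 2)
    sigma2_loo = (sse - resid ** 2 / (1 - h)) / (n - p - 1)       # leave-one-out variance
    return resid / np.sqrt(sigma2_loo * (1 - h))

def make_poisoned_dataset(n_clean, n_poison, seed=0):
    """Constructed data: y is linear in 3 features plus noise. Poisoned rows carry a
    fixed trigger value on the feature most correlated with y (correlation-based
    feature selection, as the thesis describes) and a target shifted off the clean
    regression surface. All values are assumptions for the illustration."""
    rng = np.random.default_rng(seed)
    w = np.array([2.0, -1.0, 0.5])
    Xc = rng.normal(size=(n_clean, 3))
    yc = Xc @ w + rng.normal(scale=0.5, size=n_clean)
    corr = [abs(np.corrcoef(Xc[:, j], yc)[0, 1]) for j in range(3)]
    trig_feat = int(np.argmax(corr))
    Xp = rng.normal(size=(n_poison, 3))
    Xp[:, trig_feat] = 2.5                      # trigger pattern (constructed value)
    yp = Xp @ w + 8.0                           # shifted target (constructed value)
    X = np.vstack([Xc, Xp])
    y = np.concatenate([yc, yp])
    X = np.hstack([np.ones((len(y), 1)), X])    # intercept column
    is_poison = np.concatenate([np.zeros(n_clean, bool), np.ones(n_poison, bool)])
    return X, y, is_poison

def detection_rates(n_clean=400, n_poison=10, threshold=3.0, seed=0):
    """Fraction of poisoned rows flagged (TPR) and of clean rows flagged (FPR)
    when |studentized residual| > threshold is treated as an outlier."""
    X, y, is_poison = make_poisoned_dataset(n_clean, n_poison, seed)
    flagged = np.abs(studentized_residuals(X, y)) > threshold
    return float(flagged[is_poison].mean()), float(flagged[~is_poison].mean())

if __name__ == "__main__":
    for k in (10, 100):   # roughly 2.4% vs 20% poisoning rate
        print(f"{k} poisoned rows: TPR, FPR = {detection_rates(n_poison=k)}")
```

At the low poisoning rate the poisoned rows stand out; at the high rate the fit absorbs the shift and the leave-one-out variance grows, so the same threshold flags almost none of them.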