Model Stability Defense against Model Poisoning in Federated Learning

Abstract

Federated Learning (FL) exhibits susceptible to model poisoning attacks, which compromise the availability of the collaboratively trained model by introducing detrimental local updates during the training process. The predominant line of defense against such attacks has been to impose stringent restrictions on clients' model updates. However, this strategy raises new vulnerabilities where the global model can be infiltrated by meticulously crafted malicious perturbations. This vulnerability arises due to the model's inherent sensitivity to perturbations, making it exposed and fragile. In response, this work investigates a novel defensive paradigm centered on model stability-specifically, a model's resilience against perturbations within its parameter space. As a solution, we introduce a new method named Model Stability Defense for Federated Learning (MSDFL), designed to fortify the defense of FL systems against model poisoning attacks. MSDFL utilizes a minmax optimization framework, which is fundamentally linked to empirical risk for exploring the effects of model perturbations. The core aim of our approach is to minimize the norm of the model-output Jacobian matrix without compromising predictive performance, thereby establishing defense through enhanced model stability. Moreover, we propose a refined version of MSDFL, named Holistic Model Stability Defense for Federated Learning (HMSDFL), which considers model stability across all output dimensions of the logits to effectively eradicate the disparity in model convergence speed induced by MSDFL. Extensive experimental results fully demonstrate the fidelity, robustness, compatibility, and self-protection of our methods.