Competitive Advantage Attacks to Decentralized Federated Learning

We sincerely appreciate your recognition of our work and your valuable feedback. Please find our responses below.

W1: A clearer comparison to existing attacks: Thank you for your positive feedback on our work. We discuss the "Comparison with poisoning attacks" of SelfishAttack in the Threat Model section. Overall, the differences between SelfishAttack and existing attacks are:

1). Adversary type: Byzantine or collusion-based attacks are typically launched by external adversaries or internal clients, while SelfishAttack is conducted by internal, coordinated clients within the system.

2). Objective: Byzantine or collusion-based attacks aim to indiscriminately degrade overall model performance, often harming even the compromised clients. SelfishAttack, on the other hand, aims to degrade non-selfish clients’ performance while improving or preserving the performance of selfish clients, thereby gaining a competitive advantage.

W2: Discussion of related work on fairness-aware FL: We will consider incorporating some related works about fairness into our paper, such as [1, 2, 3].

[1] Mohri, Mehryar, Gary Sivek, and Ananda Theertha Suresh. "Agnostic federated learning." International conference on machine learning. PMLR, 2019.

[2] Shi, Yuxin, Han Yu, and Cyril Leung. "Towards fairness-aware federated learning." IEEE Transactions on Neural Networks and Learning Systems 35.9 (2023): 11922-11938.

[3] Ezzeldin, Yahya H., et al. "Fairfed: Enabling group fairness in federated learning." Proceedings of the AAAI conference on artificial intelligence. Vol. 37. No. 6. 2023.

W3: New defenses: We discussed potential defenses against SelfishAttack in Appendix K. For example, one possible direction is to explore cryptographic techniques to enforce that a selfish client sends the same shared model to all clients.

Thank you for your comments and feedback. Please find our responses below.

W1: Simple robust aggregation: In Table 3, we present results for other aggregation rules. We also conduct experiments on complex CenteredClip aggregation rule. Similar to the attacks against other aggregation rules in Table 3, we apply the attack originally designed for FedAvg to CenteredClip. The corresponding MTAS/MTANS/Gap are 0.527/0.437/0.090, respectively. These results indicate that our attack successfully achieves both attack goals even under the CenteredClip defense.

W2: Few clients: To further evaluate the effectiveness of our approach, we conduct experiments on CIFAR-10 with 100 clients. The corresponding MTAS/MTANS/Gap results are:

W3: More attacks: We further add label flipping and sign flipping attacks to our baseline. The results are:

These results indicate that the two attacks fail to obtain a significant competitive advantage.

Q1: Permutation invariant: Permutation invariance is an important property for FL aggregation rules. However, since our method is an attack in the DFL setting, the concept of 'permutation invariance' may not be applicable to our method.

Q2: Attacks should be benchmarked against defenses: In addition to comparing the performance of our attack with other attacks, we also benchmarked against defenses. Tables 1 and 3 report the results of SelfishAttack against various robust aggregation rules. Moreover, comparing our attack with other baseline attacks better highlights its effectiveness, which is also a common practice in many attack papers (e.g., [1]).

[1] Fang et al. "Local model poisoning attacks to Byzantine-Robust federated learning." In USENIX security symposium 2020.

Q3: Modeling as a game: This is a very interesting suggestion. In Table 3, we have already included several advanced defenses, such as FLTrust, FLAME, and RFA, which modify aggregation weights, as well as FLDetector, which tracks per-round variance. To further verify that attackers can still be effective even when defenders adopt random aggregation rules, we conduct the following experiment: in each round, each non-selfish client randomly selects an aggregation rule from those listed in Tables 1 and 3, while the selfish clients consistently apply the attack strategy designed for FedAvg. The results are 0.573/0.480/0.093. While an attacker could potentially adapt its strategy based on the specific aggregation rule used by the defender, it needs the selfish clients to know the exact aggregation rules used by non-selfish clients, which is impractical. Therefore, we believe modeling games goes beyond the scope of the current paper and would be better positioned as a new line of attack. We believe it is a promising future work.

L1: Weaker performance in non-iid: We clarify that all our results, except for the iid case in Figure 4 (i.e., degree of non-iid=0.1), are conducted under non-iid scenarios. We will make this setting more clear.

L2: Not effective during early rounds: We argue that in early rounds, all clients have poorly performing local models, and a more meaningful attack goal is to prevent them from obtaining high-performance models later on. Our algorithm includes a component that determines when to start the attack. In practice, the attack typically begins between 1/6 and 1/3 of the total training rounds, meaning that selfish clients can gain a significant competitive advantage for the majority of the training process.

We thank you for your constructive feedback and for recognizing the contributions of our work. Our point-by-point responses are as follows.

W1: Asymmetry: Regarding the 'asymmetry' concern, we experiment with using the models received from each non-selfish client in the previous round, as estimates of their current-round sent models, when computing the selfish model to be sent by selfish clients. The results (CIFAR-10, MTAS/MTANS/Gap) are as follows:

These results are very close to those obtained using the actual current-round models. We will consider updating our algorithm to use the previous-round models to address this concern.

W2: Aggregation rules are unknown: We include several advanced aggregation rules (e.g., FLTrust, RFA, FLDetector) in Table 3. These experiments do not require prior knowledge of which aggregation rule the clients are using, as we apply a unified attack strategy rather than adapting it based on the specific aggregation rule. Of course, if the attacker knows in advance which aggregation rule the non-selfish clients are using, it is possible to launch more targeted and effective attacks (as we did for FedAvg, Median, and Trimmed-mean). We also attempt to attack Trimmed-mean using the strategy designed for Median as suggested, resulting in MTAS/MTANS/Gap of 0.583/0.512/0.071, demonstrating a certain degree of transferability.

W3: A subset of agents active in each round: We conduct an experiment where only 50% of the clients participate in each round, while keeping other parameters unchanged (e.g., $\lambda$). The results are as follows:

The results still demonstrate that our method achieves a strong competitive advantage. In addition, using only 50% of the clients delays the attack by 20-30 rounds compared to using all clients, which may be due to the slower convergence of the system with fewer participants.

Q1: Aggregation rules are unknown: If the aggregation rules are not known in advance, using the attack strategies designed for FedAvg is the most effective approach. This is also consistent with our experiments on most other aggregation rules in Table 3. Under the same parameter settings, applying the FedAvg-based attack against Median and Trimmed-mean yields the following results:

Q2: A subset of agents active in each round: Please refer to the responses to W3 above.

Q3: Potential defense: We evaluate the aggregation rule FedFomo proposed in [1]. Similar to how we attacked other aggregation rules in Table 3, we apply the attack strategy designed for FedAvg to FedFomo. In our experiments, each non-selfish client uses its entire training dataset to evaluate the models from other clients. The results are 0.474/0.323/0.151. This outcome may be due to the fact that, under our attack on FedAvg, most selfish clients send models identical to the local models of the non-selfish clients. Since FedFomo assigns higher weights to models that are similar to a client’s own local model, the models from selfish clients receive relatively high weights. As a result, the final aggregated model essentially becomes the non-selfish client's own model. This explains why the attack results on FedFomo are very close to those on FedAvg.

Q4:Not fully connect graph: We conduct an experiment under a not fully connected setting. Specifically, we randomly generate a graph structure where each client is connected to only 10 other clients (20 clients in total). In this case, selfish clients do not have access to the full connectivity structure of the DFL system, that is, they do not know which clients each non-selfish client is collaborating with. Therefore, it is difficult to directly apply the attack strategies proposed in the paper for FedAvg, Median, and Trimmed-mean in this setting. However, we can still construct an attack based on all the local models of non-selfish clients that are accessible to selfish clients. Therefore, we use the same attack strategy designed for FedAvg to attack FedAvg, Median, and Trimmed-mean. The results are as follows:

These results demonstrate that SelfishAttack can still achieve a clear competitive advantage even in a not fully connected setting. Therefore, we believe that the attack strategy designed for FedAvg can be generalized to the not fully connected setting.

Thank you for acknowledging our work and for your insightful comments. Our responses are provided below.

W1: Unsaid assumptions: We conduct an experiment under a not fully connected setting. Specifically, we randomly generate a graph structure where each client is connected to only 10 other clients (20 clients in total). In this case, selfish clients do not have access to the full connectivity structure of the DFL system, that is, they do not know which clients each non-selfish client is collaborating with. Therefore, it is difficult to directly apply the attack strategies proposed in the paper for FedAvg, Median, and Trimmed-mean in this setting. However, we can still construct an attack based on all the local models of non-selfish clients that are accessible to selfish clients. Therefore, we use the same attack strategy designed for FedAvg to attack FedAvg, Median, and Trimmed-mean. The results are as follows:

These results demonstrate that SelfishAttack can still achieve a clear competitive advantage even in a not fully connected setting. Therefore, we believe that the attack strategy designed for FedAvg can be generalized to the not fully connected setting.

W2: Uncertainties: For the different attack strategies proposed in our paper (FedAvg-based, Median-based, and Trimmed-mean-based), we use a fixed value of $\lambda$. Specifically, $\lambda$ is set to 0.0 for the FedAvg-based attack, and 0.5 or 1.0 for the Median- and Trimmed-mean-based attacks. This does not require full knowledge of the system and remains constant regardless of any other factors. Figure 3 is only intended to illustrate the motivation behind our choice of $\lambda$ for these three strategies. Table 3 presents results of attacks against other aggregation rules. In these experiments, we adopted the FedAvg-based attack, and thus $\lambda$ is fixed at 0.0 accordingly. As for r in Equation 8, it is computed directly and does not require manual selection. Therefore, our experimental parameters are fixed and do not rely on any specific knowledge of the dataset or DFL system.

W3: Delay is suspicious: We experiment with using the models received from each non-selfish client in the previous round, as estimates of their current-round sent models, when computing the selfish model to be sent by selfish clients. The results (CIFAR-10, MTAS/MTANS/Gap) are as follows:

These results are very close to those obtained using the actual current-round models. We will consider updating our algorithm to use the previous-round models to address this concern.

W4: Stronger Baseline: In fact, the Fang attack is equivalent to the TrimAttack described in our paper. We further include its Krum-based variant, referred to as the Krum Attack. The results are as follows:

Q1: The attack is started late…: In fact, for CIFAR-10, the attack typically begins around round 200, and once initiated, selfish clients can achieve a clear competitive advantage within just 10 rounds. After that point, the average accuracy of both selfish and non-selfish clients increases slightly (by about 0.05), and the Gap tends to stabilize until training ends (at 600 rounds). Therefore, neither early stopping nor continuing training significantly affects the effectiveness of SelfishAttack. As long as the attack is launched after a certain round, selfish clients can consistently gain a stable competitive advantage.

We test the effectiveness of SelfishAttack when launched during the final 50 rounds of training, while also preventing selfish clients from learning from non-selfish clients. The resulting Gaps are 0.132 for FedAvg, 0.116 for Median, and 0.110 for Trimmed-mean, which are relatively close to the results in Table 1. However, 'early stopping' can be an effective defense against such 'last-round attacks,' especially in settings where the model is continuously updated and the end of training is uncertain.

Q2: Selfish defense does not improve selfish accuracy: Here, the 'Selfish' entry under the 'Info' column does not refer to a defense mechanism, but rather indicates whether the model used during aggregation by selfish clients comes from all clients or only from selfish clients. The reason why 'All' outperforms 'Selfish' is that selfish clients can still gain some useful information from the models of non-selfish clients. In addition, we add experiments where non-selfish clients use Median, selfish clients perform a Median-based attack, and use FedAvg to aggregate the selfish clients' local models. The results are as follows:

This further supports the conclusion that models from all clients should be used for aggregation, rather than relying solely on those from the selfish clients. Q3: Number of benign and malicious training rounds: Roughly, on CIFAR-10, the first 200 rounds are benign, and the later 400 rounds are attacked.

Q4: Why is \lambda set to 0 for FedAvg: Because FedAvg is not a robust aggregation rule, using a large value of $\lambda$ would cause the model aggregated by non-selfish clients to deviate significantly from the model aggregated solely from all non-selfish clients' models. This would lead to poor performance for the non-selfish clients, preventing the selfish clients from benefiting from them. For the impact of different $\lambda$ values on performance, please refer to Figure 3.

Q5: Trim attack has no impact on Sent140: This may be because Sent140 is a binary classification task, where the worst-case performance (i.e., random guessing) is 0.5. In addition, the TrimAttack also has some impact, causing the average accuracy of non-selfish clients to drop by around 0.08.

Q6: Dataset used in Table 3: It’s CIFAR-10, which is our default setting. We mentioned our default settings in line 251.

Q7: How krum is fooled: Because Krum selects the model that has the smallest sum of Euclidean distances to its closest (n+m)−m−2 neighbors, and most selfish clients send models that are identical to the local model of the targeted non-selfish client, the distances between these models are nearly 0. As a result, Krum is highly likely to select the model sent by a selfish client.

L1: Leverage the past updates: Thank you for your suggestion. We experiment with using the past models received from each non-selfish client. Please see the response to W3 for more details.

Thank you for your positive feedback on our rebuttal!

First, we redefine the threat model under the setting where the communication graph may not be fully connected.

DFL Settings

The communication graph may not be fully connected. This means each non-selfish client only sends and receives its local model to and from a subset of clients.

Attacker's Knowledge

Each selfish client receives the pre-aggregation local models from all non-selfish clients it is connected to. They also share their own pre-aggregation local models, as well as all local models they have received from their neighboring non-selfish clients, among themselves.

We consider two scenarios:

i) Selfish clients know the structure of the communication graph, i.e., they know which clients each non-selfish client is connected to;

ii) Selfish clients do not know the structure of the communication graph.

We then discuss how theoretical guarantees of the algorithm change when the attacker knows or does not know the graph structure, and when the attacker can only use local models received in the previous round to approximate the optimal solution.

Let $A_ i$ denote the set of indices of all neighbors of client $i$. Suppose there are $n_ i$ non-selfish clients and $m_ i$ selfish clients in $A_ i$. Denote the model sent from client $i$ to $j$ in round $t$ as $w_ {(i,j)}^{(t)}$. After approximating using shared models from non-selfish clients in round $t-1$, our objective function is defined as:

$$\min_ {\{w_ {(j,i)}^{(t)}\}_ {n\leq j\leq n+m-1}}\Vert w^{(t)}_ i- \hat{w}^{(t-1)}_ i \Vert^2 - \lambda \Vert w^{(t)}_ i -\tilde{w}^{(t-1)}_ i \Vert^2,$$

where $w_ i^{(t)} = \text{Agg}(\{w_ {(h,i)}^{(t)}\}_ {h\in A_ i})$, $\tilde{w}_ i^{(t-1)} = \text{Agg}(\{w_ {(h,i)}^{(t-1)}\}_ {0\leq h\leq n-1})$. The unconstrained minimizer now is $p_ i^{(t)}[k] = \frac{\hat{w}_ i^{(t-1)}[k] - \lambda \tilde{w}_ i^{(t-1)}[k]}{1-\lambda}$, and the optimal solution is computed using $p_ i^{(t)}$.

We first consider the scenario in which selfish clients know the structure of the communication graph; then they can craft shared models similar to the methods described in the main paper. More specifically, we sort the $k$th-dimensional shared models from non-selfish clients to $i$ in descending order in round $t-1$ as ${q}_ {0i}^{(t-1)}[k] \ge \cdots \ge {q}_ {(n_ i-1)i}^{(t-1)}[k]$. Let all the indices of selfish clients in $A_ i$ be $j_ 0, \ldots, j_ {m_ i-1}$.

For FedAvg, the bounds become $\overline{w}_ i^{(t)}[k] = \max_ {0\leq h\leq n-1} w_ {(h,i)}^{(t-1)}[k]$ and $\underline{w}_ i^{(t)}[k] = \min_ {0\leq h\leq n-1} w_ {(h,i)}^{(t-1)}[k]$, and shared models become:

w_ {(j_ 0,i)}^{(t)}[k]=(n_ i+1)\cdot w_ i^* [k] - \sum_ {h=0}^{n_ i-1}q_ {hi}^{(t-1)}[k].$$ For **Median**, the bounds become

\overline{w}_ i^{(t)}[k] = \frac{1}{2}(q_ {\lfloor\frac{n_ i-m_ i-1}{2}\rfloor i}^{(t-1)}[k] + q_ {\lfloor\frac{n_ i-m_ i}{2}\rfloor i}^{(t-1)}[k]), \quad \underline{w}_ i^{(t)}[k] = \frac{1}{2}(q^{(t-1)}_ {\lfloor\frac{n_ i+m_ i-1}{2}\rfloor i}[k] + q^{(t-1)}_ {\lfloor\frac{n_ i+m_ i}{2}\rfloor i}[k]).

$$and shared models become$$

w_ {(j_ 1,i)}^{(t)}[k] = \cdots = w_ {(j_ {m_ i-1},i)}^{(t)}[k] = w_ i^* [k],

$$$$

w_ {(j_ 0,i)}^{(t)}[k] = \begin{cases} 2w_ i^* [k] - q_ {ui}^{(t-1)}[k], & \text{if } w_ i^* [k] > q_ {ui}[k], \\ 2w_ i^* [k] - q_ {vi}^{(t-1)}[k], & \text{if } w_ i^* [k] < q_ {vi}[k], \\ w_ i^* [k], & \text{otherwise} \end{cases}

$$For **Trimmed-mean**, the bounds become$$

\overline{w}_ i^{(t)}[k] = \frac{1}{n_ i - m_ i} \sum_ {h=0}^{n_ i - m_ i - 1} q_ {hi}^{(t-1)}[k], \quad \underline{w}_ i^{(t)}[k] = \frac{1}{n_ i - m_ i} \sum_ {h=m_ i}^{n_ i - 1} q_ {hi}^{(t-1)}[k].

and shared models become Case I: $$ w_ {(j,i)}^{(t)}[k]= \begin{cases} q^{(t-1)}_ {(n_ i-1)i}[k]-b, & j\in\\{j_ {n_ i-r_ i-1},...,j_ {m_ i-1}\\}\\\\ {\mathbf{c}}^{(t)}_ i[k], & j\in\\{j_ 0,...,j_ {n_ i-r_ i-1}\\} \end{cases}

where $\mathbf{c}_ i^{(t)}[k] = \frac{(n_ i - m_ i)\cdot w_ i^* [k] - \sum_ {h = m_ i}^{r_ i - 1} q_ {hi}^{(t-1)}[k]}{n_ i - r_ i}$, $r_ i$ is the largest integer to ensure $n_ i-m_ i\leq r_ i\leq n_ i$ and $w^* _ i[k]\leq \frac{1}{n_ i-m_ i}((n_ i-r_ i)\cdot q^{(t-1)}_ {(m_ i-1)i}[k]+\sum_ {h=m_ i}^{r_ i-1}q^{(t-1)}_ {hi}[k])$

Case II is similar.

When the selfish clients do not know the graph structure, they cannot accurately obtain the bounds used in median and trimmed-mean, nor the shared models. Therefore, we adopt a heuristic approach, allowing them to launch the attack as if targeting FedAvg. Below are our experimental results under different datasets in the setting where the graph is not fully connected and past models are used.