Kick Bad Guys Out! Zero-Knowledge-Proof-Based Anomaly Detection in Federated Learning

As we responded to W3 in the section above, we would like to address the remaining 2 weaknesses mentioned by Reviewer TEpF.

W1: The authors did not compare with FL anomaly detection methods such as FLDetector in experiments.

As already mentioned in our paper, FLDetector is not practical in real-world scenarios. It relies heavily on historical client models from previous training rounds. By examining their detailed implementation, we found that the number of pre-training rounds may vary based on the datasets. For example, the number of pre-training rounds is set to 50 when the datasets are MNIST and FEMNIST, and 20 when the dataset is CIFAR10. Since our approach starts with zero pre-training rounds, it is more generalized, and we do not think there is need in the experiment section to compare our approach with FLDetector which has the practical design limitations above. Thus, in our paper, we decided to mention this work in the Related Works section.

W2: The authors did not test their methods with some strong attacks

Reviewer TEpF suggested 3 attacks (paper [1][2][3]) to us. While we have already included one of the three attacks in our experiments ([2]), we would like to point out that our work has already leveraged stronger and more practical attacks in our paper, compared to those suggested by Reviewer TEpF.

As addressed in the whole paper, our anomaly detection solution handles the challenges faced by real-world FL systems. The basic rule to select attacks in our experiments is that the attack must be practical to be utilized by malicious clients in real-world cases.

As for the other two attacks suggested by Reviewer TEpF, [1] is a famous defense paper in fact, – even its title clearly reflects that it is a defense paper. Though they design an attack, to the best of our knowledge, there is neither an existing work leveraging this attack nor it is practical in real-world scenarios. As shown in their open-sourced implementation (https://github.com/moranant/attacking_distributed_learning/blob/master/malicious.py), the method requires the malicious clients to modify their local models based on the “distribution” of all local models in the current FL training round, using a mean and a standard deviation. Implementing this in real-world FL applications requires the server (or a malicious third party) to compute the real mean (i.e., the averaged model) and the standard deviation, then send them back to the malicious clients for them to compute the poisoned local model. If the mean (averaged model) is computed by the server, the server has no reason to take the poisoned local model again from the local clients, as it has already obtained the averaged model for the current FL round. If the mean is computed by a malicious third party, then the assumption is that the third party attacker has taken control over the whole FL system, which is too strong and almost impractical in real-world scenarios (remember we have an honest majority).

Regarding the attack in [3], in fact, in our experiments, we have already considered two practical attacks ([2] in the reviewer’s suggested attacks and [4]) that are stronger than [3]. The stronger attack in our experiments can even induce the global model to be the local model submitted by a malicious client. Even under this scenario, we show that our proposed method works effectively.

[4] Chen, Yudong, Lili Su, and Jiaming Xu. "Distributed statistical machine learning in adversarial settings: Byzantine gradient descent." Proceedings of the ACM on Measurement and Analysis of Computing Systems 1.2 (2017): 1-25.

Dear Chairs and Reviewers,

We do appreciate your effort in reviewing our paper. We got an overall rating of 3 (reject) and a confidence of 4 (confident in their assessment) from Reviewer TEpF, however, we would like to point out that the review is problematic and full of mistakes contradicting our work. In what follows, we expand our concerns in the following aspects:

Nearly copy-paste summary

Reviewer TEpF summarized the paper as follows:

The paper proposed a FL anomaly detection method with the following features: i) Detecting the occurrence of attacks and performing defense operations only when attacks happen; ii) Upon the occurrence of an attack, further detecting the malicious client models and eliminating them without harming the benign ones; iii) Ensuring honest execution of defense mechanisms at the server by leveraging a zero-knowledge-proof mechanism.

While, in the abstract of our submission, we wrote:

To address these challenges in real FL systems, this paper introduces a cutting-edge anomaly detection approach with the following features: i) Detecting the occurrence of attacks and performing defense operations only when attacks happen; ii) Upon the occurrence of an attack, further detecting the malicious client models and eliminating them without harming the benign ones; iii) Ensuring honest execution of defense mechanisms at the server by leveraging a zero-knowledge proof mechanism. 

By comparing our original text with Reviewer TEpF’s summary, we can easily see that Reviewer TEpF almost copied-pasted part of our abstract with little modification. This makes us think that the Reviewer TEpF has spent little to no time reviewing our paper, as evidenced by their other comments, which we discuss next.

Comments with factual mistakes regarding a “missing” experiment

In Weakness 3 (W3), the reviewer said “The authors did not explore the influence of the number of malicious clients.” However, in the original submitted version, we exactly included the experiment as Exp 5 (Varying the number of malicious clients) in the experiment section, – not the appendix. We varied the percentage of malicious clients to be 0, 20%, and 40%, and our approach works pretty well, – in both cases of 20% and 40% malicious clients, the test accuracy remains very close to the benign case.

Controversial comments with factual mistakes regarding general experiments

In W2, the reviewer said “The authors did not test their approach with some strong attacks” and then the reviewer listed 3 papers ([1][2][3]). However, we have already utilized the attack in [2] in our experiments. Moreover, [1] is in fact a famous defense paper, – even its title clearly reflects that it is a defense paper. Though that paper includes an attack, it is impractical in real-world scenarios (in the next section, we describe why it is impractical). Based on our survey so far, in our humble opinion, we have not seen any paper that utilizes the attack described in [1]. On the other hand, in our experiments, we have already utilized attacks that are both practical and stronger than the attacks suggested by the reviewer. We will explain them in detail in the following section.

Dear Chair, reviewers, and authors

Thanks to the authors for the detailed reply! However, most of my concerns still exist.

1. The authors still have not included FLDetector in experiments, which is a popular method for FL anomaly detection. The authors just said the historical information is required in FLDetector, and then the method is impractical. This is not quite convincing.

2. [1] and [3] are still not compared. [1] A Little Is Enough: Circumventing Defenses For Distributed Learning is an attack paper, even from the title.

3. Systematic exploration of the influence of the number of malicious clients is expected. In Exp5, only 2 and 4 malicious clients for a single attack are considered.

Therefore, I would like to keep my score. Finally, I suggest paying more attention to the paper itself, which will be more helpful.

As already mentioned in our paper, FLDetector is not practical in real-world scenarios. It relies heavily on historical client models from previous training rounds. By examining their detailed implementation, we found that the number of pre-training rounds may vary based on the datasets. For example, the number of pre-training rounds is set to 50 when the datasets are MNIST and FEMNIST, and 20 when the dataset is CIFAR10. Since our approach starts with zero pre-training rounds, it is more generalized, and we do not think there is a need in the experiment section to compare our approach with FLDetector which has the practical design limitations above. Thus, in our paper, we decided to mention this work in the Related Works section.

We appreciated your constructed feedback that helped enhance our paper. Below are our responses.

W1: Assumption of Malicious Clients Remaining Below 50%

Thank you for highlighting the importance of discussing the limitations of our mechanism under different proportions of malicious clients. First, we would like to point out that security solutions often address scenarios that are less frequently encountered in the real world – those that may rarely occur, but when they do, they can lead to serious consequences. This holds true for security issues in Federated Learning (FL) systems as well. In practical FL systems, the proportion of malicious clients is typically no more than 10%. Consistent with this, most literature, to the best of our knowledge, evaluates scenarios with a maximum of 50% adversarial clients, as referenced in [1][2][3][4]. Some methods impose even stricter requirements on the percentage of malicious clients. For example, the well-known m-Krum approach [1] selects n out of N clients in each FL iteration, but only m out of these n local models contribute to the aggregation. The percentage of malicious clients must be less than 1/2 - (m+2)/n as required by the method, which is usually significantly lower than 1/2. For example, in the optimal scenario with 10 participating clients and only 1 local model contributing to the aggregation, which directly leads to an upper limit on the percentage of malicious adversaries when n is 10, the requirement is that the percentage of malicious clients is less than 1/2 - 3/10 = 20%. Your comment, however, has inspired us to explore further. If given the opportunity to enhance our paper, we plan to expand Experiment 5 (Varying the number of malicious clients) to include scenarios with over 50% malicious clients. This will allow us to test the limits of our approach in more extreme conditions. It is also noteworthy that our approach has performed well so far. In Experiment 5, where we varied the percentage of malicious clients to 0%, 20%, and 40%, the test accuracy remained very close to that of the benign scenarios, even with 20% or 40% malicious clients.

[1] Blanchard, Peva, et al. "Machine learning with adversaries: Byzantine tolerant gradient descent." Advances in neural information processing systems 30 (2017).

[2] Guerraoui, Rachid, and Sébastien Rouault. "The hidden vulnerability of distributed learning in byzantium." International Conference on Machine Learning. PMLR, 2018.

[3] Karimireddy, Sai Praneeth, Lie He, and Martin Jaggi. "Byzantine-robust learning on heterogeneous datasets via bucketing." ICLR2022.

[4] Xie, Chulin, et al. "Crfl: Certifiably robust federated learning against backdoor attacks." International Conference on Machine Learning. PMLR, 2021.

W2: Justification for Assuming Gaussian/Normal Distribution

We appreciate your feedback on the necessity of justifying the Gaussian distribution assumption for client models. As studied extensively in the distributed learning literature, if the local data of the clients are i.i.d., parameters of the local models follow a Gaussian distribution, see [5][6][7]. Further, even if the client datasets are non-i.i.d., based on the Central Limit Theorem, the distribution of the local models tends toward a normal distribution.

We included the following description in Section 3.2.

The 3 Sigma Rule is pivotal for two reasons: i) in case the client datasets are i.i.d., parameters of local models follow a Gaussian distribution [5][6][7] ; and ii) even when client datasets are non-i.i.d., the Central Limit Theorem indicates that local models tend toward a normal distribution.

[5] Baruch, Gilad, Moran Baruch, and Yoav Goldberg. "A little is enough: Circumventing defenses for distributed learning." Advances in Neural Information Processing Systems 32 (2019).

[6] Chen, Yudong, Lili Su, and Jiaming Xu. "Distributed statistical machine learning in adversarial settings: Byzantine gradient descent." Proceedings of the ACM on Measurement and Analysis of Computing Systems 1.2 (2017): 1-25.

[7] Yin, Dong, et al. "Byzantine-robust distributed learning: Towards optimal statistical rates." International Conference on Machine Learning. PMLR, 2018.

Moreover, existing defense mechanisms are deployed at the FL server without any verification procedures to ensure their correct execution. While most of the clients are benign and wish to collaboratively train machine learning models, they can also be skeptical about the server's reliability during the execution of the defense mechanisms that modify the original aggregation procedure. 

For each FL round, instead of using all client submissions for aggregation, such approaches keep local models that are the most likely to be benign to represent the other local models. Such approaches are effective, but they keep less local models than the real number of benign local models to ensure that all Byzantine local models are filtered out, causing misrepresentation of some benign local models in aggregation. This completely wastes the computation resources of the benign clients that are not being selected and thus, changes the aggregation results as some benign local models do not participate in aggregation. 

Exp8: Evaluations in real-world applications. We utilize edge devices from the Theta network (Theta Network., 2023) to validate the scalability of our anomaly detection approach to real-world applications. The FL client package is integrated into Theta’s edge nodes, which periodically fetch data from the Theta back-end. Subsequently, the FL training server capitalizes on these Theta edge nodes and their associated data to train, fine-tune, and deploy machine learning models. We utilize the Byzantine attack of random mode. Considering the challenges posed by real-world environments, such as devices equipped solely with CPUs (lacking GPUs), potential device connectivity issues, network latency, and limited storage on edge devices (for instance, some mobile devices might have less than 500MB of available storage), we choose a simple task by employing the MNIST dataset for a logistic regression task. We deploy 20 client edge devices, and set 5 as malicious for each FL training round. The information of the Theta devices is shown in Figure 15. The training process is shown in Figure 16, and the total training time is 221 seconds. We also include the CPU utilization and network traffic during training, which are shown in Figure 17 and Figure 18, respectively.

We would like to first express our gratitude for your reviews. Your insightful comments and constructive suggestions are invaluable in enhancing our work.

Q1 & W2:The description of the threat model needs to be more accurate. It is preferable to describe the threat model based on adversary goals, knowledge, and capabilities.

Thank you for your constructive insights. Based on your feedback, we modified the description of the threat model as follows:

We consider an FL system where some clients are malicious, while most clients are honest. The clients have full access to their local data and can train models using their data. They also would like to collaboratively train a model without sharing their data. However, the malicious clients among them may conduct attacks to achieve some adversarial goals, including: i) planting a backdoor to misclassify a specific set of samples while minimally impacting the overall performance of the global model, i.e., backdoor attacks; ii) altering the local models to prevent the global model from converging, i.e., Byzantine attacks; and iii) randomly submitting contrived models without actual training, i.e., free riders. Clients are aware that the server can take some defensive methods to remove potential malicious local models, and they want to verify the mechanism is processed correctly and honestly at the server.

Q2 & W1: The explanations of some experimental results are not entirely convincing. The justification provided for selecting the 'second-to-the-last layer' in Exp1 is not sufficient.

Thank you for your suggestion. For the selection of the importance layer, our aim is to choose a general case that is suitable for real-world scenarios that involve various models and datasets. Intuitively, we selected the second-to-the-last layer, as it contains more information and can represent the whole model. In Experiment 1, we observed that this layer exhibited higher sensitivity compared to most other layers across all scenarios, thus can be utilized to represent the whole model. We acknowledge that our initial presentation for Experiment 1 was unclear. To clarify this, we have revised our descriptions as follows.

We utilize the norm of gradients to evaluate the "sensitivity" of each layer. A layer with a norm higher than most of the other layers indicates higher sensitivity compared with most of the other layers, thus can be utilized to represent the whole model. We evaluate the sensitivity of layers of CNN, RNN, and ResNet56. The results for RNN are shown in Figure 4, and the results for ResNet56 and CNN are deferred to Figure 14 and Figure 13  in Appendix B.2, respectively. The results show the sensitivity of the second-to-the-last layer is always higher than most of the other layers, which includes adequate information of the whole model, thus can be selected as the importance layer.

Q3: I didn't fully grasp the significance of "VERIFIABLE ANOMALY DETECTION USING ZKP," and the authors should emphasize the research objectives of this section more prominently.

We appreciate your feedback regarding the motivation of using ZKP. The intuition is that, while most of the clients are benign and wish to collaboratively train machine learning models, they may also have concerns about the server's procedure of removing malicious client models, as this procedure may modify the original aggregation result. Considering this, we deployed a ZKP-based verification procedure for the anomaly detection mechanism so that the benign clients can ensure the correct execution of the mechanism at the server.

Based on your feedback, we included the following description at the beginning of Section 4 (Verifiable Anomaly Detection Using ZKP). We also included corresponding explanations in the introduction.

This section introduces a ZKP-based verification procedure so that the benign clients can ensure the correct execution of the anomaly detection mechanism at the server. The intuition is that clients may be skeptical about the removal of some client models during the anomaly detection process at the server, as it may change the aggregation results.

Q4: The paper is very well structured and. There are occasional grammar hiccups and typos, so I recommend a light editing pass (below are a few of the mistakes I’ve collected, but there are more). Page 5 In this ppaer –>in this paper

Thanks for your feedback! We have proofread the paper multiple times and corrected the typos.