We propose FedGT, a novel framework for identifying malicious clients in federated learning with secure aggregation. Inspired by group testing, the framework leverages overlapping groups of clients to identify the presence of malicious clients in the groups via a decoding operation. The clients identified as malicious are then removed from the model training, which is performed over the remaining clients. By choosing the size, number, and overlap between groups, FedGT strikes a balance between privacy and security. Specifically, the server learns the aggregated model of the clients in each group - vanilla federated learning and secure aggregation correspond to the extreme cases of FedGT with group size equal to one and the total number of clients, respectively. The effectiveness of FedGT is demonstrated through extensive experiments on the MNIST, CIFAR-10, and ISIC2019 datasets in a cross-silo setting under different data-poisoning attacks. These experiments showcase FedGT's ability to identify malicious clients, resulting in high model utility. We further show that FedGT significantly outperforms the private robust aggregation approach based on the geometric median recently proposed by Pillutla et al. in multiple settings.