One of the most common defense strategies against model poisoning in federated learning is to employ a robust aggregator mechanism that makes the training more resilient. Many of the existing Byzantine robust aggregators provide theoretical guarantees and are empirically effective against certain categories of attacks. However, we observe that certain high-strength attacks can subvert the aggregator and collapse the training. In addition, most aggregators require identifying tolerant settings to converge. The impact of attacks becomes more pronounced when the number of Byzantine clients approaches a majority, and attacks become harder to evade when the attacker is omniscient, with access to the data, the honest updates and the aggregation method. Motivated by these observations, we develop a robust aggregator called FedRISE for cross-silo FL that is consistent and less susceptible to poisoned updates from an omniscient attacker. The proposed method explicitly determines the optimal direction of each gradient through a sign-voting strategy that uses variance-reduced sparse gradients. We argue that vote weighting based on the cosine similarity of raw gradients is misleading, and we introduce a sign-based gradient valuation function that ignores the gradient magnitude. We compare our method against 8 robust aggregators under 6 poisoning attacks on 3 datasets and architectures. Our results show that existing robust aggregators collapse for at least some attacks under severe settings, while FedRISE demonstrates better robustness because of a stringent gradient inclusion formulation.
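As an added illustration (not the paper's code and not the actual FedRISE algorithm), the following pure-Python sketch contrasts cosine-weighted averaging of raw updates with a simplified coordinate-wise sign vote and a magnitude-free sign-agreement score. The sample updates, the reference direction used for cosine weights (the plain mean of all updates) and the inclusion threshold are assumptions constructed for the example.

```python
from math import sqrt
from statistics import median

# Constructed sample round: 4 honest updates of dimension 8, all pointing in
# roughly the same direction, plus 2 Byzantine updates from an attacker who
# knows the honest direction: 100x larger, aligned on 7 coordinates (so the
# cosine similarity stays high) but with the last coordinate flipped.
HONEST = [
    [1.0, 0.9, 1.1, 1.0, 0.8, 1.2, 1.0, 0.9],
    [0.9, 1.0, 1.0, 1.1, 1.0, 0.9, 1.1, 1.0],
    [1.1, 1.1, 0.9, 1.0, 1.0, 1.0, 0.9, 1.1],
    [1.0, 1.0, 1.0, 0.9, 1.1, 1.0, 1.0, 1.0],
]
BYZANTINE = [[100.0] * 7 + [-100.0]] * 2
UPDATES = HONEST + BYZANTINE

def mean_update(updates):
    return [sum(u[i] for u in updates) / len(updates) for i in range(len(updates[0]))]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b)))

def cosine_weighted_mean(updates, reference):
    """Weight raw updates by cosine similarity to a reference (assumed: the mean).
    Cosine ignores scale, so a large, mostly aligned poisoned update keeps a
    high weight and its magnitude then dominates the weighted average."""
    weights = [max(cosine(u, reference), 0.0) for u in updates]
    total = sum(weights)
    return [sum(w * u[i] for w, u in zip(weights, updates)) / total
            for i in range(len(reference))]

def sign(x):
    return (x > 0) - (x < 0)

def sign_vote(updates):
    """Per-coordinate majority vote on update signs; magnitudes carry no weight."""
    return [sign(sum(sign(u[i]) for u in updates)) for i in range(len(updates[0]))]

def sign_agreement(update, consensus):
    """Magnitude-free valuation: fraction of coordinates agreeing with the vote."""
    return sum(sign(x) == s for x, s in zip(update, consensus)) / len(consensus)

def sign_vote_aggregate(updates, min_agreement=0.9):
    """Keep only updates that agree with the vote on >= min_agreement of the
    coordinates (assumed threshold), then apply the voted sign with the median
    magnitude of the retained updates."""
    consensus = sign_vote(updates)
    kept = [u for u in updates if sign_agreement(u, consensus) >= min_agreement]
    return [s * median(abs(u[i]) for u in kept) for i, s in enumerate(consensus)]
```

With this input the cosine-weighted mean flips the sign of the last coordinate and inflates the others, while the sign vote excludes both Byzantine updates and returns the honest direction at honest scale.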