Federated learning is highly susceptible to model poisoning attacks, especially those meticulously crafted for servers. Traditional defense methods mainly focus on updating assessments or robust aggregation against manually crafted myopic attacks. When facing advanced attacks, their defense stability is notably insufficient. Therefore, it is imperative to develop adaptive defenses against such advanced poisoning attacks. We find that benign clients exhibit significantly higher data distribution stability than malicious clients in federated learning in both CV and NLP tasks. Therefore, the malicious clients can be recognized by observing the stability of their data distribution. In this paper, we propose AdaAggRL, an RL-based Adaptive Aggregation method, to defend against sophisticated poisoning attacks. Specifically, we first utilize distribution learning to simulate the clients' data distributions. Then, we use the maximum mean discrepancy (MMD) to calculate the pairwise similarity of the current local model data distribution, its historical data distribution, and global model data distribution. Finally, we use policy learning to adaptively determine the aggregation weights based on the above similarities. Experiments on four real-world datasets demonstrate that the proposed defense model significantly outperforms widely adopted defense models for sophisticated attacks.

翻译：联邦学习极易受到模型投毒攻击，尤其是那些针对服务器精心设计的攻击。传统防御方法主要侧重于更新评估或针对手工设计的短视攻击进行鲁棒聚合。面对高级攻击时，其防御稳定性明显不足。因此，亟需开发针对此类高级投毒攻击的自适应防御机制。我们发现，在计算机视觉和自然语言处理任务的联邦学习中，良性客户端的数据分布稳定性显著高于恶意客户端。因此，通过观察客户端数据分布的稳定性可以识别恶意客户端。本文提出AdaAggRL——一种基于强化学习的自适应聚合方法，以防御复杂的投毒攻击。具体而言，我们首先利用分布学习模拟客户端的数据分布；然后使用最大均值差异（MMD）计算当前本地模型数据分布、其历史数据分布与全局模型数据分布之间的两两相似度；最后通过策略学习基于上述相似度自适应地确定聚合权重。在四个真实数据集上的实验表明，所提出的防御模型在应对复杂攻击时显著优于广泛采用的现有防御模型。