Federated learning is a distributed training framework vulnerable to Byzantine attacks, particularly when over 50% of clients are malicious or when datasets are highly non-independent and identically distributed (non-IID). Additionally, most existing defense mechanisms are designed for specific attack types (e.g., gradient similarity-based schemes can only defend against outlier model poisoning), limiting their effectiveness. In response, we propose FedGuard, a novel federated learning mechanism. FedGuard cleverly addresses the aforementioned issues by leveraging the high sensitivity of membership inference to model bias. By requiring clients to include an additional mini-batch of server-specified data in their training, FedGuard can identify and exclude poisoned models, as their confidence in the mini-batch will drop significantly. Our comprehensive evaluation unequivocally shows that, under three highly non-IID datasets, with 90% of clients being Byzantine and seven different types of Byzantine attacks occurring in each round, FedGuard significantly outperforms existing robust federated learning schemes in mitigating various types of Byzantine attacks.
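To make the canary mechanism described in the abstract concrete, the following is an added simulation (written for this page, not the FedGuard authors' code) of one federated round in which 9 of 10 clients are Byzantine. Everything in it is an assumption for illustration: a two-blob synthetic dataset, logistic regression trained by full-batch gradient descent, three constructed attack types (update sign flipping, label flipping, and a free rider that returns the global model unchanged), non-IID client shards skewed 90/10 toward one class, and an acceptance rule that keeps a submitted model only if its mean confidence on the server's canary mini-batch is at least 80 % of the confidence the server itself obtains by training on that mini-batch. The paper's actual datasets, model, attack set and threshold are not reproduced here.

```python
"""Canary-confidence filtering for one federated round with a 90 % Byzantine client population.
Added illustration: synthetic data, logistic regression and the attack set are constructed, not the paper's."""
import numpy as np

rng = np.random.default_rng(7)                    # fixed seed: all data below is constructed and deterministic
DIM, LOCAL_N, CANARY_N, STEPS, LR = 2, 100, 32, 20, 0.5
ACCEPT_FRACTION = 0.8                             # assumption: accept if canary confidence >= 80 % of server reference


def make_data(n, frac_pos):
    """Two well-separated Gaussian blobs; frac_pos is the non-IID knob (fraction of positive samples)."""
    y = (rng.random(n) < frac_pos).astype(int)
    centers = np.where(y[:, None] == 1, 2.0, -2.0)
    x = centers + rng.normal(0.0, 0.5, size=(n, DIM))
    return x, y


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def train(model, x, y):
    """Full-batch gradient descent for logistic regression, starting from model = (w, b)."""
    w, b = model[0].copy(), model[1]
    for _ in range(STEPS):
        p = sigmoid(x @ w + b)
        w -= LR * ((p - y) @ x) / len(y)
        b -= LR * np.mean(p - y)
    return w, b


def confidence(model, x, y):
    """Mean probability the model assigns to the TRUE label of each canary point (the membership signal)."""
    w, b = model
    p = sigmoid(x @ w + b)
    return float(np.mean(np.where(y == 1, p, 1.0 - p)))


def accuracy(model, x, y):
    w, b = model
    return float(np.mean(((x @ w + b) > 0).astype(int) == y))


def client_update(kind, global_model, x, y, cx, cy):
    """Honest clients train on local data plus the server canary; the Byzantine kinds are constructed attacks."""
    if kind == "free_rider":                      # submits the global model untouched
        return global_model
    if kind == "label_flip":                      # trains on everything it holds with inverted labels
        return train(global_model, np.vstack([x, cx]), 1 - np.concatenate([y, cy]))
    local = train(global_model, np.vstack([x, cx]), np.concatenate([y, cy]))
    if kind == "sign_flip":                       # reflects its honest update through the global model
        return (2 * global_model[0] - local[0], 2 * global_model[1] - local[1])
    return local                                  # "honest"


def fedguard_round(kinds, frac_pos_per_client):
    """One round: server issues a canary batch, filters submissions by canary confidence, then averages."""
    global_model = (np.zeros(DIM), 0.0)
    cx, cy = make_data(CANARY_N, 0.5)             # server-specified canary mini-batch (balanced)
    reference = confidence(train(global_model, cx, cy), cx, cy)
    submissions = [client_update(k, global_model, *make_data(LOCAL_N, fp), cx, cy)
                   for k, fp in zip(kinds, frac_pos_per_client)]
    confs = [confidence(m, cx, cy) for m in submissions]
    accepted = [i for i, c in enumerate(confs) if c >= ACCEPT_FRACTION * reference]

    def avg(idx):
        return (np.mean([submissions[i][0] for i in idx], axis=0),
                float(np.mean([submissions[i][1] for i in idx])))

    guarded, fedavg = avg(accepted), avg(range(len(kinds)))
    tx, ty = make_data(200, 0.5)                  # held-out balanced test set
    return {"reference": reference, "confidences": confs, "accepted": accepted,
            "guarded_acc": accuracy(guarded, tx, ty), "fedavg_acc": accuracy(fedavg, tx, ty)}


KINDS = ["honest"] + ["sign_flip"] * 3 + ["label_flip"] * 3 + ["free_rider"] * 3
SKEW = [0.9 if i % 2 == 0 else 0.1 for i in range(10)]   # each client holds ~90 % of one class

if __name__ == "__main__":
    r = fedguard_round(KINDS, SKEW)
    for kind, c in zip(KINDS, r["confidences"]):
        print(f"{kind:11s} canary confidence {c:.3f}")
    print("server reference", round(r["reference"], 3), "accepted client ids", r["accepted"])
    print("guarded accuracy", round(r["guarded_acc"], 3), "plain FedAvg accuracy", round(r["fedavg_acc"], 3))
```

The point to observe is that the filter never inspects gradient similarity or counts votes, so a 90 % Byzantine majority does not help the attackers: every poisoned model is judged individually against its own behaviour on data the server knows. The free-rider case shows the limit of a one-round demo: it is rejected here only because the initial global model is untrained, so a deployed check should compare against the current reference each round rather than a fixed constant.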