In Federated Learning (FL), a set of clients collaboratively train a machine learning model (called the global model) without sharing their local training data. The local training data of clients is typically non-i.i.d. and heterogeneous, resulting in varying contributions from individual clients to the final performance of the global model. In response, many contribution evaluation methods have been proposed, where the server evaluates the contribution made by each client and incentivizes the high-contributing clients to sustain their long-term participation in FL. Existing studies mainly focus on developing new metrics or algorithms to better measure the contribution of each client. However, the security of contribution evaluation methods in FL operating in adversarial environments is largely unexplored. In this paper, we propose the first model poisoning attack on contribution evaluation methods in FL, termed ACE. Specifically, we show that any malicious client utilizing ACE could manipulate the parameters of its local model such that the server evaluates it as having a high contribution, even when its local training data is in fact of low quality. We perform both theoretical analysis and empirical evaluations of ACE. Theoretically, we show that our design of ACE can effectively boost the malicious client's perceived contribution when the server employs the widely used cosine distance metric to measure contribution. Empirically, our results show that ACE effectively and efficiently deceives five state-of-the-art contribution evaluation methods. In addition, ACE preserves the accuracy of the final global models on testing inputs. We also explore six countermeasures to defend against ACE. Our results show they are inadequate to thwart ACE, highlighting the urgent need for new defenses to safeguard the contribution evaluation methods in FL.