In Federated Learning (FL), a set of clients collaboratively train a machine learning model (called the global model) without sharing their local training data. The local training data of clients is typically non-i.i.d. and heterogeneous, so individual clients contribute unequally to the final performance of the global model. In response, many contribution evaluation methods have been proposed, where the server evaluates the contribution made by each client and incentivizes high-contributing clients to sustain their long-term participation in FL. Existing studies mainly focus on developing new metrics or algorithms to better measure the contribution of each client. However, the security of contribution evaluation methods in FL operating in adversarial environments is largely unexplored. In this paper, we propose the first model poisoning attack on contribution evaluation methods in FL, termed ACE. Specifically, we show that any malicious client utilizing ACE can manipulate the parameters of its local model such that the server evaluates it as having a high contribution, even when its local training data is in fact of low quality. We perform both theoretical analysis and empirical evaluations of ACE. Theoretically, we show that our design of ACE can effectively boost the malicious client's perceived contribution when the server employs the widely used cosine distance metric to measure contribution. Empirically, our results show that ACE effectively and efficiently deceives five state-of-the-art contribution evaluation methods. In addition, ACE preserves the accuracy of the final global models on testing inputs. We also explore six countermeasures to defend against ACE. Our results show they are inadequate to thwart ACE, highlighting the urgent need for new defenses to safeguard contribution evaluation methods in FL.