Model poisoning attacks seriously threaten the practical deployment of federated learning (FL). Existing defenses are brittle against the latest model poisoning attacks, which degrade prediction accuracy, and they struggle to distinguish benign outlier gradients from malicious ones, which further hurts model generalization. In this work, we propose RECESS, a proactive defense against model poisoning attacks. Rather than passively analyzing the updates that clients submit, as previous defenses do, RECESS proactively queries each participating client with a carefully constructed aggregation gradient and detects malicious clients from their responses with higher accuracy. RECESS further uses a new trust-scoring mechanism for robust gradient aggregation: instead of scoring each iteration independently, it estimates a client's trust score from the correlation of that client's behaviour across multiple iterations, which substantially increases fault tolerance. Finally, we evaluate RECESS extensively on typical model architectures and four datasets under various settings, and we also assess its effectiveness against other types of poisoning attacks, its sensitivity to hyperparameters, and its robustness to adaptive adversarial attacks. Experimental results show that RECESS reduces the accuracy loss caused by the latest model poisoning attacks more than five classic and two state-of-the-art defenses do.
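To make the multi-round trust-scoring idea concrete, the following toy simulation is an added illustration, not code from the RECESS paper and not its algorithm: it does not model the proactive querying step at all, and the scoring rule it uses (cosine similarity of each client's update to a coordinate-wise median, carried across rounds as an exponential moving average with assumed threshold 0.5 and decay 0.7) is a stand-in chosen for the example. The client updates, the malicious client D that always sends a scaled sign-flipped gradient, and the benign client E that is an outlier in one round only are all constructed inline. The point it shows is the one the abstract makes: scoring each round in isolation expels the benign outlier along with the attacker, while a trust score accumulated over rounds keeps the benign outlier and still excludes the consistently malicious client.

```python
"""Toy comparison of per-round versus multi-round trust scoring in FL
aggregation. Added illustration only: NOT the RECESS algorithm, and the
proactive client query is not modelled. All gradients are constructed
inline; the scoring rule (cosine similarity to a coordinate-wise median,
carried across rounds as an exponential moving average) is an assumed stand-in."""

from math import sqrt

THRESHOLD = 0.5   # assumed: clients scoring below this are excluded from aggregation
DECAY = 0.7       # assumed: weight given to prior trust in the moving average


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def coordinate_median(grads):
    """Coordinate-wise median of a list of equal-length gradient vectors."""
    med = []
    for j in range(len(grads[0])):
        col = sorted(g[j] for g in grads)
        n = len(col)
        med.append(col[n // 2] if n % 2 else 0.5 * (col[n // 2 - 1] + col[n // 2]))
    return med


def round_scores(grads):
    """Per-round score: cosine similarity of each update to the median reference.
    Negative similarity (a sign-flipped update) is clamped to 0."""
    ref = coordinate_median(list(grads.values()))
    return {name: max(0.0, cosine(g, ref)) for name, g in grads.items()}


def update_trust(trust, scores):
    """Carry trust across rounds; the first round initialises it from the scores."""
    if trust is None:
        return dict(scores)
    return {n: DECAY * trust[n] + (1 - DECAY) * scores[n] for n in scores}


def aggregate(grads, weights):
    """Weighted mean of the updates; zero-weighted clients contribute nothing."""
    total = sum(weights.values())
    dim = len(next(iter(grads.values())))
    if total == 0:
        return [0.0] * dim
    return [sum(weights[n] * grads[n][j] for n in grads) / total for j in range(dim)]


# Constructed data: three stable benign clients (A, B, C), one benign client
# that is an outlier only in round 2 (E), and one malicious client (D) that
# always sends a scaled, sign-flipped update.
BENIGN = [1.0, 0.5, -0.2]
STABLE = {"A": BENIGN, "B": [1.1, 0.4, -0.2], "C": [0.9, 0.6, -0.2], "D": [-3.0, -1.5, 0.6]}
ROUNDS = [
    {**STABLE, "E": BENIGN},
    {**STABLE, "E": [0.2, 2.0, 1.5]},   # E's one-off benign outlier
    {**STABLE, "E": BENIGN},
]


def simulate(rounds=ROUNDS):
    """Return which clients each scheme excludes per round, plus the final
    aggregated update computed with the multi-round trust weights."""
    trust = None
    per_round_excluded, trust_excluded = [], []
    agg = None
    for grads in rounds:
        scores = round_scores(grads)
        trust = update_trust(trust, scores)
        per_round_excluded.append({n for n, s in scores.items() if s < THRESHOLD})
        trust_excluded.append({n for n, t in trust.items() if t < THRESHOLD})
        weights = {n: (t if t >= THRESHOLD else 0.0) for n, t in trust.items()}
        agg = aggregate(grads, weights)
    return {"per_round": per_round_excluded, "trust": trust_excluded, "aggregate": agg}


if __name__ == "__main__":
    out = simulate()
    for r, (p, t) in enumerate(zip(out["per_round"], out["trust"]), 1):
        print(f"round {r}: per-round excludes {sorted(p)}, trust-based excludes {sorted(t)}")
    print("final aggregate:", [round(x, 3) for x in out["aggregate"]])
```

Running it shows per-round scoring excluding D in every round and also E in round 2, whereas the accumulated trust score excludes only D throughout, and the final aggregate keeps the benign direction (its first coordinate stays close to 1). The trade-off the example makes visible is that accumulated trust also reacts more slowly to a client that turns malicious late, which is why the decay constant matters.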