Adversarial attacks such as poisoning attacks have attracted the attention of many machine learning researchers. Traditionally, poisoning attacks attempt to inject adversarial training data in order to manipulate the trained model. In federated learning (FL), data poisoning attacks generalize to model poisoning attacks, which simpler methods cannot detect because the detector has no access to the clients' local training data. State-of-the-art poisoning attack detection methods for FL have various weaknesses: the number of attackers has to be known in advance or must not be too high, they work only with i.i.d. data, and they have high computational complexity. To overcome the above weaknesses, we propose a novel framework for detecting poisoning attacks in FL, which employs a reference model based on a public dataset and an auditor model to detect malicious updates. We implemented a detector based on the proposed framework using a one-class support vector machine (OC-SVM), which reaches the lowest possible computational complexity O(K), where K is the number of clients. We evaluated our detector's performance against state-of-the-art (SOTA) poisoning attacks for two typical applications of FL: electrocardiograph (ECG) classification and human activity recognition (HAR). Our experimental results validated the performance of our detector over other SOTA detection methods.
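The detection pipeline the abstract sketches, as an added illustration that is not the paper's code: a reference update derived from a public dataset, an auditor that reduces each client update to a small feature vector, and a one-class boundary fitted on benign reference updates only, so no attacker count is needed and scoring is one pass over the K clients. The two features (direction agreement and magnitude ratio) and the per-feature envelope used in place of the OC-SVM are assumptions; all weight vectors are constructed toy data.

```python
import math

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def cosine(a, b):
    return sum(x * y for x, y in zip(a, b)) / (norm(a) * norm(b))

def audit_features(update, ref_update):
    # Auditor features for one client update, measured against the reference
    # model's update on the public dataset (assumed choice): direction agreement
    # with the reference and magnitude relative to it.
    return (cosine(update, ref_update), norm(update) / norm(ref_update))

def fit_envelope(benign_feats, slack=0.5):
    # Simplified one-class boundary (a per-feature interval plus slack) standing in
    # for the paper's OC-SVM. It is fitted on benign reference updates only, so the
    # number of attackers never has to be known or bounded.
    bounds = []
    for i in range(len(benign_feats[0])):
        col = [f[i] for f in benign_feats]
        lo, hi = min(col), max(col)
        margin = max(slack * (hi - lo), 1e-9)
        bounds.append((lo - margin, hi + margin))
    return bounds

def detect(client_updates, ref_update, benign_updates):
    bounds = fit_envelope([audit_features(u, ref_update) for u in benign_updates])
    flagged = {}
    for cid, u in client_updates.items():  # one scoring pass over K clients: O(K)
        feats = audit_features(u, ref_update)
        flagged[cid] = any(not (lo <= x <= hi) for x, (lo, hi) in zip(feats, bounds))
    return flagged

def run_demo():
    # Constructed toy round: 5-dimensional weight deltas instead of real model weights.
    ref = [0.5, -0.3, 0.2, 0.1, -0.4]
    noise = [[0.02, 0.0, -0.01, 0.01, 0.0], [-0.01, 0.02, 0.0, 0.0, 0.01],
             [0.0, -0.02, 0.02, -0.01, 0.0], [0.01, 0.01, 0.0, 0.02, -0.02],
             [-0.02, 0.0, 0.01, 0.0, 0.02]]
    add = lambda a, b: [x + y for x, y in zip(a, b)]
    benign = [add(ref, n) for n in noise]                            # auditor's benign references
    clients = {f"client{i}": add(ref, noise[i]) for i in range(4)}   # honest clients
    clients["client4"] = [10 * x for x in add(ref, noise[4])]        # scaled-up (boosted) update
    clients["client5"] = [-x for x in add(ref, noise[2])]            # sign-flipped update
    return detect(clients, ref, benign)

if __name__ == "__main__":
    print(run_demo())
```

The boosted update is caught by the magnitude feature and the flipped one by the direction feature; the honest clients stay inside the envelope learned from the reference updates.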