Federated learning (FL) is a collaborative learning paradigm allowing multiple clients to jointly train a model without sharing their training data. However, FL is susceptible to poisoning attacks, in which the adversary injects manipulated model updates into the federated model aggregation process to corrupt or destroy predictions (untargeted poisoning) or implant hidden functionalities (targeted poisoning or backdoors). Existing defenses against poisoning attacks in FL have several limitations, such as relying on specific assumptions about attack types and strategies or data distributions, or not being sufficiently robust against advanced injection techniques and strategies while simultaneously maintaining the utility of the aggregated model. To address the deficiencies of existing defenses, we take a generic and completely different approach to detect poisoning (targeted and untargeted) attacks. We present FreqFed, a novel aggregation mechanism that transforms the model updates (i.e., weights) into the frequency domain, where we can identify the core frequency components that inherit sufficient information about weights. This allows us to effectively filter out malicious updates during local training on the clients, regardless of attack types, strategies, and clients' data distributions. We extensively evaluate the efficiency and effectiveness of FreqFed in different application domains, including image classification, word prediction, IoT intrusion detection, and speech recognition. We demonstrate that FreqFed can mitigate poisoning attacks effectively with a negligible impact on the utility of the aggregated model.
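The following is an added illustration of the idea the abstract describes (mapping each client's update into the frequency domain, keeping its core low-frequency components and rejecting updates whose components stand apart), not the FreqFed authors' code. The concrete choices are assumptions made for this example: a type-II DCT as the transform, the four lowest coefficients as the fingerprint, a coordinate-wise median as the robust centre, and rejection of any update farther than three times the median distance from that centre. The client updates are constructed: nine benign updates are small perturbations of one direction, one update is that direction scaled up tenfold, and one is its sign flip.

```python
"""Frequency-domain filtering of federated model updates (added example).

Not the FreqFed implementation: the DCT-II, the number of retained
coefficients and the median-distance rejection rule are assumptions
chosen to illustrate the approach on constructed data.
"""
import math
import random
from statistics import median


def dct2(x):
    """Type-II discrete cosine transform of a real sequence (pure Python, O(N^2))."""
    n = len(x)
    return [sum(x[i] * math.cos(math.pi / n * (i + 0.5) * k) for i in range(n))
            for k in range(n)]


def low_freq_features(update, keep):
    """Fingerprint of a flattened update: its `keep` lowest DCT coefficients (assumed choice)."""
    return dct2(update)[:keep]


def filter_updates(updates, keep=4, factor=3.0):
    """Return (accepted_indices, distances).

    Each update is mapped to its low-frequency fingerprint.  The coordinate-wise
    median of all fingerprints is a robust centre; an update is rejected when its
    fingerprint lies more than `factor` times the median distance from that centre
    (rejection rule assumed for this example).
    """
    feats = [low_freq_features(u, keep) for u in updates]
    centre = [median(col) for col in zip(*feats)]
    dists = [math.dist(f, centre) for f in feats]
    cutoff = factor * median(dists)
    accepted = [i for i, d in enumerate(dists) if d <= cutoff]
    return accepted, dists


def aggregate(updates, accepted):
    """Plain average of the accepted updates (FedAvg-style aggregation)."""
    dim = len(updates[0])
    return [sum(updates[i][j] for i in accepted) / len(accepted) for j in range(dim)]


# --- constructed sample round: 9 benign clients plus 2 manipulated updates ---
BASE = [0.5, -0.3, 0.2, 0.1, -0.4, 0.3, -0.1, 0.05]   # benign update direction (constructed)
random.seed(7)                                        # deterministic perturbations
BENIGN = [[w + random.gauss(0, 0.01) for w in BASE] for _ in range(9)]
SCALED = [10 * w for w in BASE]   # scaled-up update, stand-in for a targeted (backdoor) injection
FLIPPED = [-w for w in BASE]      # sign-flipped update, stand-in for untargeted poisoning
UPDATES = BENIGN + [SCALED, FLIPPED]
BENIGN_IDX = list(range(len(BENIGN)))


def run_round():
    """Filter the constructed round and aggregate what survives."""
    accepted, _ = filter_updates(UPDATES)
    return accepted, aggregate(UPDATES, accepted)


if __name__ == "__main__":
    acc, agg = run_round()
    print("accepted clients:", acc)
    print("aggregated update:", [round(v, 3) for v in agg])
```

Both manipulated updates are rejected because their low-frequency coefficients are far from the benign cluster, while the benign updates, whose coefficients differ only by noise, are all kept and averaged. The rule does not inspect any client's data or assume a particular attack strategy, which is the property the abstract emphasises; a real deployment would replace the fixed factor with a clustering step and choose the number of retained coefficients per model architecture.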