Gradient-based training in federated learning is known to be vulnerable to faulty or malicious clients, which are often modeled as Byzantine clients. To this end, previous work either makes use of auxiliary data at the parameter server to verify the received gradients (e.g., by computing a validation error rate) or leverages statistic-based methods (e.g., median and Krum) to identify and remove malicious gradients from Byzantine clients. In this paper, we remark that auxiliary data may not always be available in practice and focus on the statistic-based approach. However, recent work on model poisoning attacks has shown that well-crafted attacks can circumvent most median- and distance-based statistical defense methods, making malicious gradients indistinguishable from honest ones. To tackle this challenge, we show that the element-wise sign of the gradient vector can provide valuable insight for detecting model poisoning attacks. Based on our theoretical analysis of the \textit{Little is Enough} attack, we propose a novel approach called \textit{SignGuard} to enable Byzantine-robust federated learning through collaborative malicious gradient filtering. More precisely, the received gradients are first processed to generate magnitude, sign, and similarity statistics, which are then collaboratively utilized by multiple filters to eliminate malicious gradients before final aggregation. Finally, extensive experiments on image and text classification tasks are conducted under recently proposed attacks and defense strategies. The numerical results demonstrate the effectiveness and superiority of our proposed approach. The code is available at \textit{\url{https://github.com/JianXu95/SignGuard}}.
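The filtering pipeline the abstract sketches (magnitude statistics, then sign statistics, then aggregation of the survivors), as an added illustration that is not the authors' code: the thresholds, the median-distance rule that stands in for the paper's clustering of sign statistics, and the three constructed Byzantine gradients are all assumptions, and the similarity statistic is omitted.

```python
import random
import statistics

def grad_stats(g):
    """Magnitude and sign statistics of one gradient vector:
    (L2 norm, fraction positive, fraction negative, fraction zero)."""
    n = len(g)
    norm = sum(x * x for x in g) ** 0.5
    pos = sum(1 for x in g if x > 0) / n
    neg = sum(1 for x in g if x < 0) / n
    return norm, pos, neg, 1.0 - pos - neg

def sign_guard(grads, lower=0.1, upper=3.0, sign_tol=0.25):
    """Collaboratively filter gradients, then aggregate the survivors.
    Filter 1 (magnitude): keep norms within [lower, upper] x median norm.
    Filter 2 (sign): keep gradients whose sign-fraction vector lies within
    L1 distance sign_tol of the median sign-fraction vector (the paper
    clusters these statistics; this median rule is an assumed simplification).
    Survivors are clipped to the median norm and averaged.
    Returns (kept_indices, aggregated_gradient)."""
    stats = [grad_stats(g) for g in grads]
    med_norm = statistics.median(s[0] for s in stats)
    keep = [i for i, s in enumerate(stats)
            if lower * med_norm <= s[0] <= upper * med_norm]
    med_sign = [statistics.median(stats[i][k] for i in keep) for k in (1, 2, 3)]
    keep = [i for i in keep
            if sum(abs(stats[i][k] - med_sign[k - 1]) for k in (1, 2, 3)) <= sign_tol]
    if not keep:
        raise ValueError("all gradients filtered; refuse to update the model")
    agg = [0.0] * len(grads[0])
    for i in keep:
        scale = min(1.0, med_norm / stats[i][0]) if stats[i][0] else 1.0  # norm clipping
        for j, x in enumerate(grads[i]):
            agg[j] += scale * x
    return keep, [a / len(keep) for a in agg]

def demo_round(n_honest=8, dim=40, seed=0):
    """Constructed round (not real training data): honest clients send noisy
    copies of a true gradient with 75% positive coordinates; three Byzantine
    clients send a 20x-scaled, a sign-flipped and an all-zero gradient."""
    rng = random.Random(seed)
    true_g = [1.0 if j < 3 * dim // 4 else -1.0 for j in range(dim)]
    honest = [[t + rng.uniform(-0.3, 0.3) for t in true_g] for _ in range(n_honest)]
    byzantine = [[20.0 * x for x in honest[0]],   # caught by the magnitude filter
                 [-x for x in honest[1]],         # caught by the sign filter
                 [0.0] * dim]                     # caught by the magnitude filter
    return sign_guard(honest + byzantine)
```

Only the eight honest clients survive both filters, and the aggregated gradient keeps the sign pattern of the true gradient.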