Delving into the Adversarial Robustness of Federated Learning

Authors: Jie Zhang, Bo Li, Chen Chen, Lingjuan Lyu, Shuang Wu, Shouhong Ding, Chao Wu

Venue: AAAI 2023

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | To facilitate a better understanding of the adversarial vulnerability of the existing FL methods, we conduct comprehensive robustness evaluations on various attacks and adversarial training methods. Moreover, we reveal the negative impacts induced by directly adopting adversarial training in FL, which seriously hurts the test accuracy, especially in non-IID settings. In this work, we propose a novel algorithm called Decision Boundary based Federated Adversarial Training (DBFAT), which consists of two components (local re-weighting and global regularization) to improve both accuracy and robustness of FL systems. Extensive experiments on multiple datasets demonstrate that DBFAT consistently outperforms other baselines under both IID and non-IID settings. |
| Researcher Affiliation | Collaboration | Jie Zhang1, Bo Li2, Chen Chen3, Lingjuan Lyu3, Shuang Wu2, Shouhong Ding2, Chao Wu1. 1Zhejiang University, 2Youtu Lab, Tencent, 3Sony AI. {zj zhangjie, chao.wu}@zju.edu.cn, {libraboli, calvinwu, ericshding}@tencent.com, {chen.chen, Lingjuan.Lv}@sony.com |
| Pseudocode | No | The paper provides mathematical formulations (Equations 1, 3, 4, 5, 6) but no explicitly labeled 'Pseudocode' or 'Algorithm' block in the main text. It mentions 'We show the training process of DBFAT in the supplementary' but does not confirm that this is pseudocode. |
| Open Source Code | No | No explicit statement about releasing open-source code for the described methodology, and no link to a code repository, was found in the paper. |
| Open Datasets | Yes | MNIST (Lecun et al. 1998), Fashion MNIST (Xiao, Rasul, and Vollgraf 2017) (FMNIST), CIFAR10 (Krizhevsky and Hinton 2009), CIFAR100 (Krizhevsky and Hinton 2009), Tiny-ImageNet (Le and Yang 2015), and ImageNet-12 (Deng et al. 2009). |
| Dataset Splits | No | The paper describes how training data is distributed among clients ('distribute training data among 100 clients in both IID and non-IID fashion'), how clients are selected for communication rounds ('randomly select 10 clients to average the model parameters'), and various data partitioning methods (Dirichlet, Sharding). However, it does not explicitly provide distinct validation dataset splits with specific percentages or counts separate from the training or test data, as needed to reproduce a traditional validation set. |
| Hardware Specification | Yes | All experiments are conducted with 8 Tesla V100 GPUs. |
| Software Dependencies | No | The paper mentions various algorithms and methods (e.g., FedAvg, PGD AT, FGSM) and their corresponding research papers, but it does not specify any software dependencies with version numbers (e.g., Python, PyTorch, TensorFlow versions, or specific library versions). |
| Experiment Setup | Yes | The paper provides specific experimental setup details, including network architectures ('a simple CNN with two convolutional layers, followed by two fully connected layers', 'a larger CNN architecture'), perturbation bounds (e.g., 'ϵ = 0.3', 'ϵ = 32/255', 'ϵ = 0.031'), step sizes (e.g., 'α = 0.01', 'α = 0.031', 'α = 0.007'), the number of iterations for attacks ('20 iterations', '10 steps'), and a discussion of local epochs ('E = 5'). It also discusses the hyperparameter β (Table 6). |