FedGame: A Game-Theoretic Defense against Backdoor Attacks in Federated Learning
Authors: Jinyuan Jia, Zhuowen Yuan, Dinuka Sahabandu, Luyao Niu, Arezoo Rajabi, Bhaskar Ramasubramanian, Bo Li, Radha Poovendran
NeurIPS 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Empirically, we compare FedGame with multiple state-of-the-art baselines on several benchmark datasets under various attacks. We show that FedGame can effectively defend against strategic attackers and achieves significantly higher robustness than baselines. |
| Researcher Affiliation | Academia | Jinyuan Jia The Pennsylvania State University jinyuan@psu.edu; Zhuowen Yuan UIUC zhuowen3@illinois.edu; Dinuka Sahabandu University of Washington sdinuka@uw.edu; Luyao Niu University of Washington luyaoniu@uw.edu; Arezoo Rajabi University of Washington rajabia@uw.edu; Bhaskar Ramasubramanian Western Washington University ramasub@wwu.edu; Bo Li UIUC lbo@illinois.edu; Radha Poovendran University of Washington rp3@uw.edu |
| Pseudocode | Yes | The complete algorithm of our FedGame is shown in Algorithm 1 of Appendix. Algorithm 2 shows the complete algorithm for a compromised client. |
| Open Source Code | Yes | Our code is available at: https://github.com/AI-secure/FedGame. |
| Open Datasets | Yes | We use two benchmark datasets: MNIST [23] and CIFAR10 [22] for FL tasks. For each dataset, we randomly sample 90% of training data for clients, and the remaining 10% of training data is reserved to evaluate our defense when the clean training dataset of the server is from the same domain as those of clients. We randomly sample 6,000 images from Fashion MNIST [52] for MNIST and sample 5,000 images from GTSRB [20] for CIFAR10 as the clean training dataset of the server. |
| Dataset Splits | Yes | We randomly sample 10% of the local data of each compromised client as validation data (denoted as $D_i^{\text{rev}}$) to search for an optimal $r_i^t$. |
| Hardware Specification | Yes | On average, it takes 0.148s to compute a genuine score for each client in each communication round on a single NVIDIA 2080 Ti GPU. |
| Software Dependencies | No | The paper mentions software like 'SGD' (Stochastic Gradient Descent), 'PyTorch' (implicitly, as a deep learning framework for CNNs), and refers to using a specific GPU, but it does not specify version numbers for any software libraries, frameworks, or programming languages. |
| Experiment Setup | Yes | We set q = 0.5 by following [17]. Moreover, we train a global model based on 10 clients for 200 iterations with a global learning rate η = 1.0. In each communication round, we use SGD to train the local model of each client for two epochs with a local learning rate of 0.01. By default, we assume 60% of clients are compromised by an attacker. When the attacker solves the minimax game in Equation 5, we set the default λ = 1. We randomly sample 10% of the local data of each compromised client as validation data to search for an optimal $r_i^t$. Moreover, we set the granularity of grid search to 0.1 when searching for $r_i^t$. For Norm-Clipping, we set TN = 0.01 for MNIST and TN = 0.1 for CIFAR10. For DP, we set TD = 0.05 for MNIST and TD = 0.5 for CIFAR10. We set the standard deviation of noise to be 0.01 for both datasets. |