flex-clash is a Python library dedicated to adversarial attacks and defences in Federated Learning. It offers the state-of-the methods and features to ease the implementation of custom methods. It is intended to extend the FLEXible framework.
This repository includes both:
- Features to implement poisoning attacks in Federated Learning.
- Features to implement defences in the aggregator in Federated Learning.
- State-of-the-art defences implementedin FLEXible.
- flexclash/data: which contains the features to poison the clients' data.
- flexclash/model: which contains the features to poison the clients' model updates.
- flexclash/pool: which contains the features to implement any defence in the aggregation operator as well as the state-of-the-art implemented defences.
- notebooks: which contains explanatory notebooks showing how to implement poisoning attacks and use the implemented defences.
- test: which contains the test for the implemented features.
- Poisoning_data_FLEX.ipynb: A notebook showing how to implement data-poisoning attacks using
flexclashincluding both byzantine and backdoor attacks. - Poisoning_model_FLEX.ipynb: A notebook showing how to implement model-poisoning attacks using
flexclash. - Defences_FLEX.ipynb: A notebook showing how to employ defences against adversarial attacks using
flexclash.
In the following we detail the poisoning attacks implemented:
| Attack | Description | Citation |
|---|---|---|
| Data poisoning | It consists of poisoning a certain amount of data of certain clients randomly or according to certain criteria. Several examples are shown in the notebooks. | Data Poisoning Attacks Against Federated Learning Systems |
| Model poisoning | It consists of directly poisoning the weights of the model update that the client shares with the server. | Deep Model Poisoning Attack on Federated Learning |
In the following we detail the defences implemented:
| Defence | Description | Citation |
|---|---|---|
| Median | It is a robust-aggregation operator based on replacing the arithmetic mean by the median of the model updates, which choose the value that represents the centre of the distribution. | Byzantine-robust distributed learning: Towards optimal statistical rates. |
| Trimmed mean | It is a version of the arithmetic mean, consisting of filtering a fixed percentage of extreme values both below and above the data distribution. | Byzantine-robust distributed learning: Towards optimal statistical rates. |
| MultiKrum | It sorts the clients according to the geometric distances of their model updates. Hence, it employs an aggregation parameter, which specifies the number of clients to be aggregated (the first ones after being sorted) resulting in the aggregated model. | Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent |
| Bulyan | It is a federated aggregation operator to prevent poisoning attacks, combining the MultiKrum federated aggregation operator and the trimmed-mean. Hence, it sorts the clients according to their geometric distances, and according to a 𝑓 parameter filters out the 2𝑓 clients of the tails of the sorted distribution of clients and aggregates the rest of them. | The Hidden Vulnerability of Distributed Learning in Byzantium |
In order to install this repo locally:
pip install -e .
FLEX-Clash is available on the PyPi repository and can be easily installed using pip:
pip install flex-clash
If you use this repository in your research work, please cite Flexible paper: