Existing model poisoning attacks to federated learning assume that an attacker has access to a large fraction of compromised genuine clients. However, such assumption is not realistic in production federated learning systems that involve millions of clients. In this work, we propose the first Model Poisoning Attack based on Fake clients called MPAF. Specifically, we assume the attacker injects fake clients to a federated learning system and sends carefully crafted fake local model updates to the cloud server during training, such that the learnt global model has low accuracy for many indiscriminate test inputs. Towards this goal, our attack drags the global model towards an attacker-chosen base model that has low accuracy. Specifically, in each round of federated learning, the fake clients craft fake local model updates that point to the base model and scale them up to amplify their impact before sending them to the cloud server. Our experiments show that MPAF can significantly decrease the test accuracy of the global model, even if classical defenses and norm clipping are adopted, highlighting the need for more advanced defenses.

本文提出了一种基于对抗造假客户端的模型毒化攻击（MPAF），在联邦学习系统中注入多个造假客户端向云服务器发送虚假的本地模型更新，将全局模型向具有低准确性的攻击者选定的基础模型方向倾斜，即使采用经典的防御和范数截断，MPAF也可以显著降低全局模型的测试精度。

基于虚假客户端的联邦学习模型投毒攻击