Moat: Model Agnostic Defense against Targeted Poisoning Attacks in Federated Learning.

2021 
Federated learning has migrated data-driven learning to a model-centric approach. Because the server never sees the data, the health of that data becomes a concern. Malicious participants inject malevolent gradient updates to make the model behave maliciously. Rather than degrading the model as a whole, they target a few classes or patterns to misbehave. Label Flipping and Backdoor attacks belong to this family of targeted poisoning attacks, which perform adversarial manipulation to cause targeted misclassification. State-of-the-art defenses based on statistical similarity or autoencoder credit scores break down as the number of attackers grows or when backdoor noise is injected ingeniously. This paper proposes a universal model-agnostic defense technique (Moat) to mitigate different poisoning attacks in Federated Learning. It uses interpretation techniques to measure the marginal contribution of individual features. Aggregating the interpreted values of important features against a baseline input detects the presence of an adversary. The proposed solution scales with the number of attackers and is also robust against adversarial noise in either homogeneous or heterogeneous distributions. The most appealing property of Moat is that it achieves model convergence even in the presence of 90% attackers. We ran experiments for different combinations of settings, models, and datasets to verify this claim. The proposed technique is compared with existing state-of-the-art algorithms, and the comparison shows that Moat outperforms them.
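The following is an added illustration of the idea sketched in the abstract and is not the paper's own code or algorithm: the server attributes each client's proposed update to individual input features (gradient × input relative to a baseline, which is exact for a linear model), restricts attention to the features that matter most for a small server-held clean probe batch, and rejects updates whose attribution on those features opposes the probe's own direction. The probe batch, the zero-vector baseline, the synthetic data, the top-k feature selection and the cosine threshold are all assumptions introduced here for the example; it simulates a label-flipping round with 9 of 10 clients malicious to show that a screen anchored to a baseline rather than to the client majority does not depend on honest clients being in the majority.

```python
import numpy as np

N_FEATURES = 6
INFORMATIVE = (0, 1)   # constructed: only these two features carry class signal
TOP_K = 2              # number of "important" features the screen inspects
LR = 0.5               # local learning rate (assumption)


def make_data(n, rng):
    """Constructed synthetic binary data: class shifts features 0 and 1 by +/-1.5."""
    y = rng.integers(0, 2, size=n)
    x = rng.normal(size=(n, N_FEATURES))
    x[:, list(INFORMATIVE)] += (2 * y[:, None] - 1) * 1.5
    return x, y


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def grad_step(w, b, x, y, lr=LR):
    """One local step of logistic regression; returns the proposed update (dw, db)."""
    err = sigmoid(x @ w + b) - y
    return -lr * (x.T @ err) / len(y), -lr * err.mean()


def attribute(delta_w, probe_x, probe_y, baseline):
    """Per-feature contribution of an update to the logit of each probe sample's
    TRUE class, relative to a baseline input (gradient x input). A positive value
    means the update pushes that feature toward the correct class."""
    sign = 2 * probe_y[:, None] - 1
    return (sign * (probe_x - baseline) * delta_w).mean(axis=0)


def screen(updates, ref_dw, probe_x, probe_y, baseline, k=TOP_K):
    """Score every client update by cosine similarity of its attribution on the
    k most important features against the attribution of a reference update
    computed from the server's clean probe; non-positive scores are flagged."""
    ref_attr = attribute(ref_dw, probe_x, probe_y, baseline)
    feats = np.argsort(np.abs(ref_attr))[-k:]   # important features for the probe
    r = ref_attr[feats]
    scores = []
    for dw, _ in updates:
        a = attribute(dw, probe_x, probe_y, baseline)[feats]
        scores.append(float(a @ r / (np.linalg.norm(a) * np.linalg.norm(r) + 1e-12)))
    flagged = {i for i, s in enumerate(scores) if s <= 0.0}
    return scores, flagged


def accuracy(w, b, x, y):
    return float(((x @ w + b > 0).astype(int) == y).mean())


def run_round(n_clients=10, attackers=frozenset(range(1, 10)), seed=0):
    """Simulate one federated round with label-flipping attackers (default: 9 of 10)
    and compare naive averaging with screened averaging on held-out test data."""
    rng = np.random.default_rng(seed)
    w, b = np.zeros(N_FEATURES), 0.0
    probe_x, probe_y = make_data(200, rng)    # server-held clean probe (assumption)
    test_x, test_y = make_data(1000, rng)
    baseline = np.zeros(N_FEATURES)           # baseline input (assumption)

    updates = []
    for i in range(n_clients):
        x, y = make_data(100, rng)
        if i in attackers:
            y = 1 - y                         # label flipping on the attacker's shard
        updates.append(grad_step(w, b, x, y))

    ref_dw, _ = grad_step(w, b, probe_x, probe_y)
    scores, flagged = screen(updates, ref_dw, probe_x, probe_y, baseline)

    naive_w = w + np.mean([dw for dw, _ in updates], axis=0)
    naive_b = b + np.mean([db for _, db in updates])
    kept = [u for i, u in enumerate(updates) if i not in flagged]
    if kept:
        scr_w = w + np.mean([dw for dw, _ in kept], axis=0)
        scr_b = b + np.mean([db for _, db in kept])
    else:
        scr_w, scr_b = w, b                   # nothing trustworthy: keep the global model
    return {
        "scores": scores,
        "flagged": flagged,
        "acc_naive": accuracy(naive_w, naive_b, test_x, test_y),
        "acc_screened": accuracy(scr_w, scr_b, test_x, test_y),
    }


if __name__ == "__main__":
    result = run_round()
    print("flagged clients:", sorted(result["flagged"]))
    print("naive accuracy: %.3f  screened accuracy: %.3f"
          % (result["acc_naive"], result["acc_screened"]))
```

Because every client is scored against the probe's attribution rather than against the other clients, the screen still isolates the single honest client when the other nine flip labels, whereas plain averaging drives the model in the attackers' direction. A real deployment would replace the linear gradient × input attribution with a model-agnostic interpreter and would have to tune the threshold for noisier, heterogeneous client data.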