COMBATING EXACERBATED HETEROGENEITY FOR ROBUST MODELS IN FEDERATED LEARNING

Abstract

Privacy and security concerns in real-world applications have motivated the development of adversarially robust federated models. However, the straightforward combination of adversarial training and federated learning in one framework can lead to undesired robustness deterioration. We discover that the reason behind this phenomenon is that the generated adversarial data can exacerbate the data heterogeneity among local clients, making the wrapped federated learning perform poorly. To deal with this problem, we propose a novel framework called Slack Federated Adversarial Training (SFAT), which assigns client-wise slack during aggregation to combat the intensified heterogeneity. Theoretically, we analyze the convergence of the proposed method and properly relax the objective when combining federated learning and adversarial training. Experimentally, we verify the rationality and effectiveness of SFAT on various benchmark and real-world datasets with different adversarial training and federated optimization methods.

1. INTRODUCTION

Federated learning (McMahan et al., 2017) has gained increasing attention due to concerns over data privacy and governance issues (Smith et al., 2017; Li et al., 2018; Kairouz et al., 2019; Li et al., 2020; Karimireddy et al., 2020; Khodak et al., 2021). However, training in local clients aggravates the vulnerability to adversarial attacks (Goodfellow et al., 2015; Kurakin et al., 2016; Li et al., 2021c; Sanyal et al., 2021), motivating the consideration of adversarial robustness for the federated system. For this purpose, some recent studies explore integrating adversarial training into federated learning (Kairouz et al., 2019; Zizzo et al., 2020; Shah et al., 2021). Federated adversarial training faces distinct challenges from the perspectives of distributed systems (Li et al., 2020) and the learning paradigm (Kairouz et al., 2019). Previous works mainly target overcoming the constraints in the communication budget (Shah et al., 2021) and the hardware capacity (Hong et al., 2021). However, one critical challenge on the algorithmic side is that the straightforward combination of the two paradigms suffers from unexpected robustness deterioration, impeding progress towards adversarially robust federated systems. As shown in Figure 1(a), when considering Federated Adversarial Training (FAT) (Zizzo et al., 2020), which directly employs adversarial training (Madry et al., 2018) in federated learning based on FedAvg (McMahan et al., 2017), one typical phenomenon is that its robust accuracy dramatically decreases at the later stage of training compared with the centralized case (Madry et al., 2018). To the best of our knowledge, there is still a lack of in-depth understanding and algorithmic breakthroughs to overcome it, as almost all previous explorations (Shah et al., 2021; Hong et al., 2021) still consistently adopt the conventional framework (i.e., FAT).
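To make the combination concrete, the following is a minimal toy sketch (our own illustration, not the paper's implementation) of one FAT-style local update: an inner PGD maximization that crafts adversarial inputs within an ε-ball, followed by an outer gradient step on the local model. The scalar logistic model and all function names here are hypothetical simplifications.

```python
import math

def pgd_attack(w, b, x, y, eps, step, iters):
    """Toy one-dimensional PGD: perturb the scalar input x within an
    eps-ball to (approximately) maximize the logistic loss of the
    linear model p = sigmoid(w*x + b) against label y in {0, 1}."""
    x_adv = x
    for _ in range(iters):
        p = 1.0 / (1.0 + math.exp(-(w * x_adv + b)))
        grad_x = (p - y) * w                            # d(logistic loss)/dx
        if grad_x != 0.0:
            x_adv += step * math.copysign(1.0, grad_x)  # sign-gradient ascent
        x_adv = min(max(x_adv, x - eps), x + eps)       # project back to eps-ball
    return x_adv

def local_adversarial_step(w, b, data, eps=0.5, step=0.2, iters=5, lr=0.1):
    """One hypothetical local FAT-style update: inner maximization via PGD,
    then a single outer gradient-descent step on (w, b) over the batch."""
    gw = gb = 0.0
    for x, y in data:
        x_adv = pgd_attack(w, b, x, y, eps, step, iters)
        p = 1.0 / (1.0 + math.exp(-(w * x_adv + b)))
        gw += (p - y) * x_adv
        gb += (p - y)
    n = len(data)
    return w - lr * gw / n, b - lr * gb / n
```

Since each client runs this inner maximization only on its own local data, the crafted adversarial examples are biased towards the local distribution, which is the source of the exacerbated heterogeneity discussed next.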
We dive into the issue of robustness deterioration and discover that it may be attributed to the intensified heterogeneity induced by adversarial training in local clients (as Figure 2 in Section 4.1). Compared with centralized adversarial training (Madry et al., 2018), the training data of FAT is distributed across clients, which makes the adversarial training in each client independent of the data in the others. Therefore, the adversarial examples generated by the inner maximization of adversarial training tend to be highly biased towards each local distribution. Previous studies (Li et al., 2018; 2019) indicated that local training in federated learning exhibits an optimization bias under data heterogeneity among clients. The adversarial data generated by the biased local models further exacerbate the heterogeneity in federated optimization, making it more difficult to converge to a robust optimum. To deal with the above challenge in combining adversarial training and federated learning, we propose a novel learning framework based on an α-slack mechanism, namely, Slack Federated Adversarial Training (SFAT). At a high level, we relax the inner-maximization objective of adversarial training (Madry et al., 2018) into a lower bound via an α-slack mechanism (as Eq. (1) in Section 4.2). By doing so, we construct a mediating function that asymptotically approaches the original goal while alleviating the intensified heterogeneity induced by local adversarial generation.
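The paper's Eq. (1) appears later; as a generic illustration of why such a reweighting yields a lower bound (our own sketch, not the paper's exact formulation), note that placing more aggregation weight on smaller losses can only decrease the averaged objective, which follows from the Chebyshev sum inequality:

```latex
% Own illustration: ordered client losses with weights decreasing in loss.
% Upweighting small-loss clients lower-bounds the uniform average.
\[
  \ell_{(1)} \le \cdots \le \ell_{(K)}, \qquad
  w_{(1)} \ge \cdots \ge w_{(K)} \ge 0, \qquad
  \sum_{k=1}^{K} w_{(k)} = 1
  \;\Longrightarrow\;
  \sum_{k=1}^{K} w_{(k)}\,\ell_{(k)}
  \;\le\;
  \frac{1}{K}\sum_{k=1}^{K} \ell_{(k)}.
\]
```

The gap between the two sides shrinks as the weights approach uniform, which is consistent with a relaxation that can asymptotically approach the original objective.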
In detail, our SFAT assigns client-wise slack during aggregation to upweight the clients with small adversarial training losses (and simultaneously downweight the large-loss clients), which reduces the extra exacerbated heterogeneity and alleviates the robustness deterioration (as Figure 1(b)). Theoretically, we analyze the property of our α-slack mechanism and its benefit for achieving better convergence (as Theorem 4.2 in Section 4.3). Empirically, we conduct extensive experiments (as Section 5 and Appendix E) to provide a comprehensive understanding of the proposed SFAT, and the results of SFAT in the context of different adversarial training and federated optimization methods demonstrate its superiority in improving model performance. We summarize our main contributions as follows:

• We study the critical, yet thus far overlooked, robustness deterioration in FAT, and discover that the reason behind this phenomenon may be the intensified data heterogeneity induced by adversarial generation in local clients (Section 4.1).

• We derive an α-slack mechanism for adversarial training that relaxes the inner maximization to a lower bound, which can asymptotically approach the original goal of adversarial robustness while alleviating the intensified heterogeneity in federated learning (Section 4.2).

• We propose a novel framework, i.e., Slack Federated Adversarial Training (SFAT), to realize this mechanism in FAT by assigning client-wise slack during aggregation, which addresses the data heterogeneity and adversarial vulnerability in a proper manner (Section 4.3).

• We conduct extensive experiments to comprehensively understand the characteristics of the proposed SFAT (Section 5.1), as well as to verify its effectiveness in improving model performance with several representative federated optimization methods (Section 5.2).
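The client-wise slack can be pictured with a small sketch (a hypothetical simplification under our own assumptions; the paper's exact weighting rule is given in Section 4.3): given each client's parameters and adversarial training loss, the smaller-loss half of the clients receives extra aggregation weight scaled by α, the larger-loss half is downweighted, and the weights are renormalized before averaging.

```python
def slack_aggregate(client_params, client_losses, alpha=0.2):
    """Hypothetical sketch (not the paper's exact rule) of client-wise
    slack aggregation: clients with smaller adversarial training losses
    receive more aggregation weight; large-loss clients receive less."""
    k = len(client_params)
    order = sorted(range(k), key=lambda i: client_losses[i])  # ascending loss
    n_up = max(1, k // 2)                # upweight the smaller-loss half
    weights = [0.0] * k
    for rank, i in enumerate(order):
        base = 1.0 / k
        weights[i] = base * (1.0 + alpha) if rank < n_up else base * (1.0 - alpha)
    total = sum(weights)
    weights = [w / total for w in weights]        # renormalize to sum to 1
    dim = len(client_params[0])
    # weighted average of the clients' (flattened) parameter vectors
    return [sum(weights[i] * client_params[i][j] for i in range(k))
            for j in range(dim)]
```

With α = 0 this reduces to plain FedAvg-style uniform averaging, which matches the intuition that the slack interpolates between the relaxed and the original objective.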



Figure 1: (a) Comparison between centralized AT (Madry et al., 2018) and FAT (Zizzo et al., 2020) in terms of robust accuracy and natural accuracy. (b) Comparison between FAT and SFAT (our proposed method). All experiments of FAT and SFAT are conducted on the CIFAR-10 dataset (Non-IID) with 5 clients, and use natural test data and adversarial test data generated by PGD-20 (Madry et al., 2018) to evaluate the natural and robust accuracies. Compared with centralized AT, FAT shows decreasing performance (especially robust accuracy) along with the learning process. In comparison, our proposed SFAT achieves a higher robust accuracy than FAT (as indicated by the black dashed line) by alleviating the deterioration. The underlying reason is elaborated in Figure 2.

Availability

Our code is available at https://github.com/ZFancy/SFAT.

