Your search keyword '"Minghong Fang"' showing total 9 results

1. AFLGuard: Byzantine-robust Asynchronous Federated Learning

Author

Minghong Fang, Jia Liu, Neil Zhenqiang Gong, and Elizabeth S. Bentley

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Science - Distributed, Parallel, and Cluster Computing, Distributed, Parallel, and Cluster Computing (cs.DC), Cryptography and Security (cs.CR), Machine Learning (cs.LG)

Abstract

Federated learning (FL) is an emerging machine learning paradigm, in which clients jointly learn a model with the help of a cloud server. A fundamental challenge of FL is that the clients are often heterogeneous, e.g., they have different computing powers, and thus the clients may send model updates to the server with substantially different delays. Asynchronous FL aims to address this challenge by enabling the server to update the model once any client's model update reaches it without waiting for other clients' model updates. However, like synchronous FL, asynchronous FL is also vulnerable to poisoning attacks, in which malicious clients manipulate the model via poisoning their local data and/or model updates sent to the server. Byzantine-robust FL aims to defend against poisoning attacks. In particular, Byzantine-robust FL can learn an accurate model even if some clients are malicious and have Byzantine behaviors. However, most existing studies on Byzantine-robust FL focused on synchronous FL, leaving asynchronous FL largely unexplored. In this work, we bridge this gap by proposing AFLGuard, a Byzantine-robust asynchronous FL method. We show that, both theoretically and empirically, AFLGuard is robust against various existing and adaptive poisoning attacks (both untargeted and targeted). Moreover, AFLGuard outperforms existing Byzantine-robust asynchronous FL methods., Accepted by ACSAC 2022

Published

2022

2. NET-FLEET: Achieving Linear Convergence Speedup for Fully Decentralized Federated Learning with Heterogeneous Data

Author

Xin Zhang, Minghong Fang, Zhuqing Liu, Haibo Yang, Jia Liu, and Zhengyuan Zhu

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Machine Learning (cs.LG)

Abstract

Federated learning (FL) has received a surge of interest in recent years thanks to its benefits in data privacy protection, efficient communication, and parallel data processing. Also, with appropriate algorithmic designs, one could achieve the desirable linear speedup for convergence effect in FL. However, most existing works on FL are limited to systems with i.i.d. data and centralized parameter servers and results on decentralized FL with heterogeneous datasets remains limited. Moreover, whether or not the linear speedup for convergence is achievable under fully decentralized FL with data heterogeneity remains an open question. In this paper, we address these challenges by proposing a new algorithm, called NET-FLEET, for fully decentralized FL systems with data heterogeneity. The key idea of our algorithm is to enhance the local update scheme in FL (originally intended for communication efficiency) by incorporating a recursive gradient correction technique to handle heterogeneous datasets. We show that, under appropriate parameter settings, the proposed NET-FLEET algorithm achieves a linear speedup for convergence. We further conduct extensive numerical experiments to evaluate the performance of the proposed NET-FLEET algorithm and verify our theoretical findings.

Published

2022

3. Data Poisoning Attacks and Defenses to Crowdsourcing Systems

Author

Minghao Sun, Jin Tian, Neil Zhenqiang Gong, Minghong Fang, Qi Li, and Jia Liu

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Optimization problem, Computer Science - Cryptography and Security, Computer science, Big data, Computer Science - Human-Computer Interaction, 02 engineering and technology, Computer security, computer.software_genre, Crowdsourcing, Bridge (nautical), Human-Computer Interaction (cs.HC), Machine Learning (cs.LG), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, business.industry, Volume (computing), Computer Science - Distributed, Parallel, and Cluster Computing, Data quality, Key (cryptography), Benchmark (computing), 020201 artificial intelligence & image processing, Distributed, Parallel, and Cluster Computing (cs.DC), business, Cryptography and Security (cs.CR), computer

Abstract

A key challenge of big data analytics is how to collect a large volume of (labeled) data. Crowdsourcing aims to address this challenge via aggregating and estimating high-quality data (e.g., sentiment label for text) from pervasive clients/users. Existing studies on crowdsourcing focus on designing new methods to improve the aggregated data quality from unreliable/noisy clients. However, the security aspects of such crowdsourcing systems remain under-explored to date. We aim to bridge this gap in this work. Specifically, we show that crowdsourcing is vulnerable to data poisoning attacks, in which malicious clients provide carefully crafted data to corrupt the aggregated data. We formulate our proposed data poisoning attacks as an optimization problem that maximizes the error of the aggregated data. Our evaluation results on one synthetic and two real-world benchmark datasets demonstrate that the proposed attacks can substantially increase the estimation errors of the aggregated data. We also propose two defenses to reduce the impact of malicious clients. Our empirical results show that the proposed defenses can substantially reduce the estimation errors of the data poisoning attacks., To appear in the Web Conference 2021 (WWW '21)

Published

2021

4. FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping

Author

Xiaoyu Cao, Neil Zhenqiang Gong, Jia Liu, and Minghong Fang

Subjects

FOS: Computer and information sciences, Normalization (statistics), Root (linguistics), Computer Science - Cryptography and Security, Information retrieval, Computer Science - Artificial Intelligence, Computer science, Service provider, Bridge (nautical), Task (computing), Artificial Intelligence (cs.AI), Computer Science - Distributed, Parallel, and Cluster Computing, Bootstrapping (electronics), Bounded function, Key (cryptography), Distributed, Parallel, and Cluster Computing (cs.DC), Cryptography and Security (cs.CR)

Abstract

Byzantine-robust federated learning aims to enable a service provider to learn an accurate global model when a bounded number of clients are malicious. The key idea of existing Byzantine-robust federated learning methods is that the service provider performs statistical analysis among the clients' local model updates and removes suspicious ones, before aggregating them to update the global model. However, malicious clients can still corrupt the global models in these methods via sending carefully crafted local model updates to the service provider. The fundamental reason is that there is no root of trust in existing federated learning methods. In this work, we bridge the gap via proposing FLTrust, a new federated learning method in which the service provider itself bootstraps trust. In particular, the service provider itself collects a clean small training dataset (called root dataset) for the learning task and the service provider maintains a model (called server model) based on it to bootstrap trust. In each iteration, the service provider first assigns a trust score to each local model update from the clients, where a local model update has a lower trust score if its direction deviates more from the direction of the server model update. Then, the service provider normalizes the magnitudes of the local model updates such that they lie in the same hyper-sphere as the server model update in the vector space. Our normalization limits the impact of malicious local model updates with large magnitudes. Finally, the service provider computes the average of the normalized local model updates weighted by their trust scores as a global model update, which is used to update the global model. Our extensive evaluations on six datasets from different domains show that our FLTrust is secure against both existing attacks and strong adaptive attacks., Comment: Appeared in NDSS 2021. For demo code, see https://people.duke.edu/~zg70/code/fltrust.zip . For slides, see https://people.duke.edu/~zg70/code/Secure_Federated_Learning.pdf . For the talk, see https://www.youtube.com/watch?v=LP4uqW18yA0

Published

2021

5. Private and Communication-Efficient Edge Learning: A Sparse Differential Gaussian-Masking Distributed SGD Approach

Author

Jia Liu, Zhengyuan Zhu, Minghong Fang, and Xin Zhang

Subjects

FOS: Computer and information sciences, Information privacy, Computer Science - Machine Learning, Theoretical computer science, Computer Science - Cryptography and Security, Computer science, Gaussian, 02 engineering and technology, 010501 environmental sciences, 01 natural sciences, Machine Learning (cs.LG), Computer Science - Networking and Internet Architecture, symbols.namesake, 0202 electrical engineering, electronic engineering, information engineering, Differential privacy, Wireless, 0105 earth and related environmental sciences, Networking and Internet Architecture (cs.NI), business.industry, 020206 networking & telecommunications, Rate of convergence, Computer Science - Distributed, Parallel, and Cluster Computing, symbols, Enhanced Data Rates for GSM Evolution, Distributed, Parallel, and Cluster Computing (cs.DC), business, Mobile device, Cryptography and Security (cs.CR), MNIST database

Abstract

With rise of machine learning (ML) and the proliferation of smart mobile devices, recent years have witnessed a surge of interest in performing ML in wireless edge networks. In this paper, we consider the problem of jointly improving data privacy and communication efficiency of distributed edge learning, both of which are critical performance metrics in wireless edge network computing. Toward this end, we propose a new decentralized stochastic gradient method with sparse differential Gaussian-masked stochastic gradients (SDM-DSGD) for non-convex distributed edge learning. Our main contributions are three-fold: i) We theoretically establish the privacy and communication efficiency performance guarantee of our SDM-DSGD method, which outperforms all existing works; ii) We show that SDM-DSGD improves the fundamental training-privacy trade-off by {\em two orders of magnitude} compared with the state-of-the-art. iii) We reveal theoretical insights and offer practical design guidelines for the interactions between privacy preservation and communication efficiency, two conflicting performance goals. We conduct extensive experiments with a variety of learning models on MNIST and CIFAR-10 datasets to verify our theoretical findings. Collectively, our results contribute to the theory and algorithm design for distributed edge learning.

Published

2020

6. Influence Function based Data Poisoning Attacks to Top-N Recommender Systems

Author

Jia Liu, Neil Zhenqiang Gong, and Minghong Fang

Subjects

FOS: Computer and information sciences, 021110 strategic, defence & security studies, Focus (computing), Computer Science - Machine Learning, Information retrieval, Computer Science - Cryptography and Security, Computer science, 0211 other engineering and technologies, Machine Learning (stat.ML), 02 engineering and technology, 010501 environmental sciences, Adversarial machine learning, Recommender system, computer.software_genre, 01 natural sciences, Computer Science - Information Retrieval, Machine Learning (cs.LG), Statistics - Machine Learning, Component (UML), Leverage (statistics), Web service, computer, Cryptography and Security (cs.CR), Information Retrieval (cs.IR), 0105 earth and related environmental sciences

Abstract

Recommender system is an essential component of web services to engage users. Popular recommender systems model user preferences and item properties using a large amount of crowdsourced user-item interaction data, e.g., rating scores; then top-$N$ items that match the best with a user's preference are recommended to the user. In this work, we show that an attacker can launch a data poisoning attack to a recommender system to make recommendations as the attacker desires via injecting fake users with carefully crafted user-item interaction data. Specifically, an attacker can trick a recommender system to recommend a target item to as many normal users as possible. We focus on matrix factorization based recommender systems because they have been widely deployed in industry. Given the number of fake users the attacker can inject, we formulate the crafting of rating scores for the fake users as an optimization problem. However, this optimization problem is challenging to solve as it is a non-convex integer programming problem. To address the challenge, we develop several techniques to approximately solve the optimization problem. For instance, we leverage influence function to select a subset of normal users who are influential to the recommendations and solve our formulated optimization problem based on these influential users. Our results show that our attacks are effective and outperform existing methods., Comment: Accepted by WWW 2020; This is technical report version

Published

2020

7. Toward Low-Cost and Stable Blockchain Networks

Author

Minghong Fang and Jia Liu

Subjects

Networking and Internet Architecture (cs.NI), FOS: Computer and information sciences, Computer Science - Machine Learning, 020203 distributed computing, Queueing theory, Service (systems architecture), Computer Science - Cryptography and Security, Blockchain, Computer science, Distributed computing, Parameterized complexity, Lyapunov optimization, 02 engineering and technology, Machine Learning (cs.LG), Computer Science - Networking and Internet Architecture, Computer Science - Distributed, Parallel, and Cluster Computing, 0202 electrical engineering, electronic engineering, information engineering, Leverage (statistics), Probability distribution, 020201 artificial intelligence & image processing, Distributed, Parallel, and Cluster Computing (cs.DC), Queue, Cryptography and Security (cs.CR)

Abstract

Envisioned to be the future of secured distributed systems, blockchain networks have received increasing attention from both the industry and academia in recent years. However, blockchain mining processes demand high hardware costs and consume a vast amount of energy (studies have shown that the amount of energy consumed in Bitcoin mining is almost the same as the electricity used in Ireland). To address the high mining cost problem of blockchain networks, in this paper, we propose a blockchain mining resources allocation algorithm to reduce the mining cost in PoW-based (proof-of-work-based) blockchain networks. We first propose an analytical queueing model for general blockchain networks. In our queueing model, transactions arrive randomly to the queue and are served in a batch manner with unknown service rate probability distribution and agnostic to any priority mechanism. Then, we leverage the Lyapunov optimization techniques to propose a dynamic mining resources allocation algorithm (DMRA), which is parameterized by a tuning parameter $K>0$. We show that our algorithm achieves an $[O(1/K), O(K)]$ cost-optimality-gap-vs-delay tradeoff. Our simulation results also demonstrate the effectiveness of DMRA in reducing mining costs., Accepted by IEEE ICC 2020

Published

2020

8. Byzantine-Resilient Stochastic Gradient Descent for Distributed Learning: A Lipschitz-Inspired Coordinate-wise Median Approach

Author

Haibo Yang, Xin Zhang, Jia Liu, and Minghong Fang

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Theoretical computer science, Stochastic process, Computer science, Machine Learning (stat.ML), Lipschitz continuity, Convolutional neural network, Machine Learning (cs.LG), Stochastic gradient descent, Computer Science - Distributed, Parallel, and Cluster Computing, Statistics - Machine Learning, Distributed algorithm, Server, Almost surely, Distributed, Parallel, and Cluster Computing (cs.DC), MNIST database

Abstract

In this work, we consider the resilience of distributed algorithms based on stochastic gradient descent (SGD) in distributed learning with potentially Byzantine attackers, who could send arbitrary information to the parameter server to disrupt the training process. Toward this end, we propose a new Lipschitz-inspired coordinate-wise median approach (LICM-SGD) to mitigate Byzantine attacks. We show that our LICM-SGD algorithm can resist up to half of the workers being Byzantine attackers, while still converging almost surely to a stationary region in non-convex settings. Also, our LICM- SGD method does not require any information about the number of attackers and the Lipschitz constant, which makes it attractive for practical implementations. Moreover, our LICM- SGD method enjoys the optimal O(md) computational time- complexity in the sense that the time-complexity is the same as that of the standard SGD under no attacks. We conduct extensive experiments to show that our LICM-SGD algorithm consistently outperforms existing methods in training multiclass logistic regression and convolutional neural networks with MNIST and CIFAR-10 datasets. In our experiments, LICM- SGD also achieves a much faster running time thanks to its low computational time-complexity.

Published

2019

9. Poisoning Attacks to Graph-Based Recommender Systems

Author

Neil Zhenqiang Gong, Minghong Fang, Jia Liu, and Guolei Yang

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Optimization problem, Computer Science - Cryptography and Security, Computer science, E.3, 0211 other engineering and technologies, D.4.6, I.2.6, Machine Learning (stat.ML), 02 engineering and technology, Adversarial machine learning, Recommender system, Computer security, computer.software_genre, App store, Machine Learning (cs.LG), Computer Science - Information Retrieval, Statistics - Machine Learning, 0202 electrical engineering, electronic engineering, information engineering, 021110 strategic, defence & security studies, Graph based, Graph (abstract data type), 020201 artificial intelligence & image processing, Web service, Limited resources, computer, Cryptography and Security (cs.CR), Information Retrieval (cs.IR)

Abstract

Recommender system is an important component of many web services to help users locate items that match their interests. Several studies showed that recommender systems are vulnerable to poisoning attacks, in which an attacker injects fake data to a given system such that the system makes recommendations as the attacker desires. However, these poisoning attacks are either agnostic to recommendation algorithms or optimized to recommender systems that are not graph-based. Like association-rule-based and matrix-factorization-based recommender systems, graph-based recommender system is also deployed in practice, e.g., eBay, Huawei App Store. However, how to design optimized poisoning attacks for graph-based recommender systems is still an open problem. In this work, we perform a systematic study on poisoning attacks to graph-based recommender systems. Due to limited resources and to avoid detection, we assume the number of fake users that can be injected into the system is bounded. The key challenge is how to assign rating scores to the fake users such that the target item is recommended to as many normal users as possible. To address the challenge, we formulate the poisoning attacks as an optimization problem, solving which determines the rating scores for the fake users. We also propose techniques to solve the optimization problem. We evaluate our attacks and compare them with existing attacks under white-box (recommendation algorithm and its parameters are known), gray-box (recommendation algorithm is known but its parameters are unknown), and black-box (recommendation algorithm is unknown) settings using two real-world datasets. Our results show that our attack is effective and outperforms existing attacks for graph-based recommender systems. For instance, when 1% fake users are injected, our attack can make a target item recommended to 580 times more normal users in certain scenarios., 34th Annual Computer Security Applications Conference (ACSAC), 2018; Due to the limitation "The abstract field cannot be longer than 1,920 characters", the abstract appearing here is slightly shorter than that in the PDF file

Published

2018