Towards Federated Learning with Byzantine-Robust Client Weighting

Featured Application

The paper provides a solution for practical federated learning tasks in which a dataset is partitioned among potentially malicious clients. One such case is training a model on edge medical devices, where a compromised device could not only lead to lower model accuracy but may also introduce public safety issues.

Abstract

Federated learning (FL) is a distributed machine learning paradigm where data are distributed among clients who collaboratively train a model in a computation process coordinated by a central server. By assigning a weight to each client based on the proportion of data instances it possesses, the rate of convergence to an accurate joint model can be greatly accelerated. Some previous works studied FL in a Byzantine setting, in which a fraction of the clients may send arbitrary or even malicious information regarding their model. However, these works either ignore the issue of data unbalancedness altogether or assume that client weights are a priori known to the server, whereas, in practice, it is likely that weights will be reported to the server by the clients themselves and therefore cannot be relied upon. We address this issue for the first time by proposing a practical weight-truncation-based preprocessing method and demonstrating empirically that it is able to strike a good balance between model quality and Byzantine robustness. We also establish analytically that our method can be applied to a randomly selected sample of client weights.

1. Introduction

Federated learning (FL) [1,2,3,4] is a distributed machine learning paradigm where training data reside at autonomous client machines and the learning process is facilitated by a central server. The server maintains a shared model and alternates between requesting clients to try and improve it and integrating their suggested improvements back into that shared model.

A few challenges arise from this model. First, the need for communication efficiency, both in terms of the size of data transferred and the number of required messages for reaching convergence. Second, clients are outside of the control of the server and as such may be unreliable or even malicious (Blanchard et al. [5] dubbed this behavior Byzantine). Third, whereas classical learning models generally assume that data are homogeneous, here, privacy and the aforementioned communication concerns force us to deal with the data as it is seen by the clients; that is (1) non-IID (identically and independently distributed)—data may depend on the client they reside at, and (2) unbalanced—different clients may possess different amounts of data.

In previous works [6,7,8,9,10], unbalancedness is either ignored or is represented by a collection of a priori known client importance weights that are usually derived from the amount of data each client has. This work investigates aspects that stem from this unbalancedness. Concretely, we focus on the case where unreliable clients declare the amount of data they have and may thus adversely influence their importance weight. We show that without some mitigation, a single malicious client can obstruct convergence in this manner even in the presence of popular FL defense mechanisms. Our experiments consider protections that replace the server step by a robust mean estimator, such as median [11,12,13] and trimmed mean [12].

2. Materials and Methods

2.1. Problem Setup

2.1.1. Optimization Goal

We are given K clients where each client k has a local collection $Z_k$ of $n_k$ samples taken IID from some unknown distribution over sample space $\mathit{Z}$. We denote the unified sample collection as $Z={\bigcup }_{k\in \left[K\right]}{Z}_k$ and the total number of samples as n (i.e., $n=\left|Z\right|={\sum }_{k\in \left[K\right]}{n}_k$).

Our objective is global empirical risk minimization (ERM) for some loss function class $\ell (w;·):\mathit{Z}\to \mathbb{R}$, parameterized by $w\in {\mathbb{R}}^d$:

$$\underset{w\in {\mathbb{R}}^d}{min}F\left(w\right),\mathrm{where}F\left(w\right):=\frac{1}{n}\sum _{z\in Z}\ell (w;z).$$

(1)

We let $w^{\ast }$ denote ${arg\; min}_{w\in {\mathbb{R}}^d}F\left(w\right)$.

In the following sections, we denote the vector of client sample sizes as $\mathit{N}=(n_1,\dots ,n_K)$ and assume, without loss of generality, that it is sorted in decreasing order.

2.1.2. Collaboration Model

We restrict ourselves to the FL paradigm, which leaves the training data distributed among client machines and learns a shared model by iterating between client updates and server aggregation.

Additionally, a subset of the clients, marked $\mathcal{B}$, can be Byzantine, meaning they can send arbitrary and possibly malicious results on their local updates. Moreover, unlike previous works, we also consider clients’ sample sizes to be unreliable because they are reported by possibly Byzantine clients. When the distinction is important, values that are sent by clients are marked with an overdot to signify that they are unreliable (e.g., ${\dot{n}}_k$), whereas values that have been preprocessed in some way are marked with a tilde (e.g., ${\tilde{n}}_k$).

2.1.3. Federated Learning Meta Algorithm

We build upon the baseline federated averaging algorithm ($FedAvg$) described by McMahan et al. [2]. There, it is suggested that in order to save communication rounds, clients perform multiple stochastic gradient descent (SGD) steps while a central server occasionally averages the parameter vectors.

The intuition behind this approach becomes clearer when we mark the kth client’s ERM objective function by $F_k\left(w\right)\frac{1}{n_k}{\sum }_{z\in Z_k}\ell (w;z)$ and observe that the objective function in Equation (1) can be rewritten as a weighted average of clients’ objectives:

$$F\left(w\right):=\frac{1}{n}\sum _{k\in \left[K\right]}{n}_k{F}_k\left(w\right).$$

(2)

Similarly to previous works [10,13,14], we capture a large set of algorithms by abstracting $FedAvg$ into a meta-algorithm for the FL (Algorithm 1). We require three procedures to be specified by any concrete algorithm:

• $Preprocess$—receives possibly Byzantine ${\dot{n}}_k$s from clients and produces secure estimates marked as ${\tilde{n}}_k$s. To the best of our knowledge, previous works ignore this procedure and assume that the $n_k$s are correct.
• $ClientUpdate$—per-client $w_k$ computation. In $FedAvg$, this corresponds to a few local mini-batch SGD rounds. See Algorithm 2 for the pseudocode.
• $Aggregate$—the server’s strategy for updating w. In $FedAvg$, this corresponds to the weighted arithmetic mean, i.e., $w\leftarrow \frac{1}{\dot{n}}{\sum }_{k\in \left[K\right]}{\dot{n}}_k{\dot{w}}_k$.

Algorithm 1 Federated Learning Meta-Algorithm

Given procedures: $Preprocess$, $ClientUpdate$, and $Aggregate$. 1: ${\left\{{\dot{n}}_k\right\}}_{k\in \left[K\right]}\leftarrow$ collect sample size from clients 2: ${\left\{{\tilde{n}}_k\right\}}_{k\in \left[K\right]}\leftarrow Preprocess\left({\left\{{\dot{n}}_k\right\}}_{k\in \left[K\right]}\right)$ 3: $w\leftarrow$ initial guess 4: for  $t\leftarrow 1$  to  T  do 5:  $S_t\leftarrow$ a random set of client indices 6:  for all $k\in S_t$ do 7:   ${\dot{w}}_k\leftarrow$ $ClientUpdate\left(w\right)$ 8:  end for 9:  $w\leftarrow Aggregate\left({\left\{\langle {\tilde{n}}_k,{\dot{w}}_k\rangle \right\}}_{k\in S_t}\right)$ 10: end for

Algorithm 2 FedAvg: $ClientUpdate$

Hyperparameters: learning rate ($\eta$), number of epochs (E), and batch size (B). 1: for E epochs do 2:  for B-sized batch $b_k$ in $Z_k$ do 3:   $w_k\leftarrow w_k-\eta \frac{1}{B}{\sum }_{z\in b_k}\nabla \ell (w_k;z)$ 4:  end for 5: end for 6: return  $w_k$

2.2. Preprocessing Client-Declared Sample Sizes

2.2.1. Preliminaries

The following assumption is common among works on Byzantine robustness:

Assumption 1

(Bounded Byzantine proportion). The proportion of clients who are Byzantine is bounded by some constant α; i.e., $\frac{1}{K}\left|\mathcal{B}\right|\le \alpha$.

The next assumption is a natural generalization when considering unbalancedness:

Assumption 2

(Bounded Byzantine weight proportion). The proportion between the combined weight of Byzantine clients and the total weight is bounded by some constant ${\alpha }^{\ast }$; i.e., $\frac{1}{n}{\sum }_{b\in \mathcal{B}}{n}_b\le {\alpha }^{\ast }$.

Previous works on robust aggregation [6,7,8,9,15] either used Assumption 1, without considering the unbalancedness of the data, or implicitly used Assumption 2. However, we observe that Assumption 2 is unattainable in practice since Byzantine clients can often influence their own weight.

We address this gap with the following definition and an appropriate $Preprocess$ procedure.

Definition 1

(mwp). Given a proportion p and a weights vector $\mathit{V}=(v_1,\dots ,v_{\left|\mathit{V}\right|})$ sorted in decreasing order, the maximal weight proportion, $mwp(\mathit{V},p)$, is the maximum combined weight for any p-proportion of the values of $\mathit{V}$:

$$\begin{array}{c}\hfill mwp(\mathit{V},p)\frac{{\sum }_{i=1}^t{v}_i}{{\sum }_{i=1}^{\left|\mathit{V}\right|}{v}_i},\mathrm{where}t=⌊p\left|\mathit{V}\right|⌋.\end{array}$$

Note that this is just the weight proportion of the $⌊p\left|\mathit{V}\right|⌋$ clients with the largest sample sizes.

In the rest of this work we assume Assumption 1 and design a $Preprocess$ procedure that ensures the following:

$$mwp(Preprocess\left(\mathit{N}\right),\alpha )\le {\alpha }^{\ast }.$$

(3)

Observe that this requirement enables the use of weighted robust mean estimators in a realistic setting by ensuring that Assumption 2 holds for the preprocessed client sample sizes. It should also be noted that here, $\alpha$ is our assumption about the proportion of Byzantine clients, whereas ${\alpha }^{\ast }$ relates to an analytical property of the underlying robust algorithm. For example, we may replace the federated average with a weighted median as suggested by Chen et al. [11], in which case, ${\alpha }^{\ast }$ must be less than $1/2$.

2.2.2. Truncating the Values of N

Our suggested preprocessing procedure uses element-wise truncation of the values of $\mathit{N}$ by some value U, marked $trunc(\mathit{N},U)=(min(n_1,U),\dots ,min(n_K,U))$. Given $\alpha$ and ${\alpha }^{\ast }$, we search for the maximal truncation that satisfies Equation (3):

$$U^{\ast }:=\underset{U\in \mathbb{R}}{arg\; max}mwp(trunc(\mathit{N},U),\alpha )\le {\alpha }^{\ast }.$$

(4)

Here, $\alpha$ and $U^{\ast }$ present a trade-off. A higher $\alpha$ means more Byzantine tolerance but requires a smaller truncation value $U^{\ast }$, which may cause slower and less accurate convergence, as we demonstrate empirically in Section 3 and theoretically in Theorem 3.

Finding $U^{\ast }$ Given $\alpha$

If one has an estimate for $\alpha$, it is easy to calculate $U^{\ast }$, for example, by going over values in $\mathit{N}$ in decreasing order until finding a value that satisfies the inequality in Equation (4). Then we mark the index of this value by u and use the fact that in the range $[n_{u-1},n_u]$, we can express $mwp(trunc(\mathit{N},U),\alpha )$ as a simple function of the form $\frac{a+bU}{c+dU}$:

$$\begin{array}{c}\hfill \frac{{\sum }_{i=u}^t{n}_i+\left|\{n_i:i<min(t,u)\}\right|U}{{\sum }_{i=u}^K{n}_i+\left|\{n_i:i<u\}\right|U}=\frac{{\sum }_{i=u}^t{n}_i+min(t,u)U}{{\sum }_{i=u}^K{n}_i+uU}\end{array}$$

for which we can solve Equation (4) with

$$U^{\ast }\leftarrow \frac{a-c{\alpha }^{\ast }}{d{\alpha }^{\ast }-b}.$$

(5)

Optimality

Theorem 1.

Given Byzantine proportion α and Byzantine weight proportion ${\alpha }^{\ast }$, then setting $\tilde{\mathit{N}}=trunc(\mathit{N},U^{\ast })=({\tilde{n}}_1,\dots ,{\tilde{n}}_K)$ for $U^{\ast }$ given in Equation (4) gives an optimal solution for the following minimization problem: ${min}_{N^{\prime }=(n_1^{\prime },\dots ,n_K^{\prime })}{∥{\mathit{N}}^{\prime }-\mathit{N}∥}_1$ s.t. Equation (3) is satisfied (for $Preprocess\left(\mathit{N}\right)={\mathit{N}}^{\prime }$) and $\forall k\in \left[K\right]:n_k^{\prime }\le n_k$.

Proof. 

See Appendix A.1. □

The $\alpha$-$U^{\ast }$ Trade-Off

When we do not know $\alpha$, as a practical procedure, we suggest plotting $U^{\ast }$ as a function of $\alpha$. In order to do so, we can start with $\alpha \leftarrow {\alpha }^{\ast }$, $U\leftarrow n_1$, and alternate between decreasing $\alpha$ by $1/K$ (one less Byzantine client tolerated) and solving Equation (4). This procedure can be made efficient by saving intermediate sums and using a specialized data structure for trimmed collections. See Algorithm 3 for the pseudocode and Figure 1 for an example output.

Algorithm 3 Plot ($\alpha$, $U^{\ast }$) Pairs

$\alpha \leftarrow {\alpha }^{\ast }$

for  $u\leftarrow 1$  to  $K-1$  do

while $mwp(trunc(\mathit{N},n_{u+1}),\alpha )>{\alpha }^{\ast }$ do

$U^{\ast }\leftarrow$ solve Equation (5) for $U\in [n_u,n_{u+1}]$

output ($\alpha$, $U^{\ast }$)

$\alpha \leftarrow \alpha -\frac{1}{K}$

end while

end for

2.2.3. Truncation Given a Partial View of N

When K is very large, we may want to sample only $k\ll K$ elements IID from $\mathit{N}$. In this case, we will need to test that the inequality in Equation (4) holds with high probability. Such a test is useful in practice as the number of clients and their dataset sizes is not always tractable or pre-known, especially in the cross-device federated learning scenarios.

We consider k discrete random variables taken IID from $\mathit{N}$ after truncation by U, that is, taken from a distribution over $\{0,\dots ,U\}$. We mark these random variables as $X_1,\dots ,X_k$, and their order statistic as $X_{\left(1\right)},\dots ,X_{\left(k\right)}$ where $X_{\left(1\right)}\le \cdots \le X_{\left(k\right)}$.

Theorem 2.

Given parameter $\delta >0$ and ${\epsilon }_1=\sqrt{\frac{ln(3/\delta )}{2k}}$, ${\epsilon }_2=U\sqrt{\frac{lnln(3/\delta )}{2(k(\alpha -{\epsilon }_1)+1)}}$, ${\epsilon }_3$ = $U\sqrt{\frac{lnln(3/\delta )}{2k}}$, we have that $mwp(trunc(\mathit{N},U),\alpha )\le {\alpha }^{\ast }$ is true with $1-\delta$ confidence if the following holds:

$$\begin{array}{c}\hfill \frac{\alpha \left(\frac{{\sum }_{i\leftarrow \lceil (1-(\alpha -{\epsilon }_1))k\rceil }^k{X}_{\left(i\right)}}{k-\lceil (1-(\alpha -{\epsilon }_1))k\rceil +1}+{\epsilon }_2\right)}{\left(\frac{1}{k}{\sum }_{i\in \left[k\right]}{X}_i-{\epsilon }_3\right)}\le {\alpha }^{\ast }.\end{array}$$

(6)

Proof. 

See Appendix A.2. □

2.2.4. Convergence Analysis

We split our analysis into two parts. In the first part, we analyze our truncation preprocessing step, showing how it bounds the skewness of the learning objective that may be caused by Byzantine clients. In the second part, we discuss stronger guarantees of convergence.

Objective Function Skewness Bound

After applying our $Preprocess$ procedure, we have the truncated number of samples per client, marked ${\left\{{\tilde{n}}_k\right\}}_{k\in \left[K\right]}$. We can trivially ensure that any algorithm instance works as expected by requiring that clients ignore samples that were truncated. That is, even if an honest (non-Byzantine) client k has $n_k$ samples, it may use only ${\tilde{n}}_k$ samples during its $ClientUpdate$.

Although this solution always preserves the semantics of any underlying algorithm, it does hurt convergence guarantees since the total number of samples decreases [Tables 5 and 6 in Kairouz et al. [3]; Yin et al. [12]; Haddadpour and Mahdavi [9]]. Interestingly, Theorem 3 in Li et al. [16] analyzes the baseline FedAvg and shows that the convergence bound increases with $max{n}_k/min{n}_k$ (marked there as $\nu /\varsigma$). This suggests that in some cases, unbalancedness itself deteriorates the convergence rate, a phenomenon that may be mitigated by truncation to some degree.

Additionally, we note that when the clients’ sample distributions are similar, the performance of federated averaging-based algorithms improves when honest clients use all their original $n_k$ samples. Intuitively, this follows from the observation that $Aggregate$ procedures are generally composite mean estimators and $ClientUpdate$ calls are likely to produce more accurate results given more samples.

Lastly, as we have mentioned before, convergence is guaranteed, but we note that the optimization goal itself is inevitably skewed in our Byzantine scenario. The following theorem bounds this difference between the original weighted optimization goal (Equation (2)) and the new goal after truncation. In order to emphasize the necessity of this bound (in terms of Assumption 2), we use an overdot and tilde to signify unreliable and truncated values, respectively, as previously described in Section 2.1.2.

Theorem 3.

Given the same setup as in Equation (1) and a truncation bound U, the following holds for all $w\in {\mathbb{R}}^d$:

$$\begin{array}{cc}\hfill & ∥\frac{1}{\dot{n}}\sum _{i\in \left[K\right]}{\dot{n}}_i{F}_i\left(w\right)-\frac{1}{\tilde{n}}\sum _{i\in \left[K\right]}{\tilde{n}}_i{F}_i\left(w\right)∥\le \hfill \\ \hfill & ∥\sum _{i:{\dot{n}}_i>U}(\frac{{\dot{n}}_i}{\dot{n}}-\frac{1}{K})F_i\left(w\right)+(\frac{1}{\dot{n}}-\frac{1}{\tilde{n}})\sum _{i:{\dot{n}}_i\le U}\mathcal{L}\left(Z_i\right)∥,\hfill \end{array}$$

where $\mathcal{L}\left(Z_i\right)$ is defined as ${\sum }_{z\in Z_i}\ell (w;z)$.

Proof. 

Using the fact that $\tilde{n}\le UK$, we obtain:

$$\begin{array}{cc}\hfill & ∥\frac{1}{\dot{n}}\sum _{i\in \left[K\right]}{\dot{n}}_i{F}_i\left(w\right)-\frac{1}{\tilde{n}}\sum _{i\in \left[K\right]}{\tilde{n}}_i{F}_i\left(w\right)∥=\hfill \\ \hfill & ∥\sum _{i:{\dot{n}}_i>U}\frac{{\dot{n}}_i}{\dot{n}}{F}_i\left(w\right)+\frac{1}{\dot{n}}\sum _{i:{\dot{n}}_i\le U}\mathcal{L}\left(Z_i\right)-\sum _{i:{\dot{n}}_i>U}\frac{U}{\tilde{n}}{F}_i\left(w\right)-\frac{1}{\tilde{n}}\sum _{i:{\dot{n}}_i\le U}\mathcal{L}\left(Z_i\right)∥\le \hfill \\ \hfill & ∥\sum _{i:{\dot{n}}_i>U}\frac{{\dot{n}}_i}{\dot{n}}{F}_i\left(w\right)+\frac{1}{\dot{n}}\sum _{i:{\dot{n}}_i\le U}\mathcal{L}\left(Z_i\right)-\sum _{i:{\dot{n}}_i>U}\frac{1}{K}{F}_i\left(w\right)-\frac{1}{\tilde{n}}\sum _{i:{\dot{n}}_i\le U}\mathcal{L}\left(Z_i\right)∥=\hfill \\ \hfill & ∥\sum _{i:{\dot{n}}_i>U}\left(\frac{{\dot{n}}_i}{\dot{n}}-\frac{1}{K}\right)F_i\left(w\right)+\left(\frac{1}{\dot{n}}-\frac{1}{\tilde{n}}\right)\sum _{i:{\dot{n}}_i\le U}\mathcal{L}\left(Z_i\right)∥.\hfill \end{array}$$

□

From the bound in Theorem 3, we can clearly see how the coefficients in the left term, $({\dot{n}}_i/\dot{n}-1/K)$, stem from unbalancedness in the values above the truncation threshold, whereas the coefficient in the right term, $(1/\dot{n}-1/\tilde{n})$, accounts for the increase of relative weight of the values below the truncation threshold. Additionally, note that this formulation demonstrates how a single Byzantine client can increase this difference arbitrarily by increasing its ${\dot{n}}_i$. Lastly, observe how both terms vanish as U increases, which motivates our selection of $U^{\ast }$ as the maximal truncation threshold for any given $\alpha$ and ${\alpha }^{\ast }$.

Convergence Guarantees

Having bounded the difference between the pre-truncation and post-truncation training objectives, we can now utilize known convergence guarantees.

Such guarantees and their respective proofs depend on the specific underlying $Aggregate$ procedures and are orthogonal to our work. Nevertheless, we include two examples of how to account for our preprocessing step in the convergence analysis of specific underlying algorithms. In the first example, which we defer to Appendix C, we restate and adapt for truncation the convergence analysis given by Li et al. [16] for the standard, non-Byzantine-tolerant, $FedAvg$ algorithm. In the second example, we do the same for the Byzantine-robust trimmed mean aggregation procedure by Yin et al. [12]. This establishes that convergence is still guaranteed, even though the weights of some clients are truncated.

The following definitions and assumptions are required for the analysis of Yin et al. [12]:

Definition 2

(Coordinate-wise trimmed mean). For $\beta \in [0,\frac{1}{2})$ and vectors $x^i\in {\mathbb{R}}^d$, $i\in \left[m\right]$, the coordinate-wise β-trimmed mean $\mathbf{g}:={\mathsf{trmean}}_{\beta }\{x^i:i\in \left[m\right]\}$ is a vector with its k-th coordinate being $g_k=\frac{{\sum }_{i\in R_k}{n}_i{x}_k^i}{{\sum }_{i\in R_k}{n}_i}$ for each $k\in \left[d\right]$. Here, $R_k$ is a subset of indices from $\{x_k^1,\dots ,x_k^m\}$ obtained by removing the largest and smallest β fraction of its elements.

Definition 3

(Sub-exponential random variables). A random variable X with $\mathbb{E}\left[X\right]=\mu$ is called v-sub-exponential if $\mathbb{E}\left[e^{\lambda (X-\mu )}\right]\le e^{\frac{1}{2}{v}^2{\lambda }^2},\forall \left|\lambda \right|<\frac{1}{v}$.

Definition 4

(Lipschitz). h is L-Lipschitz if $|h\left(w\right)-h\left(w^{\prime }\right)|\le L∥w-w^{\prime }∥,\forall w,w^{\prime }$.

Definition 5

(Smoothness). h is $L^{\prime }$-smooth if $∥\nabla h\left(w\right)-\nabla h\left(w^{\prime }\right)∥\le L^{\prime }∥w-w^{\prime }∥,\forall w,w^{\prime }$.

Definition 6

(Strong convexity). h is λ-strongly convex if $h\left(w^{\prime }\right)\ge h\left(w\right)+〈\nabla h\left(w\right),w^{\prime }-w〉+\frac{\lambda }{2}{∥w^{\prime }-w∥}^2,\forall w,w^{\prime }$.

Assumption 3

(Parameter space convexity and compactness). We assume that the parameter space $\mathcal{W}$ is convex and compact with diameter D, i.e., $∥w-w^{\prime }∥\le D,\forall w,w^{\prime }\in \mathcal{W}$.

Assumption 4

(Smoothness of ℓ and F). We assume that for any $z\in \mathit{Z}$, the partial derivative of $\ell (·;z)$ with respect to the k-th coordinate of its first argument, denoted by ${\partial }_k\ell (·;z)$, is $L_k$-Lipschitz for each $k\in \left[d\right]$, and the function $\ell (·;z)$ is L-smooth. Let $\widehat{L}:=\sqrt{{\sum }_{k=1}^d{L}_k^2}$. We also assume that the population loss function $F(·)$ is $L_F$-smooth.

Assumption 5

(Sub-exponential gradients). We assume that for all $k\in \left[d\right]$ and $w\in \mathcal{W}$, the partial derivative of $\ell (w;z)$ with respect to the k-th coordinate of w, ${\partial }_k\ell (w;z)$, is v-sub-exponential.

Define

$$m=\underset{i\in \left[K\right]}{min}\left\{n_i\right\},\tilde{m}=\underset{i\in \left[K\right]}{min}\left\{{\tilde{n}}_i\right\}.$$

In order to prove convergence with truncation, we can adapt Theorems 4–6 from [12], which provide convergence guarantees for the trimmed mean aggregation procedure for the strongly convex, non-strongly convex, and non-convex cases, respectively. We restate Theorem 4 (for the trimmed mean aggregation procedure), where $\Delta$ is an upper bound that we prove on the distance between the trimmed mean aggregation of client-reported stochastic gradients and the true gradient (i.e., $∥\mathbf{g}\left(w\right)-\nabla F\left(w\right)∥$).

Theorem 4

([12] Theorem 4). Consider the trimmed mean aggregation procedure. Suppose that Assumptions 4 and 5 hold, $F(·)$ is ${\lambda }_F$-strongly convex, and $\alpha \le \beta \le \frac{1}{2}-ϵ$ for some $ϵ>0$. We choose a step-size of $\eta =1/L_F$. Then, with a probability of at least $1-\mathcal{O}\left(\frac{d}{{\widehat{L}}^d{D}^d{K}^{d-1}{m}^d}\right)$, after T parallel iterations, we have

$$∥w^T-w^{\ast }∥\le {\left(1-\frac{{\lambda }_F}{L_F+{\lambda }_F}\right)}^T∥w^0-w^{\ast }∥+\frac{2}{{\lambda }_F}\Delta ,$$

where $w^t$ denotes the model-weights vector at the server at the end of step number t such that 0 is the first step of the algorithm. For brevity, we do not repeat Theorems 5 and 6 from [12]. Note that they similarly depend on Δ.

In the following lemma, we prove the upper bound $\Delta$. This lemma is an adaptation of Theorem 11 in [12] to our setting. Given this updated bound, the proofs of Theorems 4–6 follow precisely as in [12].

Lemma 1.

Define

$$\begin{array}{ccc}\hfill & {\mathbf{g}}^i\left(w^t\right)\leftarrow \left\{\begin{array}{cc}\ast \hfill & i\in \mathcal{B}\hfill \\ \nabla F_i\left(w^t\right)\hfill & \mathrm{else}\hfill \end{array}\right.,\hfill & \hfill \mathbf{g}\left(w^t\right)\leftarrow {\mathsf{trmean}}_{\beta }\left\{{\mathbf{g}}^i\left(w^t\right):i\in \left[K\right]\right\}.\end{array}$$

Suppose that Assumptions 4 and 5 are satisfied, and that $\alpha \le \beta \le \frac{1}{2}-ϵ$. Then, with probability at least $1-\mathcal{O}\left(\frac{d}{{\widehat{L}}^d{D}^d{K}^{d-1}{m}^d}\right)$,

$$∥\mathbf{g}\left(w\right)-\nabla F\left(w\right)∥\le \mathcal{O}\left(\frac{vdU}{\tilde{m}\sqrt{m}}\right)\sqrt{log\left(1+\widehat{L}D{\sum }_{i=1}^K{n}_i\right)+\frac{1}{d}logK}+\tilde{\mathcal{O}}\left(\frac{U}{K\tilde{m}m}\right).$$

(7)

Proof. 

See Appendix D. □

It can be seen that $\Delta$ increases with d and U and decreases with m and $\tilde{m}$, with the latter three showing that the bound becomes less tight when the distributed dataset becomes more imbalanced.

3. Experimental Evaluation

In this section, we demonstrate how truncating $\mathit{N}$ is a crucial requirement for Byzantine robustness. That is, we show that no matter what the specific attack or aggregation method is, using $\mathit{N}$ “as-is” categorically devoids any robustness guarantees.

The code for the experiments is based on the Tensorflow machine learning library Abadi et al. [17]. Specifically, the code for the shakespeare experiments is based on the Tensorflow Federated sub-library of Tensorflow. It is given under the Apache license 2.0. We perform the experiments using a single NVIDIA GeForce RTX 2080 Ti GPU, but the results are easily reproducible on any device. Our code is given under the MIT license and can be found in the following GitHub repository: https://github.com/amitport/Towards-Federated-Learning-with-Byzantine-Robust-Client-Weighting, accessed on 1 July 2022.

3.1. Experimental Setup

3.1.1. The Machine Learning Tasks and Models

Shakespeare: Next-Character-Prediction Partitioned by Speaker

Presented in the original FedAvg paper [2] and also as part of the LEAF benchmark [18], the Shakespeare dataset contains 422,615 sentences taken from The Complete Works of William Shakespeare [19] (freely available public domain texts). The next-character-prediction task with the per-speaker partitioning represents a realistic scenario in the FL domain. Each client trains using an LSTM recurrent model [20] with hyperparameters matching those suggested by Reddi et al. [21] for FedAvg.

MNIST: Digit Recognition with Synthetic Client Partitioning

The MNIST database [22] (available under Creative Commons Attribution-ShareAlike 3.0 license) includes $28\times 28$ grayscale labeled images of handwritten digits split into 60,000 training images and 10,000 testing images. We randomly partition the training set among 100 clients. The partition sizes are determined by taking 100 samples from a Lognormal distribution with $\mu =1.5$, $\sigma =3.45$ and then interpolating corresponding integers that sum to 60,000. This produces a right-skewed, fat-tailed partition size distribution that emphasizes the importance of correctly weighting aggregation rules and the effects of truncation. Clients train a classifier using a 64-unit perceptron with ReLU activation and $20\%$ dropout, followed by a softmax layer. Following Yin et al. [12], on every communication round, all clients perform a mini-batch SGD with 10% of their examples.

Note that the the Shakespeare and MNIST synthetic tasks were selected because they are relatively simple, unbalanced tasks: simple, because we want to evaluate a preprocessing phase and avoid tuning of the underlying algorithms we compare; unbalanced, since as can be understood from Theorem 3, when the client sample sizes are spread mostly evenly, ignoring the client sample size altogether is a viable approach. See Figure 2 for the histograms of the partitions.

3.1.2. The Server

We show three $Aggregate$ procedures: arithmetic mean, as used by the original $FedAvg$, and two additional procedures that replace the arithmetic mean with robust mean estimators. The first of the latter uses the coordinatewise median [11,12]. That is, each server model coordinate is taken as the median of the clients’ corresponding coordinates. The second robust aggregation method uses the coordinatewise trimmed mean [12], which, for a given hyperparameter $\beta$, first removes the $\beta$-proportion lowest and $\beta$-proportion highest values in each coordinate and only then calculates the arithmetic mean of the remaining values.

When preprocessing the client-declared sample size, we compare three options: we either ignore client sample size, truncate according to $\alpha =10\%$ and ${\alpha }^{\ast }=50\%$, or just pass through the client sample size as reported. Note that the ${\alpha }^{\ast }$ value is derived from the fact that the robust median and trimmed mean defenses require at least $50\%$ honest clients [12].

3.1.3. The Clients and Attackers

We examine a model negation attack [5]. In this attack, each attacker “pushes” the model towards zero by always returning a negation of the server’s model. When the data distribution is balanced, this attack is easily neutralized since Byzantine clients typically send easily detectable extreme values. However, in our unbalanced case, we demonstrate that without our preprocessing step, this attack cannot be mitigated even by robust aggregation methods.

In order to provide comparability, we additionally follow the experiment shown by Yin et al. [12], in which $10\%$ of the clients use a label shifting attack on the MNIST task. In this attack, Byzantine clients train normally except for the fact that they replace every training label y with $9-y$. The values sent by these clients are then incorrect but are relatively moderate in value, making their attack somewhat harder to detect.

We first execute our experiment without any attacks for every server aggregation and preprocessing combination. Then, for each attack type, we repeat the process two additional times: (1) with a single attacker that declares 10 million samples, and (2) with 10% attackers that declare 1 million samples each.

3.2. Experimental Results

The Shakespeare experiments without any attackers are shown in Figure 3, and the executions with attackers are shown in Figure 4. The results of the MNIST experiments are similar to the results of the Shakespeare experiments and are relegated to Appendix B.

Figure 3 shows that using truncation (dashed orange curve, labeled “Truncate”) remains comparable to the properly weighted mean estimators, where no preprocessing is done (solid blue curve, labeled “Passthrough”), whereas ignoring clients’ sample sizes and weighing the clients uniformly (dotted green curve, labeled “Ignore”) is sub-optimal. This effect is pronounced when the unweighted median is used (middle column, dotted green curve), since it is generally very far from the mean with our unbalanced partition.

From Figure 4, we observe that even with a single attacker performing a trivial attack (first row), using the weights directly without preprocessing (solid blue curve) is devastating, whereas when our truncation-based preprocessing method is used in conjunction with robust mean aggregations (i.e., median and trimmed mean) (dashed orange curve, two last columns), convergence remains stable even when there are $\alpha$ (=10%) attackers (second row). In contrast, the same cannot be said for the regular mean aggregator, as can be seen by the sub-optimal accuracy (2nd row) and an occasional accuracy drop (1st row) in the leftmost column (the drops can be explained by the fact that in each round we randomly select clients for training, and so the byzantine clients have varying effects across different rounds). We note that our method may be slightly less accurate in some cases when ignoring reported client sample sizes and weighing them uniformly (dotted green curve, second row, middle column). This is expected because we allow Byzantine clients to potentially get close to the ${\alpha }^{\ast }$-proportion (50%, in this case) of the weight. However, our method is significantly closer to the optimal solution when there are no or only a few attackers (see Figure 3). Moreover, when used with robust mean aggregation methods, it maintains their robustness properties.

The results from the first experiment, running without any attackers (Figure 3), demonstrate that ignoring client sample size results in reduced accuracy, especially when median aggregation is used, whereas truncating according to our procedure is significantly better and is on par with properly using all weights. These results highlight the imperativeness of using sample size weights when performing server aggregations.

Whereas Figure 3 shows that truncation-based preprocessing performs on par with that of taking all weights into consideration when all clients are honest, Figure 4 demonstrates that the results are very different when there is an attack. In this case, we see that when even a single attacker reports a highly exaggerated sample size and the server relies on all the values of $\mathit{N}$, the performance of all aggregation methods, including robust median and trimmed mean, quickly degrades.

In contrast, in our experiments, robustness is maintained when truncation-based preprocessing is used in conjunction with robust mean aggregations such as median or trimmed mean, even when Byzantine clients attain the maximally supported proportion, $\alpha =10\%$.

4. Discussion

The results of our experiments establish that: (1) in the absence of attacks, model convergence is on par with that of properly using all reported weights, and (2) when attacks do occur, the performance of combining truncation-based preprocessing and robust aggregations incurs almost no penalty in comparison with the performance of using all weights in the lack of attacks, whereas without preprocessing, even robust aggregation methods collapse to a performance that is worse than that of a random classifier.

When the number of clients is very large, performing server preprocessing and aggregation on the server may become computationally infeasible. We prove that, in this case, truncation-based preprocessing can achieve the same upper bound on ${\alpha }^{\ast }$ with high probability based on the weight values reported from a sufficiently large number of the clients selected IID.

In future work, we plan to further analyze the trade-off between robustness and the usage of client sample size in rectifying data unbalancedness. We also plan to investigate alternative forms of estimating client importance that may avoid client sample size altogether.