Abstract: Existing methods that handle poisoning attacks in collaborative learning systems rest on assumptions such as the data being independent and identically distributed (i.i.d.) and the optimization problem being strongly convex, which do not hold in real-world scenarios. Thus, embodiments of the present disclosure provide a method and system for preventing poisoning attacks in collaborative learning systems. The method is based on loss function-based rejection (LFR), which suppresses high-loss malicious updates, and then applies Optimal Transport (OT) optimization to smoothen the aggregated global model. Specifically, the method leverages the Wasserstein barycenter in order to obtain a global model from a given set of local models. Further, the LFR provides the weighting coefficients for the Wasserstein barycentric function, which helps in discarding the malicious updates.
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
Title of invention:
METHOD AND SYSTEM FOR PREVENTING POISONING ATTACKS IN COLLABORATIVE LEARNING SYSTEMS
Applicant:
Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th Floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
The following specification particularly describes the invention and the manner in which it is to be performed.
CROSS-REFERENCE TO RELATED APPLICATIONS AND PRIORITY
The present application claims priority from Indian provisional patent application no. 202321039349, filed on June 8, 2023. The entire contents of the aforementioned application are incorporated herein by reference.
TECHNICAL FIELD
The present invention generally relates to the field of machine learning and, more particularly, to a method and system for preventing poisoning attacks in collaborative learning systems.
BACKGROUND
Collaborative learning or multi-agent federated learning (FL) is used in several applications, such as signal processing, mobile user personalization, speech recognition, and more. In federated learning, the server shares an initial global model trained on auxiliary public data with the clients. The clients fine-tune this initial global model on their own devices using their own data to create a local model. The difference between the initial global model and the local model, known as the local update, is shared with the server by the clients. The server receives local updates from all the clients and aggregates them to create the next version of the global model. Federated learning can simultaneously offload the computation- and memory-intensive training work onto multiple clients, which are low-end computation devices. FL functions as a highly distributed, decentralized system that preserves data privacy under limited communication and computational capabilities. Despite the advantages of privacy and shared intelligence, FL with deep neural networks (DNN) faces unique challenges with respect to data and system heterogeneity, computation and memory constraints, and adversarial poisoning attacks.
Past works in FL have exposed its high vulnerability to adversarial attacks under the white-box setting. However, such attacks are somewhat unrealistic, as the attacker needs complete knowledge of the model structure and parameters distributed across all the clients. Recently, the FL research community has shown more interest in investigating black-box adversarial attacks. For example, in autonomous vehicles, where the FL setting is more relevant, these attacks can misdirect the vehicle controller, which might result in catastrophic events. The untargeted data poisoning attack in FL is the most common type of black-box attack and is relevant to production deployments. Specifically, the attacker is interested in generic misclassification (untargeted) rather than specific misclassification (targeted).
Existing defenses against FL data poisoning attacks are either based on anomaly detection or using model aggregation to dampen the poisoned update effectiveness. The anomaly detection-based techniques detect malicious clients by grouping various aspects of client updates and removing those that are not part of a majority group. These techniques vary according to different aspects of client updates. Recently, Rieger et al. proposed DeepSight which uses deep inspection of the updates in neural network layers to detect anomalous updates. Further, the aggregation techniques such as Krum, trimmed mean, and median claim to be Byzantine robust. However, they have some critical limitations in common. They only provide asymptotic bounds that are far from practice. Specifically, they only offer the order-optimal bounds on error rates of parameters. However, even if such order optimal bounds are given, there is no guarantee for classification performance on the learned global model. Further, they strongly assume that data is independent and identically distributed (i.i.d), and the optimization problem is strongly convex, which is not practical in real-world scenarios.
SUMMARY
Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a method for preventing poisoning attacks in collaborative learning systems is provided. The method includes receiving a plurality of local updates to a global model from a plurality of clients. Further, the method includes determining a) a first vector comprising a plurality of losses of the plurality of updates on a global validation dataset and b) a second vector by subtracting each of a plurality of elements of the first vector from a maximum value of the first vector. Furthermore, the method includes identifying and eliminating one or more malicious updates among the plurality of updates by iteratively updating the second vector for a pre-defined number of iterations and updating the global model. The global model is updated by (i) computing a plurality of Wasserstein distances between a plurality of parameters of the global model and a plurality of parameters of each of a plurality of local models corresponding to the plurality of local updates; (ii) determining a plurality of products of the updated second vector and each of the plurality of Wasserstein distances; and (iii) updating the global model based on an aggregation rule which minimizes sum of the plurality of products.
In another aspect, a system for preventing poisoning attacks in collaborative learning systems is provided. The system includes: a memory storing instructions; one or more communication interfaces; and one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors are configured by the instructions to: receive a plurality of local updates to a global model from a plurality of clients. Further, the one or more hardware processors are configured to determine a) a first vector comprising a plurality of losses of the plurality of updates on a global validation dataset and b) a second vector by subtracting each of a plurality of elements of the first vector from a maximum value of the first vector. Furthermore, the one or more hardware processors are configured to identify and eliminate one or more malicious updates among the plurality of updates by iteratively updating the second vector for a pre-defined number of iterations and updating the global model. The global model is updated by (i) computing a plurality of Wasserstein distances between a plurality of parameters of the global model and a plurality of parameters of each of a plurality of local models corresponding to the plurality of local updates; (ii) determining a plurality of products of the updated second vector and each of the plurality of Wasserstein distances; and (iii) updating the global model based on an aggregation rule which minimizes the sum of the plurality of products.
In yet another aspect, there are provided one or more non-transitory machine-readable information storage mediums comprising one or more instructions which when executed by one or more hardware processors cause a method for preventing poisoning attacks in collaborative learning systems. The method includes receiving a plurality of local updates to a global model from a plurality of clients. Further, the method includes determining a) a first vector comprising a plurality of losses of the plurality of updates on a global validation dataset and b) a second vector by subtracting each of a plurality of elements of the first vector from a maximum value of the first vector. Furthermore, the method includes identifying and eliminating one or more malicious updates among the plurality of updates by iteratively updating the second vector for a pre-defined number of iterations and updating the global model. The global model is updated by (i) computing a plurality of Wasserstein distances between a plurality of parameters of the global model and a plurality of parameters of each of a plurality of local models corresponding to the plurality of local updates; (ii) determining a plurality of products of the updated second vector and each of the plurality of Wasserstein distances; and (iii) updating the global model based on an aggregation rule which minimizes sum of the plurality of products.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
FIG. 1 illustrates an exemplary block diagram of a system for preventing poisoning attacks in collaborative learning systems, according to some embodiments of the present disclosure.
FIGS. 2A and 2B (collectively referred to as FIG. 2) are a flow diagram illustrating a method for preventing poisoning attacks in collaborative learning systems, according to some embodiments of the present disclosure.
FIG. 3 illustrates an overview of the method illustrated in FIG. 2 integrated into a collaborative learning system with n clients, according to some embodiments of the present disclosure.
FIG. 4 is a graph illustrating validation losses of individual client updates at a server for 100 global communication rounds under 33% multi-attack settings for KUL Belgium traffic sign (KBTS) dataset, according to some embodiments of the present disclosure.
FIG. 5 is a visualization of global model interpolation for t rounds, according to some embodiments of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS
Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments.
Existing methods that handle poisoning attacks in collaborative learning systems rest on assumptions such as the data being independent and identically distributed (i.i.d.) and the optimization problem being strongly convex, which do not hold in real-world scenarios. Embodiments of the present disclosure overcome the drawbacks of existing methods with a method and system for preventing poisoning attacks in collaborative learning systems. The method is based on loss function-based rejection (LFR), which suppresses high-loss malicious updates, and then applies Optimal Transport (OT) optimization to smoothen the aggregated global model. Specifically, the method leverages the Wasserstein barycenter in order to obtain a global model from a given set of local models. Further, the LFR provides the weighting coefficients for the Wasserstein barycentric function, which helps in discarding the malicious updates.
Referring now to the drawings, and more particularly to FIGS. 1 to 5, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments, and these embodiments are described in the context of the following exemplary system and/or method.
FIG. 1 illustrates an exemplary block diagram of a system for preventing poisoning attacks in collaborative learning systems, according to some embodiments of the present disclosure. In an embodiment, the system 100 includes one or more processors (104), communication interface device(s) (106) or Input/Output (I/O) interface(s) (106) or user interface (106), and one or more data storage devices or memory (102) operatively coupled to the one or more processors (104). The one or more processors (104) that are hardware processors can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the processor(s) is configured to fetch and execute computer-readable instructions stored in the memory. In an embodiment, the system 100 can be implemented in a variety of computing systems, such as laptop computers, notebooks, hand-held devices, workstations, mainframe computers, servers, a network cloud, and the like.
The I/O interface device(s) 106 can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like and can facilitate multiple communications within a wide variety of networks N/W and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. The memory 102 may include any computer-readable medium known in the art including, for example, volatile memory, such as Static Random-Access Memory (SRAM) and Dynamic Random-Access Memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. The database 108 stores information pertaining to inputs fed to the system 100 and/or outputs generated by the system (e.g., at each stage), specific to the methodology described herein. Functions of the components of system 100 are explained in conjunction with flow diagram depicted in FIGS. 2, 3 and 5, and experimental results illustrated in FIG. 4 for preventing poisoning attacks in collaborative learning systems.
In an embodiment, the system 100 comprises one or more data storage devices or the memory (102) operatively coupled to the processor(s) (104) and is configured to store instructions for execution of steps of the method (200) depicted in FIGS. 2 and 3 by the processor(s) or one or more hardware processors (104). The steps of the method of the present disclosure will now be explained with reference to the components or blocks of the system 100 as depicted in FIG. 1, the steps of flow diagrams as depicted in FIGS. 2, 3 and 5 and experimental results illustrated in FIG. 4. Although process steps, method steps, techniques or the like may be described in a sequential order, such processes, methods, and techniques may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps to be performed in that order. The steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously.
FIGS. 2A and 2B (collectively referred to as FIG. 2) are a flow diagram illustrating a method 200 for preventing poisoning attacks in collaborative learning systems, according to some embodiments of the present disclosure. As understood by a person skilled in the art, in collaborative learning (alternatively referred to as federated learning or FL) systems, a server shares an initial global model (for example, a machine learning model or a deep learning model) trained on auxiliary public data with the clients. At each global epoch t (alternatively referred to as a global communication round), every client: (i) tries to minimize the empirical loss over its own data and trains the model with a batch size of b_s for E local epochs, starting from the initial global model w_t^G, (ii) after the completion of the training phase with E local epochs, computes its local update as ΔC_(t+1)^n = w_(t+1)^n − w_t^G, and (iii) sends this individual client model update back to the server for model aggregation. Since clients in FL communicate local model updates to the server, adversarial attacks in FL are usually performed either through client data (data poisoning) or model updates (model poisoning). Broadly, there are two major types of adversarial attacks in FL: (i) targeted and untargeted data poisoning attacks, and (ii) model poisoning attacks. In data poisoning attacks, the attacker or malicious client creates poisonous data that, through the local updates, leads to an incorrect or imprecise global model. In model poisoning attacks, the attacker directly sends malicious updates to the server. The method 200 focuses on defending against untargeted data poisoning in FL, as it is by far the most common type and the most relevant to production deployments. Also, data poisoning attacks can affect a large population of FL clients and remain undetected for a longer period. However, the method 200 can handle other types of poisoning attacks as well.
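The following is an added, constructed example (not code from the patent or from Tata Consultancy Services) of the server side of one round as described above and in the Summary: clients send local updates ΔC_(t+1)^n = w_(t+1)^n − w_t^G, the server scores each updated model on its validation set (the first vector), derives LFR coefficients as max(loss) − loss_i (the second vector), and aggregates with a Wasserstein-2 barycenter weighted by those coefficients. Everything here is an assumption of the example rather than the patent's exact procedure: the model is a tiny logistic-regression classifier, parameter vectors are treated as 1-D empirical distributions (for which the W2 barycenter is the weighted average of the sorted vectors), the averaged values are written back in the rank order of the current global model, and the patent's pre-defined number of refinement iterations is not reproduced. The validation set and the four local models (three benign, one sign-flipped to play the poisoned client) are constructed inline.

```python
"""Constructed example: LFR-weighted Wasserstein-2 barycenter aggregation
for one federated-learning round. Pure standard library."""
import math


def logistic_loss(w, dataset):
    """Mean binary cross-entropy of a linear classifier w=[w1, w2, bias]
    over rows (x1, x2, y), computed with a numerically stable softplus."""
    total = 0.0
    for x1, x2, y in dataset:
        z = w[0] * x1 + w[1] * x2 + w[2]
        s = z if y == 1 else -z            # margin in favour of the true label
        total += max(-s, 0.0) + math.log1p(math.exp(-abs(s)))  # softplus(-s)
    return total / len(dataset)


def local_update(local_model, global_model):
    """Client side: delta C^n_{t+1} = w^n_{t+1} - w^G_t."""
    return [a - b for a, b in zip(local_model, global_model)]


def apply_update(global_model, update):
    return [g + d for g, d in zip(global_model, update)]


def validation_losses(global_model, updates, val_set):
    """First vector: loss of each locally updated model on the server's validation set."""
    return [logistic_loss(apply_update(global_model, u), val_set) for u in updates]


def lfr_coefficients(losses):
    """Second vector: max(loss) - loss_i, normalised to sum to 1.
    The highest-loss update receives coefficient exactly 0 and is thereby discarded."""
    m = max(losses)
    raw = [m - l for l in losses]
    total = sum(raw)
    if total == 0.0:                       # every update scored identically: fall back to uniform
        return [1.0 / len(raw)] * len(raw)
    return [r / total for r in raw]


def w2_distance_1d(a, b):
    """Wasserstein-2 distance between two equal-size 1-D empirical distributions
    (sorted-sample matching is the optimal coupling in one dimension)."""
    sa, sb = sorted(a), sorted(b)
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(sa, sb)) / len(sa))


def barycenter_objective(candidate, models, lam):
    """sum_i lam_i * W2(candidate, model_i)^2, the quantity the aggregation rule minimises."""
    return sum(l * w2_distance_1d(candidate, m) ** 2 for l, m in zip(lam, models))


def wasserstein_barycenter_1d(models, lam, reference):
    """Exact minimiser of barycenter_objective over 1-D empirical distributions:
    the lam-weighted average of the sorted parameter vectors. Example assumption:
    the averaged values are placed back in the rank order of `reference`
    (the current global model) so that the result is again a parameter vector."""
    d = len(reference)
    sorted_models = [sorted(m) for m in models]
    quantiles = [sum(l * sm[k] for l, sm in zip(lam, sorted_models)) for k in range(d)]
    order = sorted(range(d), key=lambda i: reference[i])
    out = [0.0] * d
    for rank, idx in enumerate(order):
        out[idx] = quantiles[rank]
    return out


def fedavg(global_model, updates):
    """Plain averaging baseline, which keeps the poisoned update at full weight."""
    n = len(updates)
    return [g + sum(u[i] for u in updates) / n for i, g in enumerate(global_model)]


def aggregate_round(global_model, updates, val_set):
    """One server round: score updates, derive LFR coefficients, aggregate by barycenter."""
    losses = validation_losses(global_model, updates, val_set)
    lam = lfr_coefficients(losses)
    models = [apply_update(global_model, u) for u in updates]
    return wasserstein_barycenter_1d(models, lam, global_model), losses, lam


# Constructed inputs: label 1 when x1 + x2 > 0, else 0.
VAL_SET = [(1.0, 1.0, 1), (2.0, 0.5, 1), (0.5, 2.0, 1),
           (-1.0, -1.0, 0), (-2.0, -0.5, 0), (-0.5, -2.0, 0)]
GLOBAL = [0.5, 0.6, 0.0]                    # w^G_t
LOCAL_MODELS = [[1.0, 0.9, 0.0], [0.9, 1.1, 0.05], [1.2, 1.0, -0.05],   # benign clients
                [-1.0, -1.0, 0.0]]                                      # sign-flipped (poisoned) client
UPDATES = [local_update(m, GLOBAL) for m in LOCAL_MODELS]

if __name__ == "__main__":
    new_global, losses, lam = aggregate_round(GLOBAL, UPDATES, VAL_SET)
    print("validation losses per update:", [round(l, 3) for l in losses])
    print("LFR coefficients:", [round(l, 3) for l in lam])
    print("LFR barycenter loss:", round(logistic_loss(new_global, VAL_SET), 3))
    print("FedAvg loss:", round(logistic_loss(fedavg(GLOBAL, UPDATES), VAL_SET), 3))
```

The check a practitioner would run on this is the last two prints: the poisoned client's update has the largest validation loss, so its LFR coefficient is exactly zero and the barycenter ignores it, whereas FedAvg absorbs it and its validation loss stays close to the untrained global model.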
In an embodiment, the attacker performs the following steps for attacking the FL system: (i) generate adversarial samples based on the gradient-based black-box attack method, (ii) add these samples to the local training dataset, (iii) train the local model, and (iv) transmit the malicious updates to poison the global model. An example of such an attack is M-SimBA data poisoning attack proposed by Kumar et al. It is recent and powerful as compared to other gradient-based black-box attack methods. In order to generate an adversarial image (malicious data), a random gradient perturbation is added to the original image. It is calculated according to equation 1, where I_adv is the adversarial image, I_x is the original image, and G_p is randomized gradient perturbation.
I_adv=I_x+e*G_p .....(1)
The step size (e) controls the intensity of the perturbation. Equation 1 is applied repeatedly until it generates the final adversarial image. In addition, it converges on the L2 norm such that ‖I_adv − I_x‖_2
| # | Name | Date |
|---|---|---|
| 1 | 202321039349-STATEMENT OF UNDERTAKING (FORM 3) [08-06-2023(online)].pdf | 2023-06-08 |
| 2 | 202321039349-PROVISIONAL SPECIFICATION [08-06-2023(online)].pdf | 2023-06-08 |
| 3 | 202321039349-FORM 1 [08-06-2023(online)].pdf | 2023-06-08 |
| 4 | 202321039349-DRAWINGS [08-06-2023(online)].pdf | 2023-06-08 |
| 5 | 202321039349-DECLARATION OF INVENTORSHIP (FORM 5) [08-06-2023(online)].pdf | 2023-06-08 |
| 6 | 202321039349-FORM-26 [16-08-2023(online)].pdf | 2023-08-16 |
| 7 | 202321039349-Proof of Right [16-10-2023(online)].pdf | 2023-10-16 |
| 8 | 202321039349-RELEVANT DOCUMENTS [22-03-2024(online)].pdf | 2024-03-22 |
| 9 | 202321039349-MARKED COPIES OF AMENDEMENTS [22-03-2024(online)].pdf | 2024-03-22 |
| 10 | 202321039349-FORM 3 [22-03-2024(online)].pdf | 2024-03-22 |
| 11 | 202321039349-FORM 18 [22-03-2024(online)].pdf | 2024-03-22 |
| 12 | 202321039349-FORM 13 [22-03-2024(online)].pdf | 2024-03-22 |
| 13 | 202321039349-ENDORSEMENT BY INVENTORS [22-03-2024(online)].pdf | 2024-03-22 |
| 14 | 202321039349-DRAWING [22-03-2024(online)].pdf | 2024-03-22 |
| 15 | 202321039349-COMPLETE SPECIFICATION [22-03-2024(online)].pdf | 2024-03-22 |
| 16 | 202321039349-AMENDED DOCUMENTS [22-03-2024(online)].pdf | 2024-03-22 |
| 17 | Abstract1.jpg | 2024-06-14 |
| 18 | 202321039349-RELEVANT DOCUMENTS [20-01-2025(online)].pdf | 2025-01-20 |
| 19 | 202321039349-MARKED COPIES OF AMENDEMENTS [20-01-2025(online)].pdf | 2025-01-20 |
| 20 | 202321039349-FORM 13 [20-01-2025(online)].pdf | 2025-01-20 |
| 21 | 202321039349-AMMENDED DOCUMENTS [20-01-2025(online)].pdf | 2025-01-20 |