Byzantine robust aggregation in federated distillation with adversaries

Federated learning empowers privacy-preserving, multi-party secure model training without the necessity of sharing raw data. In recent years, knowledge distillation has emerged as a promising solution to address the significant challenge of model heterogeneity within federated learning. However, current research often overlooks the potential threats posed by Byzantine attacks, which can significantly compromise the security of federated distillation. Previous work on Byzantine attacks has been primarily focused on manipulating local gradients to compromise global model, lacking attacks on logits in knowledge distillation scenarios. In this paper, we introduce two innovative attacks, shedding light on the inherent risks in federated distillation. The proposed attacks include a topk attack, which perturbs the top k values of logits in each column, and an impersonation attack, which emulates knowledge significantly deviating from the norm. To counter such attacks, we propose a robust aggregation strategy-FedTGD (Federated Top Guard Distillation), designed to ensure robust distillation with heterogeneous models. Specifically, FedTGD incorporates Density-Based Spatial Clustering of Applications with Noise (DBSCAN) and maximum cosine similarity on top-k values of logits to select benign knowledge. Experimental evaluations conducted on FEMNIST and CIFAR100 datasets, considering scenarios for both IID and Non-IID, reveal that top-k attack results in a substantial 27.16% accuracy reduction for FedMD. In contrast, our aggregation method shows a marginal 0.7% accuracy decrease under top-k attacks, outperforming state-of-the-art baselines.