WMDefense: Using Watermark to Defense Byzantine Attacks in Federated Learning

Federated learning enables data owners to train a global ML model without exchanging data. However, the unique pattern of training in federated learning can be exploited by malicious adversaries. These malicious adversaries degrade the accuracy of the federated training model by sending malicious inputs during the federated training process. Existing Byzantine robust federated learning algorithms remain vulnerable to customized local model poisoning attacks because they are not designed with a suitable malicious client detection mechanism. To defend against the latest Byzantine attacks, this work proposes an effective algorithm, WMDefense, which identifies malicious clients by embedding a watermark to the global model and tracking the degree of watermark recession after local model training. Our experiments apply WMDefense to two recent Byzantine attack algorithms and validate them using two publicly available datasets, showing that it can defend well against both attacks. Furthermore, we compare WMDefense with two current state-of-the-art Byzantine robustness federated learning algorithms and show our superior performance.