Defense against poisoning in Federated Learning Systems for Autonomous Driving

Background

Autonomous driving is a prominent 6G use case that will benefit from ultra-low latency and high-reliability communication. Many autonomous driving tasks (image classification, object detection and semantic segmentation) are carried out with Artificial Intelligence and Machine Learning, and the massive amounts of data generated by vehicles are an invaluable source for learning algorithms. There is strong motivation to protect this sensitive data given existing and emerging privacy regulation. Federated Learning (FL) is a distributed machine learning technique that allows learning from a large population while keeping raw data at the source. However, FL can be vulnerable to poisoning attacks that degrade model performance. Our demonstration explores the question:
"What if malicious data from compromised participants is fed to distributed learning systems in autonomous driving?"

Implementation

We implement a traffic-sign recognition system using Federated Learning with Convolutional Neural Networks (CNN). CNNs learn patterns regardless of where they appear in the training image, which makes them a favored approach for image-based classification. We use the autonomous driving dataset German Traffic Sign Recognition Benchmark (GTSRB) for training. The charts displayed in the dashboard present the following three scenarios.
  1. Benign Scenario: Participants with different traffic-sign datasets train their own CNN and share the trained weights with the central server. The central server updates the global model using the provided weights and broadcasts it to all participants.
  2. Poisoned Scenario: We define the percentage of malicious participants and simulate them conducting a label flipping attack on the system. The selected participants flip the labels of a specific class so that the model is trained to misclassify it as another class. They share the poisoned weights alongside the honest participants, and the central server aggregates the poisoned weights, causing performance to degrade over training iterations. We choose a subset of road signs as training classes:
     Training classes (subset of road signs): 0, 1, 2, 3, 4, 5
     We conduct the following label flipping attack: Class 2 is relabelled as Class 4.
  3. Recovered Scenario: We implement the FoolsGold algorithm at the central server. The defense compares the model updates received from the distributed set of cars, performs a similarity measurement, identifies updates that look malicious, and assigns a lower aggregation weight to potentially poisoned models.
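The three scenarios above reduce to one aggregation round at the central server: honest updates, near-identical poisoned updates, and a weighting step that discounts the latter. The following is an added example, not code from the demonstration or from the FoolsGold authors. It follows the published FoolsGold weighting steps (pairwise cosine similarity, pardoning, logit rescaling) in pure Python, and it replaces the CNN weight updates with constructed six-element vectors, one entry per training class 0..5, so that the effect of the class 2 to class 4 label flip on aggregation can be seen without training anything. The client vectors, the choice of a weighted mean for aggregation and the function names are all assumptions of this example.

```python
import math

# Constructed example: each client's "model update" is a 6-element vector,
# one entry per traffic-sign class 0..5, standing in for the CNN weight
# update the client would send to the central server.
NUM_CLASSES = 6


def cosine(u, v):
    """Cosine similarity between two update vectors (0.0 if either is zero)."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    if nu == 0.0 or nv == 0.0:
        return 0.0
    return dot / (nu * nv)


def foolsgold_weights(updates):
    """Per-client aggregation weights in [0, 1] following the FoolsGold steps:
    pairwise cosine similarity, pardoning of clients whose similarity is
    explained by a more suspicious peer, then a logit rescaling so that
    near-identical (sybil-like) updates receive a weight close to 0."""
    n = len(updates)
    # Pairwise similarity with the diagonal zeroed, as in the reference method.
    cs = [[0.0 if i == j else cosine(updates[i], updates[j]) for j in range(n)]
          for i in range(n)]
    maxcs = [max(row) for row in cs]
    # Pardoning: if client i looks less suspicious than j, scale down cs[i][j]
    # so an honest client is not penalised merely for resembling a poisoner.
    for i in range(n):
        for j in range(n):
            if i != j and maxcs[i] < maxcs[j]:
                cs[i][j] = cs[i][j] * maxcs[i] / maxcs[j]
    wv = [min(1.0, max(0.0, 1.0 - max(row))) for row in cs]
    top = max(wv)
    if top == 0.0:
        return [0.0] * n          # every update is suspicious: trust nothing
    out = []
    for w in wv:
        w = w / top
        if w >= 1.0:
            w = 0.99              # keep the logit finite
        if w <= 0.0:
            out.append(0.0)       # log(0) would be -inf, which clips to 0
            continue
        w = math.log(w / (1.0 - w)) + 0.5
        out.append(min(1.0, max(0.0, w)))
    return out


def aggregate(updates, weights=None):
    """Weighted mean of the updates (an assumption of this example);
    uniform weights reproduce plain federated averaging."""
    if weights is None:
        weights = [1.0] * len(updates)
    total = sum(weights)
    if total == 0.0:
        return [0.0] * NUM_CLASSES   # nothing trusted this round: keep the global model
    return [sum(w * u[k] for w, u in zip(weights, updates)) / total
            for k in range(NUM_CLASSES)]


# Constructed updates. Honest clients hold different local sign datasets, so
# they agree only weakly: each nudges class 2 up plus its own local direction.
HONEST = [
    [1.0, 0.1, 0.3, 0.0, 0.0, 0.0],
    [0.1, 1.0, 0.3, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.3, 1.0, 0.0, 0.1],
]
# Label-flipping poisoners (class 2 relabelled as class 4) share one objective,
# so their updates are near-identical: push class 2 down and class 4 up.
POISONED = [
    [0.0, 0.0, -1.0, 0.0, 1.0, 0.0],
    [0.0, 0.0, -1.0, 0.0, 1.0, 0.0],
]


def run_round():
    """One aggregation round over all clients.
    Returns (foolsgold_weights, plain_average, defended_average)."""
    updates = HONEST + POISONED
    weights = foolsgold_weights(updates)
    return weights, aggregate(updates), aggregate(updates, weights)


if __name__ == "__main__":
    w, plain, defended = run_round()
    print("FoolsGold weights per client:", [round(x, 3) for x in w])
    print("plain average, class-2 entry:    ", round(plain[2], 3))
    print("defended average, class-2 entry: ", round(defended[2], 3))
```

With these inputs the three honest clients keep weight 1.0 and both poisoners drop to 0.0, so the plain average is pulled negative on class 2 (the flipped class) while the defended average keeps the honest, positive class-2 direction and receives no push toward class 4. The detection rests on the poisoners' updates being far more similar to each other than honest updates are to one another; a single poisoner whose update is not correlated with any other client would not be flagged by this similarity test alone.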

Outcome

We observe that the defense mechanism recovers the accuracy loss by continuously removing the poisoning effects during the training phase. We also see that it holds up well as the share of poisoners in the system grows. Introducing a defense mechanism against poisoning attacks therefore adds safety to the learning process and helps ensure the system learns accurately. Such systems help prevent situations like collisions between vehicles caused by improper object classification, where the outcome could be catastrophic.

Our demonstration indicates that it is imperative for Artificial Intelligence and Machine Learning for Autonomous Driving in the 6G era to employ novel defense algorithms against poisoning attacks.
Authors: J. Kehelwala, Y. Siriwardhana, T. Hewa, M. Ylianttila.