A Little Is Enough¶
A Little Is Enough (ALIE) gradient attack.
- Reference:
Gilad Baruch, Moriah Baruch, Yoav Goldberg, and Kfir Y. Levy. “A Little Is Enough: Circumventing Defenses For Distributed Learning.” In Advances in Neural Information Processing Systems 32 (NeurIPS 2019).
- class attacks.alie.ALIEAttack[source]¶
Bases:
AttackALIE attack.
Generates Byzantine gradients from the exact coordinate-wise mean and standard deviation of the honest gradients passed to the attack. The attack perturbs the honest mean by \(z \sigma\) along the chosen
Direction, where \(z\) is the attack factor.This corresponds to a statistics-oracle variant of ALIE rather than the original paper’s more restricted information setting: the attacker is assumed to know the full honest gradient distribution, not just a subset.
- classmethod generate(honest_gradients: Sequence[Tensor] | Tensor, /, out: Tensor | None = None, *, f: int, z: float | str = 'max', direction: Direction = Direction.NEGATIVE, **specialized: Any) Tensor[source]¶
Generate Byzantine gradients.
- Parameters:
honest_gradients – Sequence of \(h\) gradient vectors, one per honest worker, each of shape \((d,)\).
out – Optional pre-allocated tensor of shape \((f, d)\) to write the result into and return.
f – Number of Byzantine gradients to generate.
z – Attack factor in standard-deviation units, or
"max"for the largest factor that keeps the Byzantine gradients within a majority of the honest gradient distribution.direction – Direction of the perturbation relative to the honest mean.
**specialized – Additional keyword arguments.
- Returns:
Byzantine gradients of shape `` (f, d)
empty tensor of shape `` (0, d)
- Raises:
TypeError – If \(z\) is not a number or
"max",directionis not aDirection, or the honest gradients are not floating-point.ValueError – If \(z\) is negative, \(f\) is negative, there are no honest gradients, or the worker configuration admits no non-negative ALIE factor.
- static max_z(honest_gradients: Tensor, f: int) Tensor[source]¶
Compute the maximal valid ALIE attack factor for the worker configuration.
\(z_{\max}\) is the largest \(z\) such that \(\Phi(z) < (h - s) / h\), where \(h\) is the number of honest workers and \(s\) is the number of honest workers needed to form a majority among the \(n = h + f\) workers: \(s = \lfloor n / 2 \rfloor + 1 - f\).
- Parameters:
honest_gradients – Tensor of shape \((h, d)\) containing gradients from the \(h\) honest workers.
f – Number of Byzantine gradients to generate.
- Returns:
Maximal attack factor, as a 0-D tensor on the same device and
dtype as ``honest_gradients``.
- Raises:
ValueError – If there are no honest gradients, or if the worker configuration does not admit a non-negative ALIE factor.