Byzantine-Robust Distributed Learning: Towards Optimal Statistical Rates

03/05/2018 ∙ by Dong Yin, et al. ∙ cornell university berkeley college 0

In large-scale distributed learning, security issues have become increasingly important. Particularly in a decentralized environment, some computing units may behave abnormally, or even exhibit Byzantine failures---arbitrary and potentially adversarial behavior. In this paper, we develop distributed learning algorithms that are provably robust against such failures, with a focus on achieving optimal statistical performance. A main result of this work is a sharp analysis of two robust distributed gradient descent algorithms based on median and trimmed mean operations, respectively. We prove statistical error rates for three kinds of population loss functions: strongly convex, non-strongly convex, and smooth non-convex. In particular, these algorithms are shown to achieve order-optimal statistical error rates for strongly convex losses. To achieve better communication efficiency, we further propose a median-based distributed algorithm that is provably robust, and uses only one communication round. For strongly convex quadratic loss, we show that this algorithm achieves the same optimal error rate as the robust distributed gradient descent algorithms.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Many tasks in computer vision, natural language processing and recommendation systems require learning complex prediction rules from large datasets. As the scale of the datasets in these learning tasks continues to grow, it is crucial to utilize the power of distributed computing and storage. In such large-scale distributed systems, robustness and security issues have become a major concern. In particular, individual computing units—known as worker machines—may exhibit abnormal behavior due to crashes, faulty hardware, stalled computation or unreliable communication channels. Security issues are only exacerbated in the so-called

Federated Learning setting, a modern distributed learning paradigm that is more decentralized, and that uses the data owners’ devices (such as mobile phones and personal computers) as worker machines (McMahan and Ramage, 2017, Konečnỳ et al., 2016). Such machines are often more unpredictable, and in particular may be susceptible to malicious and coordinated attacks.

Due to the inherent unpredictability of this abnormal (sometimes adversarial) behavior, it is typically modeled as Byzantine failure (Lamport et al., 1982)

, meaning that some worker machines may behave completely arbitrarily and can send any message to the master machine that maintains and updates an estimate of the parameter vector to be learned. Byzantine failures can incur major degradation in learning performance. It is well-known that standard learning algorithms based on naive aggregation of the workers’ messages can be arbitrarily skewed by a single Byzantine-faulty machine. Even when the messages from Byzantine machines take only moderate values—and hence are difficult to detect—and when the number of such machines is small, the performance loss can still be significant. We demonstrate such an example in our experiments in Section 


In this paper, we aim to develop distributed statistical learning algorithms that are provably robust against Byzantine failures. While this objective is considered in a few recent works (Feng et al., 2014, Blanchard et al., 2017, Chen et al., 2017), a fundamental problem remains poorly understood, namely the optimal statistical performance of a robust learning algorithm. A learning scheme in which the master machine always outputs zero regardless of the workers’ messages is certainly not affected by Byzantine failures, but it will not return anything statistically useful either. On the other hand, many standard distributed algorithms that achieve good statistical performance in the absence of Byzantine failures, become completely unreliable otherwise. Therefore, a main goal of this work is to understand the following questions: what is the best achievable statistical performance while being Byzantine-robust, and what algorithms achieve this performance?

To formalize this question, we consider a standard statistical setting of empirical risk minimization (ERM). Here data points are sampled independently from some distribution and distributed evenly among machines,

of which are Byzantine. The goal is to learn a parametric model by minimizing some loss function defined by the data. In this statistical setting, one expects that the error in learning the parameter, measured in an appropriate metric, should decrease when the amount of data

becomes larger and the fraction of Byzantine machines becomes smaller. In fact, we can show that, at least for strongly convex problems, no algorithm can achieve an error lower than

regardless of communication costs;111Throughout the paper, unless otherwise stated, and hide universal multiplicative constants; and further hide terms that are independent of or logarithmic in see Observation 1 in Section 6. Intuitively, the above error rate is the optimal rate that one should target, as

is the effective standard deviation for each machine with

data points, is the bias effect of Byzantine machines, and is the averaging effect of normal machines. When there are no or few Byzantine machines, we see the usual scaling with the total number of data points; when some machines are Byzantine, their influence remains bounded, and moreover is proportional to . If an algorithm is guaranteed to attain this bound, we are assured that we do not sacrifice the quality of learning when trying to guard against Byzantine failures—we pay a price that is unavoidable, but otherwise we achieve the best possible statistical accuracy in the presence of Byzantine failures.

Another important consideration for us is communication efficiency. As communication between machines is costly, one cannot simply send all data to the master machine. This constraint precludes direct application of standard robust learning algorithms (such as M-estimators (Huber, 2011)), which assume access to all data. Instead, a desirable algorithm should involve a small number of communication rounds as well as a small amount of data communicated per round. We consider a setting where in each round a worker or master machine can only communicate a vector of size , where is the dimension of the parameter to be learned. In this case, the total communication cost is proportional to the number of communication rounds.

To summarize, we aim to develop distributed learning algorithms that simultaneously achieve two objectives:

  • Statistical optimality: attain an rate.

  • Communication efficiency: communication per round, with as few rounds as possible.

To the best of our knowledge, no existing algorithm achieves these two goals simultaneously. In particular, previous robust algorithms either have unclear or sub-optimal statistical guarantees, or incur a high communication cost and hence are not applicable in a distributed setting—we discuss related work in more detail in Section 2.

1.1 Our Contributions

We propose two robust distributed gradient descent (GD) algorithms, one based on coordinate-wise median, and the other on coordinate-wise trimmed mean. We establish their statistical error rates for strongly convex, non-strongly convex, and non-convex population loss functions. For strongly convex losses, we show that these algorithms achieve order-optimal statistical rates under mild conditions. We further propose a median-based robust algorithm that only requires one communication round, and show that it also achieves the optimal rate for strongly convex quadratic losses. The statistical error rates of these three algorithms are summarized as follows.

  • Median-based GD: , order-optimal for strongly convex loss if .

  • Trimmed-mean-based GD: , order-optimal for strongly convex loss.

  • Median-based one-round algorithm: , order-optimal for strongly convex quadratic loss if .

A major technical challenge in our statistical setting here is as follows: the data points are sampled once and fixed, and each worker machine has access to a fixed set of data throughout the learning process. This creates complicated probabilistic dependency across the iterations of the algorithms. Worse yet, the Byzantine machines, which have complete knowledge of the data and the learning algorithm used, may create further unspecified probabilistic dependency. We overcome this difficulty by proving certain uniform bounds via careful covering arguments. Furthermore, for the analysis of median-based algorithms, we cannot simply adapt standard techniques (such as those in Minsker et al. (2015)), which can only show that the output of the master machine is as accurate as that of one normal machine, leading to a sub-optimal rate even without Byzantine failures (). Instead, we make use of a more delicate argument based on normal approximation and Berry-Esseen-type inequalities, which allows us to achieve the better rates when is small while being robust for a nonzero .

Above we have omitted the dependence on the parameter dimension ; see our main theorems for the precise results. In some settings the rates in these results may not have the optimal dependence on . Understanding the fundamental limits of robust distributed learning in high dimensions, as well as developing algorithms with optimal dimension dependence, is an interesting and important future direction.

1.2 Notation

We denote vectors by boldface lowercase letters such as , and the elements in the vector are denoted by italics letters with subscripts, such as . Matrices are denoted by boldface uppercase letters such as . For any positive integer , we denote the set by . For vectors, we denote the norm and norm by and , respectively. For matrices, we denote the operator norm and the Frobenius norm by and , respectively. We denote by

the cumulative distribution function (CDF) of the standard Gaussian distribution. For any differentiable function

, we denote its partial derivative with respect to the -th argument by .

2 Related Work

Outlier-robust estimation in non-distributed settings is a classical topic in statistics (Huber, 2011). Particularly relevant to us is the so-called median-of-means method, in which one partitions the data into subsets, computes an estimate from each subset, and finally takes the median of these estimates. This idea is studied in Nemirovskii et al. (1983), Jerrum et al. (1986), Alon et al. (1999), Lerasle and Oliveira (2011), Minsker et al. (2015), and has been applied to bandit and least square regression problems (Bubeck et al., 2013, Lugosi and Mendelson, 2016, Kogler and Traxler, 2016) as well as problems involving heavy-tailed distributions (Hsu and Sabato, 2016, Lugosi and Mendelson, 2017). In a very recent work, Minsker and Strawn (2017) provide a new analysis of median-of-means using a normal approximation. We borrow some techniques from this paper, but need to address a significant harder problem: 1) we deal with the Byzantine setting with arbitrary/adversarial outliers, which is not considered in their paper; 2) we study iterative algorithms for general multi-dimensional problems with convex and non-convex losses, while they mainly focus on one-shot algorithms for mean-estimation-type problems.

The median-of-means method is used in the context of Byzantine-robust distributed learning in two recent papers. In particular, the work of Feng et al. (2014) considers a simple one-shot application of median-of-means, and only proves a sub-optimal error rate as mentioned. The work of Chen et al. (2017) considers only strongly convex losses, and seeks to circumvent the above issue by grouping the worker machines into mini-batches; however, their rate still falls short of being optimal, and in particular their algorithm fails even when there is only one Byzantine machine in each mini-batch.

Other methods have been proposed for Byzantine-robust distributed learning and optimization; e.g., Su and Vaidya (2016a, b). These works consider optimizing fixed functions and do not provide guarantees on statistical error rates. Most relevant is the work by Blanchard et al. (2017)

, who propose to aggregate the gradients from worker machines using a robust procedure. Their optimization setting—which is at the level of stochastic gradient descent and assumes unlimited, independent access to a strong stochastic gradient oracle—is fundamentally different from ours; in particular, they do not provide a characterization of the statistical errors given a fixed number of data points.

Communication efficiency has been studied extensively in non-Byzantine distributed settings (McMahan et al., 2016, Yin et al., 2017). An important class of algorithms are based on one-round aggregation methods (Zhang et al., 2012, 2015, Rosenblatt and Nadler, 2016). More sophisticated algorithms have been proposed in order to achieve better accuracy than the one-round approach while maintaining lower communication costs; examples include DANE (Shamir et al., 2014), Disco (Zhang and Lin, 2015), distributed SVRG (Lee et al., 2015) and their variants (Reddi et al., 2016, Wang et al., 2017). Developing Byzantine-robust versions of these algorithms is an interesting future direction.

For outlier-robust estimation in non-distributed settings, much progress has been made recently in terms of improved performance in high-dimensional problems (Diakonikolas et al., 2016, Lai et al., 2016, Bhatia et al., 2015) as well as developing list-decodable and semi-verified learning schemes when a majority of the data points are adversarial (Charikar et al., 2017). These results are not directly applicable to our distributed setting with general loss functions, but it is nevertheless an interesting future problem to investigate their potential extension for our problem.

3 Problem Setup

In this section, we formally set up our problem and introduce a few concepts key to our the algorithm design and analysis. Suppose that training data points are sampled from some unknown distribution on the sample space . Let be a loss function of a parameter vector associated with the data point , where is the parameter space, and is the corresponding population loss function. Our goal is to learn a model defined by the parameter that minimizes the population loss:


The parameter space is assumed to be convex and compact with diameter , i.e., . We consider a distributed computation model with one master machine and worker machines. Each worker machine stores data points, each of which is sampled independently from . Denote by the -th data on the -th worker machine, and the empirical risk function for the -th worker. We assume that an fraction of the worker machines are Byzantine, and the remaining fraction are normal. With the notation , we index the set of worker machines by , and denote the set of Byzantine machines by (thus ). The master machine communicates with the worker machines using some predefined protocol. The Byzantine machines need not obey this protocol and can send arbitrary messages to the master; in particular, they may have complete knowledge of the system and learning algorithms, and can collude with each other.

We introduce the coordinate-wise median and trimmed mean operations, which serve as building blocks for our algorithm.

Definition 1 (Coordinate-wise median).

For vectors , , the coordinate-wise median is a vector with its -th coordinate being for each , where is the usual (one-dimensional) median.

Definition 2 (Coordinate-wise trimmed mean).

For and vectors , , the coordinate-wise -trimmed mean is a vector with its -th coordinate being for each . Here is a subset of obtained by removing the largest and smallest fraction of its elements.

For the analysis, we need several standard definitions concerning random variables/vectors.

Definition 3 (Variance of random vectors).

For a random vector

, define its variance as


Definition 4 (Absolute skewness).

For a one-dimensional random variable , define its absolute skewness222Note the difference with the usual skewness . as . For a -dimensional random vector , we define its absolute skewness as the vector of the absolute skewness of each coordinate of , i.e., .

Definition 5 (Sub-exponential random variables).

A random variable with is called -sub-exponential if .

Finally, we need several standard concepts from convex analysis regarding a differentiable function .

Definition 6 (Lipschitz).

is -Lipschitz if .

Definition 7 (Smoothness).

is -smooth if .

Definition 8 (Strong convexity).

is -strongly convex if .

4 Robust Distributed Gradient Descent

We describe two robust distributed gradient descent algorithms, one based on coordinate-wise median and the other on trimmed mean. These two algorithms are formally given in Algorithm 1 as Option I and Option II, respectively, where the symbol represents an arbitrary vector.

In each parallel iteration of the algorithms, the master machine broadcasts the current model parameter to all worker machines. The normal worker machines compute the gradients of their local loss functions and then send the gradients back to the master machine. The Byzantine machines may send any messages of their choices. The master machine then performs a gradient descent update on the model parameter with step-size , using either the coordinate-wise median or trimmed mean of the received gradients. The Euclidean projection ensures that the model parameter stays in the parameter space .

Initialize parameter vector , algorithm parameters (for Option II), and .
for  do
   Master machine: send to all the worker machines.
   for all do in parallel
      Worker machine : compute local gradient
      send to master machine.
   end for
   Master machine: compute aggregate gradient
   update model parameter .
end for
Algorithm 1 Robust Distributed Gradient Descent

Below we provide statistical guarantees on the error rates of these algorithms, and compare their performance. Throughout we assume that each loss function and the population loss function are smooth:

Assumption 1 (Smoothness of and ).

For any , the partial derivative of with respect to the -th coordinate of its first argument, denoted by , is -Lipschitz for each , and the function is -smooth. Let . Also assume that the population loss function is -smooth.

It is easy to see hat . When the dimension of is high, the quantity may be large. However, we will soon see that only appears in the logarithmic factors in our bounds and thus does not have a significant impact.

4.1 Guarantees for Median-based Gradient Descent

We first consider our median-based algorithm, namely Algorithm 1 with Option I. We impose the assumptions that the gradient of the loss function has bounded variance, and each coordinate of the gradient has coordinate-wise bounded absolute skewness:

Assumption 2 (Bounded variance of gradient).

For any , .

Assumption 3 (Bounded skewness of gradient).

For any , .

These assumptions are satisfied in many learning problems with small values of and

. Below we provide a concrete example in terms of a linear regression problem.

Proposition 1.

Suppose that each data point is generated by with some . Assume that the elements of

are independent and uniformly distributed in

, and that the noise is independent of . With the quadratic loss function , we have , and

We prove Proposition 1 in Appendix A.1. In this example, the upper bound on depends on dimension and the diameter of the parameter space. If the diameter is a constant, we have . Moreover, the gradient skewness is bounded by a universal constant regardless of the size of the parameter space. In Appendix A.2, we provide another example showing that when the features in are i.i.d. Gaussian distributed, the coordinate-wise skewness can be upper bounded by .

We now state our main technical results on the median-based algorithm, namely statistical error guarantees for strongly convex, non-strongly convex, and smooth non-convex population loss functions . In the first two cases with a convex , we assume that , the minimizer of in , is also the minimizer of in , i.e., .

Strongly Convex Losses:

We first consider the case where the population loss function is strongly convex. Note that we do not require strong convexity of the individual loss functions .

Theorem 1.

Consider Option I in Algorithm 1. Suppose that Assumptions 12, and 3 hold, is -strongly convex, and the fraction of Byzantine machines satisfies


for some . Choose step-size

. Then, with probability at least

, after parallel iterations, we have



and is defined as


with being the inverse of the cumulative distribution function of the standard Gaussian distribution .

We prove Theorem 1 in Appendix B. In (3), we hide universal constants and a higher order term that scales as , and the factor is a function of ; as a concrete example, when . Theorem 1 together with the inequality , guarantees that after running parallel iterations, with high probability we can obtain a solution with error .

Here we achieve an error rate (defined as the distance between and the optimal solution ) of the form . In Section 6, we provide a lower bound showing that the error rate of any algorithm is . Therefore the first two terms in the upper bound cannot be improved. The third term is due to the dependence of the median on the skewness of the gradients. When each worker machine has a sufficient amount of data, more specifically , we achieve an order-optimal error rate up to logarithmic factors.

Non-strongly Convex Losses:

We next consider the case where the population risk function is convex, but not necessarily strongly convex. In this case, we need a mild technical assumption on the size of the parameter space .

Assumption 4 (Size of ).

The parameter space contains the following ball centered at : .

We then have the following result on the convergence rate in terms of the value of the population risk function.

Theorem 2.

Consider Option I in Algorithm 1. Suppose that Assumptions 123 and 4 hold, and that the population loss is convex, and satisfies (2) for some . Define as in (3), and choose step-size . Then, with probability at least , after parallel iterations, we have

We prove Theorem 2 in Appendix C. We observe that the error rate, defined as the excess risk , again has the form .

Non-convex Losses:

When is non-convex but smooth, we need a somewhat different technical assumption on the size of .

Assumption 5 (Size of ).

Suppose that , . We assume that contains the ball , where is defined as in (3).

We have the following guarantees on the rate of convergence to a critical point of the population loss .

Theorem 3.

Consider Option I in Algorithm 1. Suppose that Assumptions 1 23 and 5 hold, and satisfies (2) for some . Define as in (3), and choose step-size . With probability at least , after parallel iterations, we have

We prove Theorem 3 in Appendix D. We again obtain an error rate in terms of the gap to a critical point of .

4.2 Guarantees for Trimmed-mean-based Gradient Descent

We next analyze the robust distributed gradient descent algorithm based on coordinate-wise trimmed mean, namely Option II in Algorithm 1. Here we need stronger assumptions on the tail behavior of the partial derivatives of the loss functions—in particular, sub-exponentiality.

Assumption 6 (Sub-exponential gradients).

We assume that for all and , the partial derivative of with respect to the -th coordinate of , , is -sub-exponential.

The sub-exponential property implies that all the moments of the derivatives are bounded. This is a stronger assumption than the bounded absolute skewness (hence bounded third moments) required by the median-based GD algorithm.

We use the same example as in Proposition 1 and show that the derivatives of the loss are indeed sub-exponential.

Proposition 2.

Consider the regression problem in Proposition 1. For all and , the partial derivative is -sub-exponential.

Proposition 2 is proved in Appendix A.3. We now proceed to establish the statistical guarantees of the trimmed-mean-based algorithm, for different loss function classes. When the population loss is convex, we again assume that the minimizer of in is also its minimizer in . The next three theorems are analogues of Theorems 13 for the median-based GD algorithm.

Strongly Convex Losses:

We have the following result.

Theorem 4.

Consider Option II in Algorithm 1. Suppose that Assumptions 1 and 6 hold, is -strongly convex, and for some . Choose step-size . Then, with probability at least , after parallel iterations, we have



We prove Theorem 4 in Appendix E. In (5), we hide universal constants and higher order terms that scale as or . By running parallel iterations, we can obtain a solution satisfying . Note that one needs to choose the parameter for trimmed mean to satisfy . If we set for some universal constant , we can achieve an order-optimal error rate .

Non-strongly Convex Losses:

Again imposing Assumption 4 on the size of , we have the following guarantee.

Theorem 5.

Consider Option II in Algorithm 1. Suppose that Assumptions 14 and 6 hold, is convex, and for some . Choose step-size , and define as in (5). Then, with probability at least , after parallel iterations, we have

The proof of Theorem 5 is similar to that of Theorem 2, and we refer readers to Remark 1 in Appendix E. Again, by choosing , we obtain the error rate in the function value of .

Non-convex Losses:

In this case, imposing a version of Assumption 5 on the size of , we have the following.

Theorem 6.

Consider Option II in Algorithm 1, and define as in (5). Suppose that Assumptions 1 and 6 hold, Assumption 5 holds with replaced by , and for some . Choose step-size . Then, with probability at least , after parallel iterations, we have

The proof of Theorem 6 is similar to that of Theorem 3; see Remark 1 in Appendix E. By choosing with , we again achieve the statistical rate .

4.3 Comparisons

We compare the performance guarantees of the above two robust distribute GD algorithms. The trimmed-mean-based algorithm achieves the statistical error rate , which is order-optimal for strongly convex loss. In comparison, the rate of the median-based algorithm is , which has an additional term and is only optimal when . In particular, the trimmed-mean-based algorithm has better rates when each worker machine has small local sample size—the rates are meaningful even in the extreme case . On the other hand, the median-based algorithm requires milder tail/moment assumptions on the loss derivatives (bounded skewness) than its trimmed-mean counterpart (sub-exponentiality). Finally, the trimmed-mean operation requires an additional parameter , which can be any upper bound on the fraction of Byzantine machines in order to guarantee robustness. Using an overly large may lead to a looser bound and sub-optimal performance. In contrast, median-based GD does not require knowledge of . We summarize these observations in Table 1. We see that the two algorithms are complementary to each other, and our experiment results corroborate this point.

median GD trimmed mean GD
Statistical error rate
Distribution of Bounded skewness Sub-exponential
known? No Yes
Table 1: Comparison between the two robust distributed gradient descent algorithms.

5 Robust One-round Algorithm

As mentioned, in our distributed computing framework, the communication cost is proportional to the number of parallel iterations. The above two GD algorithms both require a number iterations depending on the desired accuracy. Can we further reduce the communication cost while keeping the algorithm Byzantine-robust and statistically optimal?

A natural candidate is the so-called one-round algorithm. Previous work has considered a standard one-round scheme where each local machine computes the empirical risk minimizer (ERM) using its local data and the master machine receives all workers’ ERMs and computes their average (Zhang et al., 2012). Clearly, a single Byzantine machine can arbitrary skew the output of this algorithm. We instead consider a Byzantine-robust one-round algorithm. As detailed in Algorithm 2, we employ the coordinate-wise median operation to aggregate all the ERMs.

for all do in parallel
   Worker machine : compute:
   send to master machine.
end for
Master machine: compute .
Algorithm 2 Robust One-round Algorithm

Our main result is a characterization of the error rate of Algorithm 2 in the presence of Byzantine failures. We are only able to establish such a guarantee when the loss functions are quadratic and . However, one can implement this algorithm in problems with other loss functions.

Definition 9 (Quadratic loss function).

The loss function is quadratic if it can be written as

where , , and , and are drawn from the distributions , , and , respectively.

Denote by , , and the expectations of , , and , respectively. Thus the population risk function takes the form .

We need a technical assumption which guarantees that each normal worker machine has unique ERM.

Assumption 7 (Strong convexity of ).

With probability , the empirical risk minimization function on each normal machine is strongly convex.

Note that this assumption is imposed on , rather than on the individual loss associated with a single data point. This assumption is satisfied, for example, when all ’s are strongly convex, or in the linear regression problems with the features drawn from some continuous distribution (e.g. isotropic Gaussian) and . We have the following guarantee for the robust one-round algorithm.

Theorem 7.

Suppose that , the loss function is convex and quadratic, is -strongly convex, and Assumption 7 holds. Assume that satisfies

for some , where is a quantity that depends on , , and is monotonically decreasing in . Then, with probability at least , the output of the robust one-round algorithm satisfies

where is defined as in (4) and

with and drawn from and , respectively.

We prove Theorem 7 and provide an explicit expression of in Appendix F. In terms of the dependence on , , and , the robust one-round algorithm achieves the same error rate as the robust gradient descent algorithm based on coordinate-wise median, i.e., , for quadratic problems. Again, this rate is optimal when . Therefore, at least for quadratic loss functions, the robust one-round algorithm has similar theoretical performance as the robust gradient descent algorithm with significantly less communication cost. Our experiments show that the one-round algorithm has good empirical performance for other losses as well.

6 Lower Bound

In this section, we provide a lower bound on the error rate for strongly convex losses, which implies that the term is unimprovable. This lower bound is derived using a mean estimation problem, and is an extension of the lower bounds in the robust mean estimation literature such as Chen et al. (2015), Lai et al. (2016).

We consider the problem of estimating the mean of some random variable , which is equivalent to solving the following minimization problem:


Note that this is a special case of the general learning problem (1). We consider the same distributed setting as in Section 4, with a minor technical difference regarding the Byzantine machines. We assume that each of the worker machines is Byzantine with probability , independently of each other. The parameter is therefore the expected fraction of Byzantine machines. This setting makes the analysis slightly easier, and we believe the result can be extended to the original setting.

In this setting we have the following lower bound.

Observation 1.

Consider the distributed mean estimation problem in (6) with Byzantine failure probability , and suppose that is Gaussian distribution with mean and covariance matrix . Then, any algorithm that computes an estimation of the mean from the data has a constant probability of error .

We prove Observation 1 in Appendix G. According to this observation, we see that the dependence cannot be avoided, which in turn implies the order-optimality of the results in Theorem 1 (when ) and Theorem 4.

7 Experiments

We conduct experiments to show the effectiveness of the median and trimmed mean operations. Our experiments are implemented with Tensorflow 

(Abadi et al., 2016) on Microsoft Azure system. We use the MNIST (LeCun et al., 1998) dataset and randomly partition the 60,000 training data into subsamples with equal sizes. We use these subsamples to represent the data on machines.

In the first experiment, we compare the performance of distributed gradient descent algorithms in the following four settings: 1) (no Byzantine machines), using vanilla distributed gradient descent (aggregating the gradients by taking the mean), 2) , using vanilla distributed gradient descent, 3) , using median-based algorithm, and 4) , using trimmed-mean-based algorithm. We generate the Byzantine machines in the following way: we replace every training label on these machines with , e.g., is replaced with , is replaced with , etc, and the Byzantine machines simply compute gradients based on these data. We also note that when generating the Byzantine machines, we do not simply add extreme values in the features or gradients; instead, the Byzantine machines send messages to the master machine with moderate values.

We train a multi-class logistic regression model and a convolutional neural network model using distributed gradient descent, and for each model, we compare the test accuracies in the aforementioned four settings. For the convolutional neural network model, we use the stochastic version of the distributed gradient descent algorithm; more specifically, in every iteration, each worker machine computes the gradient using

of its local data. We periodically check the test errors, and the convergence performances are shown in Figure 1. The final test accuracies are presented in Tables 2 and 3.

0 0.05
Algorithm mean mean median trimmed mean
Test accuracy (%) 88.0 76.8 87.2 86.9
Table 2: Test accuracy on the logistic regression model using gradient descent. We set , and for trimmed mean, we choose .
0 0.1
Algorithm mean mean median trimmed mean
Test accuracy (%) 94.3 77.3 87.4 90.7
Table 3: Test accuracy on the convolutional neural network model using gradient descent. We set , and for trimmed mean, we choose .
Figure 1: Test error vs the number of parallel iterations.

As we can see, in the adversarial settings, the vanilla distributed gradient descent algorithm suffers from severe performance loss, and using the median and trimmed mean operations, we observe significant improvement in test accuracy. This shows these two operations can indeed defend against Byzantine failures.

In the second experiment, we compare the performance of distributed one-round algorithms in the following three settings: 1) , mean aggregation, 2) , mean aggregation, and 3) , median aggregation. In this experiment, the training labels on the Byzantine machines are i.i.d. uniformly sampled from , and these machines train models using the faulty data. We choose the multi-class logistic regression model, and the test accuracies are presented in Table 4.

0 0.1
Algorithm mean mean median
Test accuracy (%) 91.8 83.7 89.0
Table 4: Test accuracy on the logistic regression model using one-round algorithm. We set .

As we can see, for the one-round algorithm, although the theoretical guarantee is only proved for quadratic loss, in practice, the median-based one-round algorithm still improves the test accuracy in problems with other loss functions, such as the logistic loss here.

8 Conclusions

In this paper, we study Byzantine-robust distributed statistical learning algorithms with a focus on statistical optimality. We analyze two robust distributed gradient descent algorithms — one is based on coordinate-wise median and the other is based on coordinate-wise trimmed mean. We show that the trimmed-mean-based algorithm can achieve order-optimal error rate, whereas the median-based algorithm can achieve under weaker assumptions. We further study learning algorithms that have better communication efficiency. We propose a simple one-round algorithm that aggregates local solutions using coordinate-wise median. We show that for strongly convex quadratic problems, this algorithm can achieve error rate, similar to the median-based gradient descent algorithm. Our experiments validates the effectiveness of the median and trimmed mean operations in the adversarial setting.


D. Yin is partially supported by Berkeley DeepDrive Industry Consortium. Y. Chen is partially supported by NSF CRII award 1657420 and grant 1704828. K. Ramchandran is partially supported by NSF CIF award 1703678 and Gift award from Huawei. P. Bartlett is partially supported by NSF grant IIS-1619362. Cloud computing resources are provided by a Microsoft Azure for Research award.



Appendix A Variance, Skewness, and Sub-exponential Property

a.1 Proof of Proposition 1

We use the simplified notation . One can directly compute the gradients:

and thus

Define with its -th element being . We now compute the variance and absolute skewness of .

We can see that




which yields

Then we proceed to bound . By Jensen’s inequality, we know that


We first find a lower bound for . According to (8), we know that

Define the following three quantities.


By simple algebra, one can check that


and thus


Then, we find an upper bound on . According to (7), and Hölder’s inequality, we know that


where in the last inequality we use the moments of Gaussian random variables. Then, we compute the first term in (15). By algebra, one can obtain


Combining (15) and (16), we get