Evading model poisoning attacks in federated learning by a long-short-term-memory-based approach

Abstract

Federated Learning is designed to build a global model from a set of local learning tasks carried out by several clients. Each client trains the global model on local data and sends back only the computed model updates. Although this approach preserves data privacy, several issues arise, and model poisoning is one of the most significant issues. According to this attack, a limited number of compromised clients cooperate to cause the corruption of the global model by sending back malicious model updates. A common countermeasure to model poisoning involves discarding model updates that differ from the majority more than a suitable threshold. However, several attacks still occur that elude this countermeasure, such as LIE attack, which aims to introduce an error in the model that is less than the threshold. In this paper, we propose a new approach to detect malicious updates that is based on the use of an LSTM network suitably built and trained. The experimental validation shows that our approach is able to disarm LIE and Fang attacks, which are the most effective in this context.

Keywords

deep learning attack detection AGR LIE Fang

1. Introduction

Machine learning techniques are grounded on the availability of large sets of stored data that can be used for training models and performing predictions. Despite the advantage of using a powerful computation infrastructure to carry out machine learning, whenever data are produced by different sources and collected by a server, a privacy issue arises if a data source does not desire to share such data.

Federated Learning was proposed in 2016 to address this problem.¹ In this approach, a centralized server builds a global model; a data source, said client, downloads the model from the server, trains the model on its data, and shares with the server only the parameter variations of the updated model. In this way, several clients retain possession of their data but allow the server to generate a new global model by suitably aggregating the clients’ contributions. Federated Learning solves the privacy issues introduced above but opens new concerns.^2–6 The first concern is that each client can see a particular type of data distribution (for example, due to its geographic location) and this may reduce the accuracy of the model.⁷ Suitably tuning the model aggregation technique can help reduce this problem.⁸ A second concern pertains to communication as Federated Learning introduces overhead due to the necessity of exchanging models between client and server.⁹ The typical solution is to use compression to reduce the model size and, consequently, the amount of data exchanged.¹⁰ Another concern regards privacy leakage: even though a client keeps its data private, the transmission of the model parameters may allow an attacker to infer the data used for training.¹¹ Differential privacy is used to reduce this problem.¹²

In this paper, we focus on another relevant security threat in Federated Learning known as poisoning attack. In this attack scenario, the adversary is on the client side and tries to damage the building of the global model. In the data-poisoning version of the attack, the adversary injects wrong data into the client.¹³ Model poisoning is more sophisticated than data poisoning: in this case, the adversary controls directly the model parameters sent back from the client to the server.⁹ The standard countermeasures are based on measuring the error rate and loss function produced by updating the model to decide whether to reject the received model updates.¹⁴ More specifically, Krum and Trimmed Mean are two aggregation algorithms¹⁵ widely used in the literature to contrast model poisoning attacks. Although these two defense algorithms work quite well against many attacks, they are eluded by the Little is Enough (LIE) attack¹⁶ and the Fang attack.¹⁴ The idea of these attacks is to introduce an error in the model updates that is so little (this motivates the name of the LIE attack) to be undetected.

In this paper, we target the aforementioned Federated Learning scenario, aiming to enhance its security to enable the training of reliable global models, even in the presence of adversaries. To do so, we advance the detection of model poisoning attacks by proposing a new approach, named Control Network, which is driven by artificial intelligence. AI-driven approaches have been extensively investigated in the recent scientific literature to enhance system security.¹⁷ However, to the best of our knowledge, no AI-based approach has been proposed to contrast model poisoning attacks. Our defense approach leverages an AI-driven strategy to build a generalized solution, providing robust defense across diverse attack types. Instead of defining an ad-hoc solution tailored to a specific attack, our AI model learns from threat patterns, allowing it to adaptively contrast new tactics, thus allowing for proactive security against evolving threats. By incorporating an AI-driven mechanism, we strengthen our defense making it comprehensive and dynamic coverage across multiple threat scenarios. Differently from standard solutions for secure aggregation, our Control Network is based on a Long-Short Term Memory (LSTM) network. An LSTM network is a recurrent neural network that learns when to remember or forget information and has been applied to recognition, forecasting, machine translation, sentiment analysis, and healthcare.^18–22 In our solution, the LSTM network is trained to classify a gradient update received from a client as benign or malicious. We assume that in an initial phase, called safe period, no attack occurs and this period is used to train the model with data that are benign. Moreover, to generate malicious data, some clients are attacked artificially, and the resulting updates are also used for training.

After the training, the LSTM network can be used to classify a client update as benign or malicious. In case of malicious updates, these contributions are not used to update the global model. Moreover, once a client is detected as malicious, it is possible to apply federated unlearning techniques²³ to reverse the impact of its previous updates on the model.

It is important to remark that our approach does not introduce any communication overhead because the whole processing is done by the central server using only the information exchanged by the federated learning approach. Furthermore, our choice to implement the Control Network using a relatively small LSTM model, rather than a more complex deep model, is driven by the design requirement to keep our defense lightweight and thus deployable in diverse, resource-constrained decentralized settings.

Through an experimental evaluation, we show that the use of our solution is able to contrast both LIE and Fang attacks: indeed we measured that these attacks reduce the mean accuracy of the model from about 0.80 to 0.54, whereas with the use of our technique the mean accuracy is about 0.75 (thus, close to the mean accuracy in the absence of attacks).

The rest of this paper is organized as follows. Section 2 discusses related work. In Section 3, we present our proposal to contrast model poisoning attacks. Section 4 discusses the results of the experiments carried out to validate our proposal. Section 5 provides the conclusions of our study.

2. Related work

In this section, we focus on model poisoning attacks and possible countermeasures.

The aim of model poisoning attacks is to reduce the performance of a Federated Learning model, which is obtained by sending back model weight updates that are artificially and suitably modified.^24,25 In a Byzantine attack, malicious users (named Byzantine workers) modify trained models to corrupt the model²⁶: as proved in Blanchard et al.,²⁷ one baleful user can be sufficient to compromise the accuracy of the model. A poisoning attack can rely on a backdoor attack to alter the intermediate data or weights²⁸: indeed, in a backdoor attack, the label of attacker-specified classes is changed during training, in such a way that these classes are badly classified.²⁹

One of the first model poisoning attacks based on a backdoor was proposed in Dumford and Scheirer,³⁰ where the authors attacked a face recognition system in order to grant access to impostor faces. In the same period, the authors of Rakin et al.³¹ showed that it is sufficient to flip a very negligible number of bits (less than 100 of a net with 88 million neurons) to force the model to classify all inputs to a certain target class.

These attacks succeed because the algorithm used to merge the model update information sent from the workers with the global model is commonly a weighted mean computed separately on each dimension of the input, in which the weight depends on the size of the training data used by each worker.

Many poisoning attacks expect that the attackers own some knowledge of the local models of the other clients or can obtain real training samples for several classes. When this assumption is unreasonable, generative adversarial networks (GANs) have been proposed to overcome this need.^32–34 GANs are trained to mimic samples of other clients and then produce new samples with the aim of generating poisoned updates of the global model. A schema depicting this type of attack is reported in Figure 1, where the first client works following a correct federated learning task, whereas the second client trains the local model on fake data suitable generated by a GAN network composed of a generator and a discriminator.

Figure 1.

Example of a GAN-based poisoning attack.

To make the model robust against these attacks, robust aggregation protocols (AGRs) have been proposed.¹⁵ The state-of-the-art AGRs are based on Krum and Trimmed Mean. Given $n$ workers, Krum aims to find at least one honest worker in such a way that its contribution is used to update the global model, whereas the contributions of the other workers are discarded. The honest participant is selected as the worker that is closest to other $n - f - 2$ workers, where $f$ is a parameter.²⁷ In a variant of Krum called Multi-Krum, more participants are used for updating: they are selected as the workers closest to other $n - f - 2$ workers.²⁷ The main disadvantage of Krum is that working on distance is not very effective in detecting attacks on a single dimension.

In contrast, Trimmed Mean works on each dimension separately and is a defense in which the weighted mean used to aggregate the workers’ contributions is computed on a subset of the contributions. Specifically, given $n$ workers, this subset is obtained by removing the largest and smallest $m$ elements (regardless of median).³⁵ In a variant of Trimmed Mean, called Mean-Around-Median, this subset is obtained by removing the top $m$ contributions (computed for each dimension of the input) that are furthest from the median.³⁶

Bulyan is a combination of Krum and Trimmed Mean³⁷: first, Krum is used to find a set of candidate contributions and, then, the Trimmed Mean approach is applied to compute aggregation. However, Bulyan is not effective against an attack able to trick both Krum and Trimmed Mean (as in our case).

However, the use of AGRs does not protect against model poisoning because numerous attacks are proposed in the literature.³⁸ Among them, one of the most significant and effective is the LIE attack.¹⁶ The Little is Enough (LIE) attack exploits the assumption done by most AGRs that the attacker chooses updates that are far away from the correct value of the update to corrupt the model (e.g., by returning a gradient that is opposite to the computed gradient, thus attacking the global model convergence). The basic idea of the attack is thus to find a suitable neighborhood of the correct gradient such that a gradient belonging to this neighborhood is not detected as malicious. The expected result is that, since some honest workers are farther away from the mean, they are detected as corrupted workers and skipped from the gradient computation.

Another relevant model poisoning attack is the Fang one.¹⁴ The underlying idea is to corrupt the global model by suitably crafting the local models sent from malicious workers at each iteration with the target of deviating the most towards the opposite of the direction that the global model would take in the absence of an attack. The attack is performed by solving an optimization problem aiming at finding the maximum local model crafts that are not detected by the standard countermeasures. By both a theoretical analysis and an experimental evaluation, the authors show that the Fang attack is able to elude both Krum and Trimmed Mean aggregation algorithms.

In this paper, we go a step ahead in improving model poisoning defense by proposing a new methodology that is very effective in contrasting both the LIE and the Fang attacks.

It is worth noting that there exist two techniques, namely Flame³⁹ and FoolsGold,⁴⁰ proposed to prevent these attacks. These strategies need, at each epoch, to calculate the pairwise cosine similarity between the updates, and for Flame, an additional step of clustering is required. Compared to this approach that achieves similar results our strategy has an advantage in terms of time complexity. Since both make use of cosine similarities, they have at least a time complexity of $O (n^{2} \cdot d)$ , where $n$ is the number of clients and $d$ is the dimension of the update’s vectors. Our control defense instead needs only to perform a forward pass of the network to classify the updates. Since we are using a simple LSTM the time complexity of a forward pass is given by the number of parameters⁴¹ that, like cosine similarity, depend on the size $d$ of the vectors’ updates. In this case, the time complexity is given by $O (W)$ , where $W$ is the number of parameters of the network. Our simple network has around $3 M$ parameters that are less compared to $n^{2} \cdot d = 7 M$ . Hence, $W < n^{2} \cdot d$ makes our solution less expensive in terms of complexity. Even more, the other solutions are dependent on the total number of clients $n$ where our approach always preserves the same complexity even with more clients.

3. Our proposal

This section is devoted to the definition of the proposed approach. We start by presenting a federated learning scenario, where a poisoning attack occurs.

3.1. Scenario

Consider a group of clients needing to solve a specific problem (typically, a classification or regression problem). Each client owns a dataset that can be used to train a machine learning model. Having the possibility to use the datasets of other clients to train the model would enhance the model performance but, in many situations, clients cannot share their datasets due to the need to keep confidential the dataset content (privacy).

For this reason, the clients decide to adopt federated learning to take advantage of their combined expertise while adhering to data privacy needs. The federated learning task is schematized in Figure 2, where, for the sake of simplicity, only two clients are considered.

Figure 2.

Federated learning scheme.

The process begins with the generation of an initial model, called the global model, which is handled by a server. Each client downloads the global model and trains it on its dataset. The obtained model is called the local model. Then, each client sends the updates of the local model (e.g., model parameters or gradients) to the server, which aggregates them to update the global model. At the next iteration, this new global model is distributed back to the clients for further refinement.

In this scenario, a poisoning attack is performed by a malicious client participating in the training of the model, which sends back to the server malicious updates to influence the model, ultimately aiming to disrupt the entire federated learning process.

3.2. Motivation and proposal overview

In the scenario described in the previous section, our strategy aims to detect malicious updates of the global model sent by adversaries, leveraging a deep learning model trained with both malicious and benign updates.

In the literature, many approaches have been devoted to the definition of solutions, typically referred to as AGRs, to inhibit attackers from obtaining advantages by altering the updates of targeted clients, during the training phase of a federated model. AGRs strategies typically adopt statistical information and suitable derived heuristics to filter or smooth out any anomalous update from involved clients. Although such approaches work reasonably well for untargeted attacks, researchers have demonstrated that the menaces can be refined to deceive such heuristics.^16,14,26

In general, this is due to the fact that existing protection strategies are grounded on the assumption that the attacker does not have background knowledge of the other clients’ behavior (non-omniscience assumption) and, therefore, the (blind) variation introduced by the attack on the statistics of the gradients updates, received by the clients during a training epoch, is not negligible. However, as discussed in Baruch et al.,¹⁶ in the case in which the experimented variance between clients’ gradients is high, a blind attack can be performed within the variance of the admissible gradient’s updates. This makes existing AGRs vulnerable, thus requiring more advanced defense approaches, possibly using knowledge from the history of gradient updates to detect the presence of attacks.

The use of historical data poses several issues that must be faced to build suitable data-driven protection strategies. Indeed, the gradient variances of the different clients during a training task strongly depend on several parameters, such as (i) the number of involved clients, (ii) the training task, and (iii) the distribution of the data batches across each client. Therefore, the information exploitable to build a protection mechanism should be related to the task specificity and, intuitively, cannot be derived from different ones.

Starting from this observation, in our approach we designed an AI-driven solution that exploits data from a Federated Learning task to feed the training of a control network to identify normal vs. altered gradient variations. Such a control network should learn the characteristics of benign updates from the clients, as well as the anomalies, even if slight, introduced in the case of an attack carried out by one or more clients. With this capability, the obtained defense mechanism could be deployed as a firewall on the central server orchestrating the construction of the global federated model. Once built, such a control network is used to protect the Federated Learning task. However, since the control network was trained on a specific scenario (number of clients, data distribution, etc.), its performance and reliability are contingent upon that scenario remaining consistent. If the scenario changes, the control network may no longer be effective because it was not trained to handle the new data patterns. This scenario is typical in industrial environments in which the model must be updated (and, hence, re-trained) periodically to include newly generated data from the sources. However, although the scenario above remains interesting and important, our solution faces a more general and ambitious task, i.e., building and deploying a control network to protect an on-going Federated Learning task.

One of the major problems in the design of such a solution is related to the construction of a training set containing balanced data of benign and malicious updates, strictly related to the specific (running) Federated Learning task. This requirement imposes that the training set cannot be obtained offline but must be built during the execution of the federated solution.

The control network solution is built in two steps, which are discussed in the next sections. The proposed solution is intended to build an ensemble model capable of detecting multiple attacks keeping the single models binary and lightweight.

3.3. Dataset derivation

The first objective of our solution is to build a training set, say $T S_{f}$ , that is representative of an on-going Federated Learning task $f$ and contains balanced information of both benign and malicious gradient updates from clients. Our approach assumes a “safe period” in which only controlled attacks can be performed during the training phases of the federated task. With controlled attacks we mean the deliberate introduction of adversarial behavior by trusted actors to simulated adversarial clients or compromised devices done only during the training of the model. Consequently, in our reference scenario, a possible attacker may take control of some of the clients (even one) only after the “safe period”. Moreover, the configuration of the clients is such that we can assume an Independent Identical Distribution of their data, which is, then, preserved also for the attacked clients. In any case, if this condition is not preserved by the maliciously controlled clients, then their local contribution would be different from those produced during the “safe period” and, hence, easily detected as anomalous.

The assumption of a “safe period” is realistic and can be obtained by applying standard practices during training, as briefly discussed in the following. In an industrial setting, devices are often deployed in controlled environments where physical security can be achieved by limiting to authorized and trusted personnel the access to the physical clients. Network security can be achieved by using IDPS (intrusion detection and prevention systems) and isolating the internal network from the external network to allow communication only between clients and servers. Each client device can be checked to ensure that it functions correctly and has not been compromised by validating firmware and software versions. Since the training phase goes over short time intervals, it is realistic to apply the combination of these protection strategies during the training, in such a way that the likelihood of a significant attack during such a limited period can be considered negligible.

In the safe period, only controlled attacks can be carried out. In the absence of attacks, the obtained data are used for training the model with benign samples. While the benign portion of the training data is derived directly from the monitored running federated task, the portion of the training set containing information about the possible attacks must be generated by introducing controlled attacks. To do so, our solution defines an “Attack Simulation” module that, starting from a set of benign clients’ updates, alters a portion of this set by simulating specific attacks on target clients of the federated system. This module can be configured to carry out attacks of the considered type and to simulate a variable number of attacked clients.

Figure 3 sketches the strategy described above for both the “safe period” and the “unsafe one”.

Figure 3.

A general representation of the strategy adopted in our solution.

Therefore, during the “safe period”, given an epoch $e_{j}$ of the Federated Learning task, let $U S_{f}^{e_{j}}$ be the set of updates received from the clients during $e_{j}$ . The “Attack Simulation” module extracts a subset $B S_{f}^{e_{j}} \subset U S_{f}^{e_{j}}$ , which is used for the benign training samples obtained from the epoch $e_{j}$ , and computes the set $M S_{f}^{e_{j}}$ of malign updates obtained by applying the simulated attacks on the remaining set of updates $U S_{f}^{e_{j}} ∖ B S_{f}^{e_{j}}$ of the epoch $e_{j}$ .

As will be explained later in this section, an important point in this configuration is that, because the gradient variations computed by the clients are related to the particular training epoch of the federated model, the control network must be aware of the evolution of the federated task to make decisions on the trustworthiness of received updates. Therefore, the updates alone are not sufficient to identify the correct evolution of the Federated Learning training. For this reason, at each epoch $e_{j}$ , also the current weights of the global federated model are maintained, which is denoted as the status of the model in the following. As a consequence, let $G M W_{f}^{e_{j}}$ be the current configuration of the global federated model (i.e., the weights of the model), the overall training set for the control network is:

T S_{f} = ⋃_{e_{j}}^{E S} {⟨ B S_{f}^{e_{j}} \cup M S_{f}^{e_{j}}, G M W_{f}^{e_{j}} ⟩}

where

E S

is the set of epochs occurring during the “safe period”. It is worth underling that, the set

T S_{f}

contains both benign updates, directly obtained by the involved clients, and malign ones, synthetically generated by our “Attack Simulation” module. Malicious updates are generated contextually during the “safe period” by replacing a balanced portion of benign updates with the crafted malicious ones. In practice, the “safe period” is used to carry out target attacks in a controlled environment and collects the generated data (both benign and malign updates) that will be used to train our Control Network. As a final remark, observe that malign updates generated during this phase and included in

T S_{f}

will not be delivered to the global model of the Federated Learning task.

An important point to underline is related to the choice of including information about the status of the global model in the training data for our control network. As said above, the reason behind this choice resides in the fact that, due to the oscillations in the loss optimization (during the initial phases, especially), gradients’ updates alone are not sufficient to understand whether their values may correspond to an attack attempt or not. Our control network needs baseline information allowing for the estimation of the deviance of the gradients from the expected values. Therefore, we include the weights of the global model at the current step as input to our control network, so that, measuring the variation in the global model weights between the previous status and the current one (recall that we are using an RNN to preserve, to some extent, a memory of the input sequence) can help our model distinguishing an expected variation in the gradients from an anomalous one.

We report in Algorithm 1 the pseudo-code implementing the procedure described above. In the setup, the model is randomly initialized and model weights are sent to all clients (Line 2). In the safe period (guaranteed by the assertion in Line 4), the updates from clients are collected and the model weights are updated and stored in $G M W_{b}$ (benign global model updates). Moreover, it is simulated that some clients act maliciously accordingly to the attack to contrast: the expected updates coming from attacked clients are included in the training dataset with the label “attack”, and the other updates with the label “no attack”. In both cases, the initial global model weights are also included in the dataset. Observe that updates received from clients during the attack simulation are neglected because the benign updates $G M W_{b}$ are sent to clients.

We conclude this section by observing that the time complexity of Algorithm 1 is linear in the number of samples (thus, if we double the number of samples for the training, the training time will take twice as long).

3.4. Control network building

In our proposal, the control network is built as a binary classifier capable of distinguishing between benign and malicious gradient updates from clients. The design of our control network is guided by three key requirements (which will be explored further in the following):

model poisoning attacks typically unfold over multiple training epochs through gradient alterations, necessitating a defense mechanism that can backtrace (through some memory capability) these sequences for effective detection;

during our initial architecture tests, we observed that using an ensemble of simple binary predictors outperformed more complex multi-label classifiers, providing better accuracy and robustness;

the need for a general lightweight solution that could be deployed in desperate, and even resource constrained environments such as the Internet of Things, led us to prioritize simpler, smaller models over deep, complex architectures to ensure efficiency without compromising performance.

A crucial point in the design of such a classifier is related to the condition in which the final control network will be deployed as a defense mechanism for the Federated Learning scenario. As stated before, the most general application context would require the availability of the control network as soon as possible during just the first federated training task.

More formally, we denote by $t_{0}$ the time in which the training of the model starts, and let $[t_{0}, t_{s}]$ be the time interval of the “safe period”, when no external attack is performed. The construction of the control network is carried out in the time interval $[t_{0}, t_{s}]$ , whereas in the subsequent time $(t_{s}, \infty)$ , the defense mechanism is applied to the Federated Learning task.

Of course, once built, it might be applied also to any subsequent re-training activity of the same Federated Learning scenario. Such a design choice requires the development of an incremental learning strategy due to the online nature of the considered scenario. Roughly speaking, because the training of the control network must consider the gradient updates reported by the clients at each epoch, it can be seen as a sequence of learning tasks each focused on an epoch of the Federated Learning approach. Incremental learning has been thoroughly studied in the recent scientific literature and is still an open issue, especially in contexts in which new classes can be added during the different sequential increments. In fact, learning new classes might cause a detriment to the old class knowledge, thus resulting in the well-known “catastrophic forgetting” problem.^42–44 In our context, at each epoch, the number of involved classes is constant (binary classification) and, therefore, the “catastrophic forgetting” is not likely to happen. In addition, from a preliminary experimentation having an ensemble of multiple binary classifiers dedicated to each attack achieves better results than having a single multi-class classifier. However, a memory of the previous tasks can still be crucial to assess the admissibility of specific ranges of gradient fluctuations during a stage of the Federated Learning process. Finally, an important requirement for our approach design is related to the need for a lightweight defense solution that can be deployed also in low-resource environments, such as the Internet of Things, often leveraging Federated Learning.^45,46

Following this reasoning, we implement the control network as a Long-Short Term Memory (LSTM, for short) network.⁴⁷ As for the model architecture, our final configuration consists of an LSTM layer with $10$ units, a fully connected layer, and a sigmoid activation function trained for $10$ epochs with a learning rate of $0.01$ , binary cross-entropy loss, Adam optimizer, and a batch size 32. As we will prove in the experiments, this simple network is a capable countermeasure against different attacks of different natures (i.e., adversarial or backdoor). Indeed, our approach does not derive benefits from a more complex network allowing the implementation of it on devices with limited computational capabilities. Hence, the inputs of this network are the gradient updates of each client during an epoch $e_{j}$ and the status of the global federated model $G M W_{f}^{e_{j}}$ (i.e., the aggregated weights obtained during the previous epochs – see Section 3.3 for the details about the training set). During the inference, a weight is considered benign or malicious choosing the class label with the highest probability.

4. Experiments

This section is devoted to the experiments we carried out to validate our proposal. For our experiments, we used a machine with an AMD Ryzen 5800X CPU paired with 32GB of RAM and an RTX 3070ti with 8GB of VRAM. The techniques have been developed using Python and Tensorflow library. All the experiments have been run more than 10 times for each setting and the average results have been reported.

We start by describing the datasets and the scenarios used in the experiments. Then, in Section 4.2, we describe how the model used to detect malicious updates is built and trained. Finally, in Section 4.3, we analyze the results obtained by applying our proposal to various attack scenarios. Figure 4 presents the diagram block of the general workflow used to run the experiments. On the left side, the training of the control network is done by providing both benign samples and malicious samples (the latter obtained by simulated attacks). After the control network model is built, it is used to predict whether a real attack is carried out (on the right side of the figure).

Figure 4.

Diagram block of the experiment workflow.

4.1. Testbed

The testbed used in our experimental campaign has been chosen to reproduce exactly the original configurations and datasets used by the official attack implementations to compare our defense in the best-case scenario for the attacks. The setting of our experiments is presented in the next sections.

Dataset. We used three well-known datasets, which are:

MNIST, a dataset of 60,000 28–28 pixel grayscale images of handwritten single digits between 0 and 9⁴⁸;

FMNIST, a dataset of 60,000 28–28 pixel grayscale images of clothing articles labeled from 10 classes⁴⁹;

CIFAR10, a dataset of 60000 32x32 color images of means of transport and animals labeled from 10 classes.⁵⁰

As usual for these datasets, no pre-processing, augmentation, or noise reduction have been performed on the data. Moreover, the considered error metric is accuracy, which measures the fraction of predictions that the model got right.

Federated learning models. Following the approach used in Baruch et al.¹⁶ and Fang et al.,¹⁴ as models of the federated learning task, we used two different architectures for the three datasets: the first architecture is adopted for both the MNIST and for the MNIST and CIFAR10 datasets due to their dissimilarity; the second architecture is specific for the FMNIST dataset. Specifically, the classifier for the MNIST and FMNIST datasets is a neural network with a $28 \times 28$ input, a multi-perceptron layer, and a $10$ -classes output layer. The classifier for the CIFAR10 dataset is a convolutional neural network (CNN) with a $3 \times 32 \times 32$ input and a $10$ -classes output layer.

Robust aggregation algorithm (AGR). In the literature, a large effort has been devoted to the definition of gradient aggregation schemes. However, the adopted strategy has to strike a balance between performance and computational efficiency. To select the most suitable and common AGRs we leveraged the recent scientific literature^26,51 and identified the following:

Krum, which selects the gradient from the input gradients that is closest to the $n - m - 2$ gradients in the squared Euclidean norm space, where $n$ is the number of clients and $m$ is the number of malicious clients²⁷;

TrimmedMean, which aggregates each dimension of input gradients separately and removes the $m$ largest and smallest values of gradients, where $m$ is the number of malicious clients³⁵;

It is important to note that other AGR mechanisms exist that are built upon Krum and Trimmed Mean, mainly targeting specific contexts. Krum and Trimmed Mean are foundational, general-purpose AGR strategies that are widely regarded as baseline approaches for achieving robustness in federated learning.⁵²

Attacks. We considered two of the most known attacks that are capable of eluding or deceiving traditional AGR techniques and, for each attack, we adopted the best settings described by the authors in their original proposals. The considered attacks are:

Little Is Enough (LIE), where malicious clients send gradient vectors in which elements are modified by adding noise depending on the estimated coordinate-wise mean and standard deviation of the benign updates.¹⁶ We set the number of workers to $n = 50$ , the parameter $z^{m a x} = 1.5$ and the proportion of malicious clients to $m = 24 %$ (as done in Baruch et al.¹⁶).

Fang,¹⁴ where clients send malicious gradient vectors in such a way that the aggregated global model moves to the opposite of the direction along which the global model would go in the absence of attacks. We set the number of workers to $n = 50$ and we imposed a partial knowledge for the attacker (the attacker knows only the models of the controlled workers). This is the setting used in Fang et al.¹⁴

In the next section, we identify the configuration of the proposed control network that gives the best performance.

4.2. Control network tuning

In our proposal, we need to build a machine learning model able to classify whether a received gradient vector is malicious or not. As explained in Section 3, the control network leverages an LSTM network equipped with $10$ filters, a fully connected layer, and a sigmoid activation function. In this experimental campaign, we use the MNIST scenario to identify the best configuration for our control network model. The choice of this dataset is related to the simplicity of the corresponding classifier along with its overall higher performance.

4.2.1. Experiment description

We performed the following two experiments:

In the first experiment, we aim to identify the right balance between data from normal clients and data from malicious ones during the training. We injected a variable percentage of attackers introducing random noise (“random” attackers, hereafter) in the Federated Learning solution. We used the data generated in such a scenario to build a training set for our control model. Hence, we studied the percentage of malicious traffic needed to train our model with the best possible performance. To do so, both the traffic generated by the attackers and the normal clients have been suitably labeled.

The second experiment aims to identify the best number of epochs that must be used to build the training set for our control model. In our scenario, the training set is derived from the data exploited by the Federated Learning model during the training task. This task is composed of several training epochs, each characterized by a set of batches obtained from the global training set and, according to the Federated Learning strategy, distributed across the different clients. During each epoch, the result of the processing of the batches is returned from the workers to the central aggregating node. Therefore, during an epoch, the workers compute the corresponding parameter variations for the neural network model on the basis of the processed batches. In our approach, we use the variations produced during a sub-set of the epochs of the overall training as a training set of our control model (also injecting a percentage of malicious data).

4.2.2. Experiment results

In the following, we discuss the results obtained from each experiment.

The results of the first experiment are shown in Figure 5, where we report the accuracy of the Federated Learning approach (including our control model) against the percentage of “random” attackers. The curves are associated with configurations characterized by different numbers of workers (i.e., $50$ , $25$ , and $10$ ). In particular, in this figure, we plot the variation of the model accuracy for three different FL configurations (based on the number of workers) and for different percentages of nodes controlled by the attacker. Observe that, we start with a minimum of 10% controlled nodes to ensure that at least one node is attacked, and we do not exceed 50% to avoid unbalancing our training data with only attacked gradients.

Figure 5.

Accuracy of our solution versus attacker percentage.

By analyzing this figure, we can see that the higher the percentage of attackers the more balanced the corresponding training set for our control model and, hence, the better the performance of the Federated Learning solution. Indeed, better performance of our control model implies a higher capability to discard malicious training data in Federated Learning. In particular, we found that the minimum percentage to obtain the higher accuracy spans from about $15 %$ , for the configuration with $50$ workers, to about $40 %$ for the configuration with $10$ workers. A conservative value of $40 %$ could be used to maintain a stable accuracy for our solution across all the different configurations.

In the second experiment, we measured the accuracy obtained by the Federated Learning solution including our control model versus the variation of the percentage of epochs of the Federated Learning used to build the training set for our control model. The obtained results are reported in Figure 6.

Figure 6.

Accuracy of our solution versus training set size.

We can see that the accuracy negligibly varies when passing from $5 %$ to $25 %$ of the overall epochs for all the configurations. This is due to the fact that, during each epoch, our approach uses all the parameter variations produced by the workers as observations to build the training set for the control model. The overall number of parameters also depends on the size of the neural network targeted by the Federated Learning. For the adopted neural network, a single worker would return $77, 800$ updates for each epoch. With the minimum configuration of $10$ workers, an epoch will produce a training set of $778, 000$ samples (of which $311, 200$ will be altered according to an attack). Therefore, a consistent training set for our control model can be obtained with a very limited number of epochs.

Since our control network uses a limited number of epochs (we do not make any assumption on the global model targeted by the Federated Learning task), the scalability of our solution is only bounded by the scalability of Federated Learning task and does not add any additional scalability concerns.

In this experiment, we also analyzed the impact of our solution on the overall performance of the Federated Learning task. To do so, we focused on the execution times with and without our solution. Because the implementation of our approach does not impact the communication time between clients and the aggregator, we neglect such times in our measures. We distinguished between the training phase, in which our control network is trained, and the inference phase, in which our strategy is deployed and used as protection. The results are reported in Table 1.

Table 1.

The execution times of our solution.

	Epoch time (ms)
FL Only	3,229
FL + CN Training	3,542
FL + CN Inference	3,295

In this table, each row reports the mean execution times of the overall Federated Learning task for each training epoch, in three different cases: (i) without the adoption of our solution (FL Only), (ii) during the training of our solution (FL + CN Training), and (iii) with our solution deployed as a protection (FL + CN Inference).

The obtained results show that the time overhead introduced by our approach is negligible with respect to the baseline Federated Learning execution time. Indeed, such overhead does not exceed $10 %$ of the baseline.

4.3. Validation

In this section, we study the effectiveness of our strategy as a countermeasure against state-of-the-art attacks on Federated Learning. We describe the experiments carried out and the obtained results.

4.3.1. Experiment description

We performed the following three experiments for each dataset using the model architectures defined in Section 4.2:

In the first experiment, we tested the Convergence Prevention variant of the LIE attack presented in Baruch et al.¹⁶ The attack aims at impacting the overall performance of the global model built through Federated Learning. The main objective is to inhibit the model convergence by altering its capability to properly classify the input items. Although this attack works also in the absence of any secure aggregation algorithm (AGR), it has been specifically designed by targeting Krum and TrimmedMean secure AGRs.²⁶ For this reason, to avoid penalizing the attack performance, in our experiment, we do not consider the case in which our defense is the only available in the server. Therefore, for the target Federated Learning system, we considered three cases in our experiments: (i) no defense, in which no AGR is used, (ii) KR, when the Krum AGR is used, and (iii) KR+CN, when both Krum AGR and our control network are enabled.

In the second experiment, we considered a variant of the LIE attack, named Backdoor.¹⁶ The idea behind this attack is not to prevent the convergence of the model training but, instead, to train the model with a set of crafted samples obtained by adding a noise that follows a specific pattern on some of the involved input features. The goal of the attacker is to identify the correct features and corresponding “forged” noise so that, any input for which the target features have been jeopardized according to the established noise pattern, will be classified by the trained model as belonging to a specific target class. In summary, backdoor attacks are more stealthy strategies aiming to preserve the general behavior of the model and its performance and to create a backdoor that can be activated by the attacker through specific hidden patterns in the input data. Once the backdoor is activated the model alters its behavior by producing an unattended, controlled by the attacker, classification result.

In the third experiment, we considered the Fang attack.¹⁴ This attack can work in different configurations strictly related to the role of the workers in the network: we focus on the configuration in which the workers have a partial knowledge of the network.

4.3.2. Experiment results

In the following, we discuss in detail the results obtained from each scenario, in terms of accuracy. Note that we measured sensitivity equal to $1$ in all experiments (we recall that, in our experiments, sensitivity measures the proportion of attacks that are correctly identified by the model) and average specificity equal to $0.88$ . This shows that our solution prefers to misclassify a minority of benign clients as malicious instead of including compromised gradients in the aggregation of the new global model.

The results of the first experiment are reported in Table 2, where best performances is shown in bold (this occurs also in the next tables). First, we observe that the results obtained for KR (second row) are in line with those reported in Baruch et al.¹⁶

Table 2.
Accuracy against the convergence prevention attack using Krum AGR.

	MNIST		FMNIST		CIFAR10
	No attack	Attack	No attack	Attack	No attack	Attack
No defense	96.1%	88.0%	83.8%	75.4%	59.6%	29.7%
KR	92.7%	82.9%	81.2%	75.0%	44.1%	17.2%
KR+CN	90.5%	90.1%	81.5%	81.1%	43.5%	43.4%

We can see that, without the use of our control network, the convergence prevention attack is able to reduce the accuracy with a detriment of almost $30 %$ of performance in the case of CIFAR10. To motivate KR+CN seems to worsen the performance of the base model when no attack occurs, we observe that this effect is common to all existing defenses and arises because any defense mechanism adapts to the current scenario, aiming to filter out outlier contributions. When attacks are present, these outliers are typically malicious. In the absence of attacks, the defense may unintentionally impact the model’s performance slightly.

The relevant result is that when our control network is enabled, the accuracy in presence of attacks is about the same as for the scenarios without attacks. These results show how our model has successfully detected anomalous variations in the updates of the malicious workers.

We repeated the experiment by replacing the Krum AGR with the TrimmedMean AGR (TM in the table), and the obtained results are reported in Table 3. We observe that the use of TrimmedMean is more effective in contrasting the convergence prevention attack because the measured accuracy is always higher than that measured with Krum AGR. Also in this case, the use of our control network returns the best accuracy in all the compared scenarios. We measured that the attack reduced the mean accuracy of the model from about 0.80 to 0.59. The use of the Control Network limits the accuracy loss to 0.76.

The results of the second experiment when using Krum AGR are reported in Table 4, whereas the results when using TrimmedMean AGR are reported Table 5. Observe that since this attack only works when a secure AGR is active in the Federated Learning system, the cases in which a secure AGR is not enabled are not defined (n.d.) in the two tables. Moreover, because the goal of the attack is to misclassify a given class, we included in the table the success rate of the attack (i.e., the fraction of cases in which the attack was successful), which is shown in brackets.

Table 3.

Accuracy against the convergence prevention attack using TrimmedMean AGR.

	MNIST		FMNIST		CIFAR10
	No attack	Attack	No attack	Attack	No attack	Attack
No defense	96.1%	88.0%	83.8%	75.4%	59.6%	29.7%
TM	96.1%	86.0%	83.7%	72.2%	59.5%	20.7%
TM+CN	96.0%	95.8%	83.7%	83.7%	59.5%	59.6%

Table 4.

Accuracy against the backdoor attack using Krum AGR.

	MNIST		FMNIST		CIFAR10
	No attack	Attack	No attack	Attack	No attack	Attack
No defense	96.1%	n.d.	83.8%	n.d.	59.6%	n.d.
KR	92.7%	91.8% (100%)	81.2%	80.9% (99.76%)	44.1%	40.5% (92.5%)
KR+CN	90.5%	90.1% (9%)	81.5%	80.9% (11.1%)	43.5%	43.1% (4.6%)

Table 5.

Accuracy against the backdoor attack using TrimmedMean AGR.

	MNIST		FMNIST		CIFAR10
	No attack	Attack	No attack	Attack	No attack	Attack
No defense	96.1%	n.d.	83.8%	n.d.	59.6%	n.d.
TM	96.1%	95.3% (100%)	83.7%	83.6% (80.0%)	59.5%	55.3% (78.0%)
TM+CN	96.0%	95.6% (9.0%)	83.7%	83.7% (8.6%)	59.5%	59.5% (7.8%)

By looking at the results of these experiments, we see that the model accuracy in all the cases in which the attack is performed is only slightly decreased. In contrast, the attack success rate is very high (from 78 % to 100%) when our control network is not used, whereas it has a limited impact (less than about 11%) when our control network is enabled. These results show that our proposal has been effective against all the considered LIE attack variants.

The results of the third experiment are reported in Tables 6 and 7 considering the Krum AGR and the TrimmedMean AGR, respectively (the structure of these tables is the same as the previous ones).

Table 6.

Accuracy against the Fang attack using Krum AGR.

	MNIST		FMNIST		CIFAR10
	No attack	Attack	No attack	Attack	No attack	Attack
No defense	96.1%	93.4%	83.8%	81.4%	59.6%	54.0%
KR	92.7%	44.6%	81.2%	46.2%	44.1%	16.9%
KR+CN	90.5%	88.8%	81.5%	78.0%	43.5%	42.9%

Table 7.

Accuracy against the Fang attack using TrimmedMean AGR.

	MNIST		FMNIST		CIFAR10
	No attack	Attack	No attack	Attack	No attack	Attack
No defense	96.1%	93.4%	83.8%	81.4%	59.6%	54.0%
TM	96.1%	73.9%	83.7%	80.5%	59.5%	31.0%
TM+CN	96.0%	95.7%	83.7%	83.8%	59.5%	59.1%

Observe that the Fang attack has been designed to work against the Krum AGR strategy and, therefore, the best attack performance is obtained in scenarios in which such an AGR is enabled. Although with a smaller reduction in accuracy, also the TrimmedMean AGR suffers from this attack. At the same time, the introduction of our Control Network is able to filter malicious updates out and restore the performance very close to the original performance without attacks. Indeed, we measured that the attack reduces the mean accuracy of the model from about 0.80 to 0.49, whereas with the use of the Control Network, the mean accuracy is about 0.75. These results show that our solution has able to evade also the Fang attack.

5. Conclusion

In this paper, we proposed an Artificial-Intelligence-driven approach to contrast model poisoning attacks on a Federated Learning system. Researchers have designed several countermeasures to model poisoning attacks, such as Krum and Trimmed Mean, mostly based on heuristics targeting the aggregation phase on the server to suitably identify and remove anomalous gradient updates from clients. However, recent studies have proposed refined attacks capable of bypassing such protection strategies and inferring important damages to a Federated Learning task.

The main contribution of this paper is to contrast two attacks, namely the Little is Enough (LIE) and Fang attacks, by designing a deep-learning-based approach to build a Control Network. This Control Network is used as a firewall to filter out malicious gradient updates as generated by such attacks, and the proposal has been validated experimentally.

A second contribution of the paper is that the proposed solution is general and, therefore, could be extended to contrast other attacks with the same characteristics of these studied in this paper. Moreover, it is designed to be trained online, during a controlled initial set of training epochs of an on-going Federated Learning task, and deployed to protect the completion of the current task and any other subsequent re-training activity, typical of industrial contexts.

The research described in this paper must not be intended at its final stage because several other interesting development directions can be identified. First off, Federated Learning has been recently adopted in fully distributed scenarios, such as the Internet of Things, in which no central server can be exploited to execute our Control Network. In such a setting, the design of a distributed approach to build and include our solution is, for sure, an interesting objective that we are planning to pursue. Moreover, our future work includes the application of newer and sophisticated machine learning algorithms such as Neural Dynamic Classification,⁵³ Finite Element Machine for fast learning,⁵⁴ and self-supervised learning,⁵⁵ which have been successfully used in other application contexts.

Footnotes

Funding

This paper has been partially supported by the POS RADIOAMICA project funded by the Italian Minister of Health (CUP: H53C22000650006) and by the PRIN 2022 Project “HOMEY: a Human-centric IoE-based Framework for Supporting the Transition Towards Industry 5.0” (code: 2022NX7WKE, CUP: F53D23004340006) funded by the European Union - Next Generation EU.

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

References

McMahan

Richtarik

, et al. Federated learning: Strategies for improving communication efficiency. In: Proceedings of the 29th Conference on Neural Information Processing Systems (NIPS), Barcelona, Spain, 2016, pp.5–10.

Chen

Luo

, et al. A training-integrity privacy-preserving federated learning scheme with trusted execution environment. Inf Sci (Ny) 2020; 522: 69–79.

Jiang

Zhang

. PFLM: Privacy-preserving federated learning with membership proof. Inf Sci (Ny) 2021; 576: 288–311.

Lei

, et al. Federated continuous learning with broad network architecture. IEEE Trans Cybern 2021; 51: 3874–3888.

Demertzis

Iliadis

Kikiras

, et al. An explainable semi-personalized federated learning model. Integr Comput Aided Eng 2022; 29: 335–350.

Guzzo

Fortino

Greco

, et al. Data and model aggregation for radiomics applications: Emerging trend and open challenges. Inform Fusion 2023; 100: 101923.

Sahu

Talwalkar

, et al. Federated learning: Challenges, methods, and future directions. IEEE Signal Process Mag 2020; 37: 50–60.

Liu

James

Kang

, et al. Privacy-preserving traffic flow prediction: A federated learning approach. IEEE Internet Things J 2020; 7: 7751–7763.

Mammen

. Federated learning: opportunities and challenges. arXiv preprint arXiv:2101.05428, 2021.

10.

Malekijoo

Fadaeieslam

Malekijou

, et al. Fedzip: A compression framework for communication-efficient federated learning. arXiv preprint arXiv:2102.01593, 2021.

11.

Song

Wang

Zhang

, et al. Analyzing user-level privacy attack against federated learning. IEEE J Sel Area Commun 2020; 38: 2430–2444.

12.

Wei

Ding

, et al. Federated learning with differential privacy: Algorithms and performance analysis. IEEE Trans Inform Foren Secur 2020; 15: 3454–3469.

13.

Nuding

Mayer

. Data Poisoning in Sequential and Parallel Federated Learning. In: Proceedings of the 2022 ACM on international workshop on security and privacy analytics 2022, pp.24–34.

14.

Fang

Cao

Jia

, et al. Local model poisoning attacks to

{

Byzantine-Robust

}

federated learning. In: 29th USENIX security symposium (USENIX Security 20) 2020, pp.1605–1622.

15.

Karakoç

Önen

Bilgin

. Secure aggregation against malicious users. In: Proceedings of the 26th ACM symposium on access control models and technologies 2021, pp. 115–124.

16.

Baruch

Goldberg

. A little is enough: Circumventing defenses for distributed learning. Adv Neural Inf Process Syst 2019; 32: 1–16.

17.

Liu

Zhang

, et al. False data-injection attack detection in cyber–physical systems with unknown parameters: A deep reinforcement learning approach. IEEE Trans Cybern 2022; 53: 7115–7125.

18.

Yun

Park

. Modal identification of building structures under unknown input conditions using extended kalman filter and long-short term memory. Integr Comput Aided Eng 2023; 30: 185–201.

19.

Bui

K-TT

Torres

Gutiérrez-Avilés

, et al. Deformation forecasting of a hydropower dam by hybridizing a long short-term memory deep learning network with the coronavirus optimization algorithm. Comput-Aided Civil Infrastruct Eng 2022; 37: 1368–1386.

20.

Liu

Tian

Zhou

. Patient-independent seizure detection based on channel-perturbation convolutional neural network and bidirectional long short-term memory. Int J Neural Syst 2022; 32: 2150051.

21.

Haralabopoulos

Razis

Anagnostopoulos

. A modified long short-term memory cell. Int J Neural Syst 2023; 33: 2350039.

22.

Liu

Huang

Yang

, et al. An attention-aware long short-term memory-like spiking neural model for sentiment analysis. Int J Neural Syst 2023a; 33: 2350037.

23.

Liu

Jiang

Shen

, et al. A survey on federated unlearning: Challenges, methods, and future directions. ACM Comput Surv 2023b; 57: 1–38.

24.

Mothukuri

Parizi

Pouriyeh

, et al. A survey on security and privacy of federated learning. Future Gener Comput Syst 2021; 115: 619–640.

25.

Kairouz

McMahan

Avent

, et al. Advances and open problems in federated learning. Found Trends® Mach Learn 2021; 14: 1–210.

26.

Shejwalkar

Houmansadr

. Manipulating the byzantine: Optimizing model poisoning attacks and defenses for federated learning. In: NDSS, 2021.

27.

Blanchard

El Mhamdi

Guerraoui

, et al. Machine learning with adversaries: Byzantine tolerant gradient descent. Adv Neural Inf Process Syst 2017; 30: 1–16.

28.

Wang

Sreenivasan

Rajput

, et al. Attack of the tails: Yes, you really can backdoor federated learning. Adv Neural Inf Process Syst 2020; 33: 16070–16084.

29.

Jiang

, et al. Backdoor learning: A survey. IEEE Trans Neural Netw Learn Syst 2022; 35: 5–22.

30.

Dumford

Scheirer

. Backdooring convolutional neural networks via targeted weight perturbations. In 2020 IEEE international joint conference on biometrics (IJCB), IEEE, 2020, pp.1–9.

31.

Rakin

Fan

. Tbt: Targeted neural network attack with bit trojan. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020, pp.13198–13207.

32.

Zhang

Chen

, et al. Poisoning attack in federated learning using generative adversarial nets. In: 2019 18th IEEE international conference on trust, security and privacy in computing and communications/13th IEEE international conference on big data science and engineering (TrustCom/BigDataSE). IEEE, 2019, pp.374–380.

33.

Zhang

Chen

Cheng

, et al. PoisonGAN: Generative poisoning attacks against federated learning in edge computing systems. IEEE Internet Things J 2020; 8: 3310–3322.

34.

Gosselin

Vieu

Loukil

, et al. Privacy and security in federated learning: A survey. Appl Sci 2022; 12: 9901.

35.

Yin

Chen

Kannan

, et al. Byzantine-robust distributed learning: towards optimal statistical rates. In: International conference on machine learning. PMLR, 2018, pp.5650–5659.

36.

Xie

Koyejo

Gupta

. Generalized byzantine-tolerant SGD. arXiv preprint arXiv:1802.10116, 2018.

37.

Guerraoui

Rouault

. The hidden vulnerability of distributed learning in byzantium. In: International conference on machine learning, PMLR, 2018, pp.3521–3530.

38.

Tolpegin

Truex

Gursoy

, et al. Data poisoning attacks against federated learning systems. In: European symposium on research in computer security, Springer, 2020, pp.480–501.

39.

Nguyen

Rieger

De Viti

et al.

{

FLAME

}

: Taming backdoors in federated learning. In: 31st USENIX security symposium (USENIX Security 22) 2022, pp.1415–1432.

40.

Fung

Yoon

Beschastnikh

. The Limitations of Federated Learning in Sybil Settings. In: RAID, 2020, pp.301–316).

41.

Tsironi

Barros

Weber

, et al. An analysis of convolutional long short-term memory recurrent neural networks for gesture recognition. Neurocomputing 2017; 268: 76–86.

42.

Kirkpatrick

Pascanu

Rabinowitz

, et al. Overcoming catastrophic forgetting in neural networks. Proce Natl Acad Sci 2017; 114: 3521–3526.

43.

Mao

Shao

, et al. Incremental learning in online scenario. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020, pp.13926–13935.

44.

Goodfellow

Mirza

Xiao

, et al. An empirical investigation of catastrophic forgetting in gradient-based neural networks. arXiv preprint arXiv:1312.6211, 2013.

45.

Rey

Sánchez

PMS

Celdrán

, et al. Federated learning for malware detection in ioT devices. Comput Netw 2022; 204: 108693.

46.

Arazzi

Nicolazzo

Nocera

. A fully privacy-preserving solution for anomaly detection in iot using federated learning and homomorphic encryption. Inform Syst Front 2023; 25: 1–24.

47.

Vong

C-M

Chen

. Novel efficient RNN and LSTM-like architectures: Recurrent and gated broad learning systems and their applications for text classification. IEEE Trans Cybern 2020; 51: 1586–1597.

48.

Deng

. The mnist database of handwritten digit images for machine learning research. IEEE Signal Process Mag 2012; 29: 141–142.

49.

Xiao

Rasul

Vollgraf

. Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747, 2017.

50.

Krizhevsky

Hinton

Vinod

. Learning multiple layers of features from tiny images. Citeseer. https://www.cs.toronto.edu/∼lowkriz/learning-features-2009-TR.pdf, 2009.

51.

Nabavirazavi

Taheri

Shojafar

, et al. Impact of aggregation function randomization against model poisoning in federated learning. In: 22nd IEEE international conference on trust, security and privacy in computing and communications, TrustCom 2023, Institute of Electrical and Electronics Engineers Inc., 2024, pp.165–172.

52.

Campos

Gonzalez-Vidal

Hernández-Ramos

, et al. FedRDF: A robust and dynamic aggregation function against poisoning attacks in federated learning. IEEE Trans Emerg Top Comput 2024; early access: 1–20.

53.

Rafiei

Adeli

. A new neural dynamic classification algorithm. IEEE Trans Neural Netw Learn Syst 2017; 28: 3074–3083.

54.

Pereira

Piteri

Souza

, et al. FEMa: A finite element machine for fast learning. Neural Comput Appl 2020; 32: 6393–6404.

55.

Rafiei

Gauthier

Adeli

, et al. Self-supervised learning for electroencephalography. IEEE Trans Neural Netw Learn Syst 2022; 35: 1457–1471.

Evading model poisoning attacks in federated learning by a long-short-term-memory-based approach

Abstract

Keywords

1. Introduction

2. Related work

3.1. Scenario

3.3. Dataset derivation

4. Experiments

4.2. Control network tuning

4.2.1. Experiment description

4.2.2. Experiment results

4.3.1. Experiment description

4.3.2. Experiment results

Table 2. Accuracy against the convergence prevention attack using Krum AGR.

Footnotes

Funding

Declaration of conflicting interests

References

Table 2.
Accuracy against the convergence prevention attack using Krum AGR.