Exploring the Limitations of Federated Learning: A Novel Wasserstein Metric-Based Poisoning Attack on Traffic Sign Classification


Bibliographic Details
Main Authors: Suzan Almutairi, Ahmed Barnawi
Format: Article
Language: English
Published: IEEE 2025-01-01
Series: IEEE Access
Subjects:
Online Access: https://ieeexplore.ieee.org/document/11062639/
Description
Summary: Federated Learning (FL) enhances privacy but remains vulnerable to model poisoning attacks, where an adversary manipulates client models to upload poisoned updates during training, thereby compromising the overall FL model. Existing attack models often assume adversaries have full knowledge of the FL procedure, including server aggregation algorithms. In contrast, we consider a more practical attack scenario in which the adversary has access only to local client data and the FL model. To address this security gap, we propose a novel attack called the Wasserstein Metric-based Model Poisoning Attack (WMPA). In this approach, adversaries embed malicious updates within aggregated ones without detection, posing a significant threat to FL applications. WMPA leverages historical information from the FL process to forecast the next round’s global model as a reference. This reference model is then used to generate an adversarial local model characterized by low accuracy but minimal perturbation. We explore the use of the Wasserstein distance in place of traditional metrics such as Euclidean distance to better disguise malicious updates. Extensive experiments show that WMPA outperforms existing model poisoning attacks and can compromise robust aggregation methods. For example, in a cross-silo setting using Krum, WMPA reduces the FL model’s accuracy from 70% to 30.1%. In a cross-device setting, it reduces accuracy from 68% to 32.6%. Furthermore, we demonstrate that the Wasserstein metric is superior to other similarity metrics in capturing the underlying structure and shape of the provided distributions.
ISSN: 2169-3536
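The summary above describes a pipeline (forecast the next global model from history, then craft a local model that scores poorly yet sits close to that reference under the Wasserstein metric rather than the Euclidean one). The following is an added illustration, not code from the paper or its authors, of the metric property that makes this possible: the one-dimensional Wasserstein distance compares the sorted multiset of weight values, so a permutation of the weight vector has W1 = 0 while its Euclidean distance and its effect on accuracy can both be large. The linear-extrapolation forecaster, the weight-reversal "attack", the toy sign classifier and the evaluation points are all constructed assumptions for the demo and do not reproduce WMPA's optimisation.

```python
# Added illustration (not the paper's WMPA code): why a metric that compares
# the distribution of weights (1-D Wasserstein) can report "no change" for a
# weight permutation that Euclidean distance flags and that wrecks accuracy.
# Every model, history and data point below is constructed for the demo.
import math


def wasserstein_1d(a, b):
    """W1 between two empirical distributions with equal sample counts:
    sort both samples and average the absolute differences of the order
    statistics (the closed form of optimal transport in one dimension)."""
    if len(a) != len(b):
        raise ValueError("equal sample counts required for this closed form")
    sa, sb = sorted(a), sorted(b)
    return sum(abs(x - y) for x, y in zip(sa, sb)) / len(a)


def euclidean(a, b):
    """Coordinate-wise L2 distance, the metric Krum-style aggregators use."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def forecast_next(history):
    """Stand-in for 'forecast the next global model from history': linear
    extrapolation of the last two global models. ASSUMPTION: the paper's
    forecaster is not specified in the summary; this is the simplest choice."""
    prev, last = history[-2], history[-1]
    return [l + (l - p) for p, l in zip(prev, last)]


def predict(weights, x):
    """Toy linear classifier: sign of the dot product."""
    return 1 if sum(w * xi for w, xi in zip(weights, x)) >= 0 else -1


def accuracy(weights, data):
    return sum(predict(weights, x) == y for x, y in data) / len(data)


# Constructed history of two global models; the extrapolated third one is the
# reference the adversary crafts against.
HISTORY = [[2.0, -1.0, 0.5, -1.0, 0.5], [2.5, -1.5, 0.5, -1.25, 0.75]]
W_REF = forecast_next(HISTORY)  # [3.0, -2.0, 0.5, -1.5, 1.0]

# Constructed evaluation set, labelled by the reference model itself so the
# reference scores 100% by construction.
POINTS = [
    [1, 0, 0, 0, 0], [0, 1, 0, 0, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1],
    [1, 0, 0, 0, -1], [0, 1, 0, -1, 0], [1, 1, 0, 0, 0], [0, 0, 1, 1, 0],
]
DATA = [(x, predict(W_REF, x)) for x in POINTS]


def craft_adversarial(reference):
    """Reverse the weight vector: identical multiset of values (W1 = 0),
    different function. Demo of the metric property only; it is not the
    accuracy-vs-perturbation optimisation that WMPA performs."""
    return list(reversed(reference))


def compare(reference, data):
    """Distances and accuracies for a harmless nudge (+0.1 on every weight)
    next to the permuted model, so the two metrics can be read side by side."""
    nudged = [w + 0.1 for w in reference]
    adv = craft_adversarial(reference)
    return {
        "nudge": {"w1": wasserstein_1d(reference, nudged),
                  "l2": euclidean(reference, nudged),
                  "acc": accuracy(nudged, data)},
        "adv": {"w1": wasserstein_1d(reference, adv),
                "l2": euclidean(reference, adv),
                "acc": accuracy(adv, data)},
        "ref_acc": accuracy(reference, data),
    }


if __name__ == "__main__":
    for name, row in compare(W_REF, DATA).items():
        print(name, row)
```

Under Euclidean distance the harmless nudge looks closer to the reference than the reversed model; under W1 the ordering flips, with the reversed model at distance zero while its accuracy on the constructed set falls from 100% to 62.5%. One caveat for anyone reading the Krum numbers in the summary: Krum scores candidate updates by their Euclidean distances to each other, so this toy only shows the gap between the two metrics that the paper exploits, not the mechanism by which WMPA passes Krum's selection.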