An Optimal Two-Step Approach for Defense Against Poisoning Attacks in Federated Learning

Bibliographic Details
Main Authors: Yasir Ali, Kyung Hyun Han, Abdul Majeed, Joon S. Lim, Seong Oun Hwang
Format: Article
Language:English
Published: IEEE 2025-01-01
Series:IEEE Access
Description
Summary: Federated learning (FL) has gained widespread adoption for training artificial intelligence (AI) models while keeping client data confidential. However, the same privacy-preserving property also makes FL vulnerable to poisoning attacks. To counter these attacks, several defense methods have been developed to identify and filter out poisoned local models before aggregation. Nevertheless, these defenses perform sub-optimally at retaining benign local models while discarding poisoned ones, primarily because of inadequate filtering strategies. As a result, they reject large proportions of benign local models, producing high false rejection rates or low detection accuracy, which in turn degrades the test accuracy of the global model. In this paper, we propose the Two-step Defense Framework for Poisoning Attacks Detection (TDF-PAD). The first step uses the inter-quartile range (IQR) method to separate local models into obvious-poisoned, obvious-benign, and ambiguous groups. The second step applies the Z-score method to classify each ambiguous local model as benign or poisoned based on its performance history. Through extensive experiments on three real-world benchmark datasets, we show that TDF-PAD outperforms state-of-the-art defense methods, achieving a 0% false positive rate on these benchmark datasets, which indicates that it is generally applicable to any dataset.
ISSN:2169-3536
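The abstract describes the two-step filter only in outline. The following is an added worked example, written for this record and not the authors' code, that implements the structure it describes: an IQR triage over every local model, then a Z-score decision for the ambiguous ones against each client's own performance history. Everything not stated in the abstract is an assumption and is marked as such: the per-model score (taken here as accuracy on a small clean validation set held by the server), the Tukey fences used for the IQR split (below Q1 - 1.5*IQR is obvious-poisoned, at or above Q1 is obvious-benign, in between is ambiguous), the Z-score cut-off of -2, and the conservative handling of a client with too little history. The client scores and histories are constructed sample data, not results from the paper.

```python
"""Two-step poisoning filter in the spirit of TDF-PAD: IQR triage, then a
per-client Z-score check. Worked example, not the authors' implementation.

Assumptions (the abstract does not fix these):
  * each local model is reduced to one scalar score per round, here its
    accuracy on a small clean validation set held by the server (higher = better);
  * step 1 fences: score < Q1 - IQR_K*IQR -> obvious-poisoned,
    score >= Q1 -> obvious-benign, otherwise ambiguous;
  * step 2 compares an ambiguous client's score with that client's own past
    scores: z = (score - mean(history)) / stdev(history), poisoned if z < Z_CUT.
"""
from statistics import mean, quantiles, stdev

Z_CUT = -2.0        # assumed Z-score cut-off for step 2
IQR_K = 1.5         # assumed Tukey fence multiplier for step 1
MIN_HISTORY = 2     # stdev needs at least two past rounds
SD_FLOOR = 1e-3     # assumed floor so a flat history cannot divide by ~0


def iqr_triage(scores):
    """Step 1: split clients into obvious-poisoned / obvious-benign / ambiguous.

    scores: {client_id: score}. Only the lower tail matters: a model that
    scores unusually *well* on a clean validation set is not a poisoning signal.
    """
    q1, _, q3 = quantiles(scores.values(), n=4, method="inclusive")
    lower_fence = q1 - IQR_K * (q3 - q1)
    groups = {"poisoned": [], "benign": [], "ambiguous": []}
    for cid, s in scores.items():
        if s < lower_fence:
            groups["poisoned"].append(cid)
        elif s >= q1:
            groups["benign"].append(cid)
        else:
            groups["ambiguous"].append(cid)
    return groups


def zscore_resolve(score, history):
    """Step 2: decide one ambiguous client from its own performance history.

    Returns (label, z). z is None when the history is too short to judge; such
    a client is held back this round (assumed conservative default), so a
    brand-new client in the ambiguous band costs at most one round.
    """
    if len(history) < MIN_HISTORY:
        return "poisoned", None
    sd = max(stdev(history), SD_FLOOR)
    z = (score - mean(history)) / sd
    return ("poisoned" if z < Z_CUT else "benign"), z


def filter_round(scores, histories):
    """Run both steps; returns {client_id: (label, step_that_decided)}."""
    groups = iqr_triage(scores)
    decisions = {cid: ("poisoned", 1) for cid in groups["poisoned"]}
    decisions.update({cid: ("benign", 1) for cid in groups["benign"]})
    for cid in groups["ambiguous"]:
        label, _ = zscore_resolve(scores[cid], histories.get(cid, []))
        decisions[cid] = (label, 2)
    return decisions


def accepted(decisions):
    """Client ids whose local models go on to aggregation."""
    return sorted(cid for cid, (label, _) in decisions.items() if label == "benign")


# Constructed sample round (not from the paper): validation accuracy per client.
SCORES = {"c0": 0.82, "c1": 0.80, "c2": 0.79, "c3": 0.81, "c4": 0.78,
          "c5": 0.77, "c6": 0.60, "c7": 0.58, "c8": 0.20, "c9": 0.83}
# Constructed histories. c6 has always been weak (skewed local data), so its
# low score is normal for it; c7 was strong until this round, so a sudden drop
# is what a freshly poisoned model looks like. The others never reach step 2.
HISTORIES = {"c6": [0.59, 0.61, 0.60, 0.62], "c7": [0.80, 0.81, 0.79, 0.80]}

if __name__ == "__main__":
    result = filter_round(SCORES, HISTORIES)
    for cid in sorted(result):
        print(cid, SCORES[cid], *result[cid])
    print("aggregate:", accepted(result))
```

On the sample round the IQR step alone flags c8 (0.20) as obvious-poisoned and leaves c6 and c7 ambiguous; a pure IQR filter would either reject both or keep both. The Z-score step keeps c6, whose 0.60 is in line with its own history, and rejects c7, whose 0.58 is far below its previous ~0.80, which is exactly the false-rejection case the abstract is aiming at. One caveat worth keeping in mind when the history is the reference: whatever is appended to it after each round (here the caller decides) is what a patient attacker would try to drift, so the history should be built from scores the server measured itself, not from anything the client reports.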