
Using Anomaly Detection to Detect Poisoning Attacks in Federated Learning Applications

Ali Raza, Shujun Li, Kim-Phuc Tran, Ludovic Koehl, Kim Duc Tran

TL;DR

This paper tackles poisoning attacks in federated learning by introducing an anomaly-detection framework that leverages a public dataset to train a reference model (RM) and an auditor model (AM). The core idea is to extract last-layer activations to form activation-based features, train an OC-SVM-based auditor, and use a poison-rate threshold to filter malicious updates, achieving $\mathcal{O}(K)$ complexity. The approach is demonstrated on ECG classification and HAR tasks, showing high accuracy in distinguishing benign vs. malicious updates and preserving global-model performance under multiple attack types, without requiring prior knowledge of the number of attackers. The framework offers a practical, scalable defense for FL deployments where public datasets and trusted audit components can be maintained, with potential for zero-trust extensions and broader attack-resilience analyses.

Abstract

Adversarial attacks such as poisoning attacks have attracted the attention of many machine learning researchers. Traditionally, poisoning attacks attempt to inject adversarial training data in order to manipulate the trained model. In federated learning (FL), data poisoning attacks can be generalized to model poisoning attacks, which cannot be detected by simpler methods due to the lack of access to local training data by the detector. State-of-the-art poisoning attack detection methods for FL have various weaknesses, e.g., the number of attackers has to be known or not high enough, working with i.i.d. data only, and high computational complexity. To overcome the above weaknesses, we propose a novel framework for detecting poisoning attacks in FL, which employs a reference model based on a public dataset and an auditor model to detect malicious updates. We implemented a detector based on the proposed framework and using a one-class support vector machine (OC-SVM), which reaches the lowest possible computational complexity O(K), where K is the number of clients. We evaluated our detector's performance against state-of-the-art (SOTA) poisoning attacks for two typical applications of FL: electrocardiograph (ECG) classification and human activity recognition (HAR). Our experimental results validated the performance of our detector over other SOTA detection methods.
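The detection pipeline that the TL;DR and abstract describe (reference model built from a public dataset, auditor fitted on the RM's last-layer activations, a per-client poison rate compared against a threshold, one auditor pass per client so the cost is O(K)), as an added illustration that is not the paper's code: the models are tiny hand-built linear last layers, the public dataset and the client updates are constructed, and a z-score radius stands in for the paper's OC-SVM so the block runs without scikit-learn.

```python
import math
import random

random.seed(7)
DIM = CLASSES = 3   # tiny linear "model": we keep only its last layer
N_PUBLIC = 200      # size of the constructed public dataset

# Constructed public dataset: noisy one-hot class prototypes (stand-in for ECG/HAR features).
PUBLIC = []
for _ in range(N_PUBLIC):
    y = random.randrange(CLASSES)
    PUBLIC.append(([random.gauss(2.0 if d == y else 0.0, 0.3) for d in range(DIM)], y))

def activations(model, x):
    """Last-layer activations (logits) of a (weights, bias) model on input x."""
    w, b = model
    return [sum(w[c][d] * x[d] for d in range(DIM)) + b[c] for c in range(CLASSES)]

# Reference model (RM): hand-built identity classifier for the public data (assumption).
RM = ([[1.0 if d == c else 0.0 for d in range(DIM)] for c in range(CLASSES)], [0.0] * CLASSES)

def zdist(act, mean, std):
    return math.sqrt(sum(((a - m) / s) ** 2 for a, m, s in zip(act, mean, std)))

def fit_auditor(rm, public, nu=0.05):
    """Auditor model (AM) fitted only on RM's activation features. Stand-in for the paper's
    OC-SVM: a z-score radius calibrated so a fraction nu of RM's own activations lie outside."""
    feats = [activations(rm, x) for x, _ in public]
    mean = [sum(f[c] for f in feats) / len(feats) for c in range(CLASSES)]
    std = [math.sqrt(sum((f[c] - mean[c]) ** 2 for f in feats) / len(feats)) + 1e-9
           for c in range(CLASSES)]
    dists = sorted(zdist(f, mean, std) for f in feats)
    return mean, std, dists[int((1 - nu) * len(dists))]

def poison_rate(auditor, model, public):
    """Fraction of public samples whose activations under `model` the auditor flags."""
    mean, std, radius = auditor
    return sum(zdist(activations(model, x), mean, std) > radius for x, _ in public) / len(public)

def audit_updates(auditor, updates, public, threshold=0.3):
    """One auditor pass per client update, i.e. O(K); keep ids with poison rate <= threshold."""
    return [cid for cid, m in updates.items() if poison_rate(auditor, m, public) <= threshold]

def perturb(model, scale):  # model plus Gaussian noise on every weight and bias
    w, b = model
    return [[v + random.gauss(0, scale) for v in row] for row in w], [v + random.gauss(0, scale) for v in b]

# Constructed client updates: two benign (small drift), SF = sign flip, AGA = additive Gaussian noise.
CLIENTS = {"benign_1": perturb(RM, 0.05), "benign_2": perturb(RM, 0.05),
           "sign_flip": ([[-v for v in row] for row in RM[0]], [-v for v in RM[1]]),
           "gauss_noise": perturb(RM, 2.0)}
AUDITOR = fit_auditor(RM, PUBLIC)   # audit with: audit_updates(AUDITOR, CLIENTS, PUBLIC)
```

The threshold 0.3 and nu 0.05 are constructed values; the paper's own settings are not stated on this page.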

Paper Structure (20 sections, 2 theorems, 1 equation, 5 figures, 7 tables, 1 algorithm)

Key Result

Proposition 1

When a model is trained on noisy data (malicious/poisoned), the first half of the layers are similar to a model trained on good-quality data (benign).

Figures (5)

  • Figure 1: Overview of the proposed framework
  • Figure 2: Performance of the global model with and without our proposed framework under four different data poisoning attacks on ECG classification. Here GM is Global Model, LS is Label Swapping attack, RLF is Random Label Flipping, RL is Random Label and FP is Feature Poisoning.
  • Figure 3: Performance of the global model with and without the proposed framework under four different data poisoning attacks on HAR.
  • Figure 4: Performance of the global model with and without the proposed framework under four different model poisoning attacks on ECG classification. Here GM is Global Model, SF is Sign Flip attack, SV is Same Value attack, AGA is Additive Gaussian noise Attack and GA is Gradient Ascent attack.
  • Figure 5: Performance of the global model with and without the proposed framework under four different model poisoning attacks on HAR.

Theorems & Definitions (2)

  • Proposition 1
  • Proposition 2