FedCC: Robust Federated Learning against Model Poisoning Attacks

TL;DR

FedCC tackles the security challenges of privacy-preserving federated learning by introducing a kernel-based, representational approach to robust aggregation. It applies Centered Kernel Alignment to penultimate-layer representations to cluster clients and perform layer-wise, similarity-weighted aggregation, avoiding raw data sharing. Empirical results across IID and non-IID settings show FedCC significantly improves global accuracy against untargeted model poisoning (e.g., up to 66.27% improvement) and reduces backdoor confidence to near zero for targeted attacks (with a 65.5% reduction in average degradation), outperforming existing defenses. This representation-based, non-thresholding approach offers strong robustness against adaptive and distributed attacks, with practical privacy-preserving advantages for real-world FL deployments.

Abstract

Federated learning is a distributed framework designed to address privacy concerns. However, it introduces new attack surfaces, which are especially prone when data is non-Independently and Identically Distributed. Existing approaches fail to effectively mitigate the malicious influence in this setting; previous approaches often tackle non-IID data and poisoning attacks separately. To address both challenges simultaneously, we present FedCC, a simple yet effective novel defense algorithm against model poisoning attacks. It leverages the Centered Kernel Alignment similarity of Penultimate Layer Representations for clustering, allowing the identification and filtration of malicious clients, even in non-IID data settings. The penultimate layer representations are meaningful since the later layers are more sensitive to local data distributions, which allows better detection of malicious clients. The sophisticated utilization of layer-wise Centered Kernel Alignment similarity allows attack mitigation while leveraging useful knowledge obtained. Our extensive experiments demonstrate the effectiveness of FedCC in mitigating both untargeted model poisoning and targeted backdoor attacks. Compared to existing outlier detection-based and first-order statistics-based methods, FedCC consistently reduces attack confidence to zero. Specifically, it significantly minimizes the average degradation of global performance by 65.5\%. We believe that this new perspective on aggregation makes it a valuable contribution to the field of FL model security and privacy. The code will be made available upon acceptance.

Figures (6)

• Figure 1: LeNet (CNN) architecture and Penultimate Layer
• Figure 2: An Overview of FedCC. $k$, $n$, $a$, and $b$ indicate the kth layer, the number of participating clients, normalized similarity across all layers (i.e., across_cka), and normalized similarity within the cluster (i.e., within_cka), respectively.
• Figure 3: Cluster Distance of Each Layer
• Figure 4: Confidence of Backdoor Task for targeted attacks in Non-IID settings.
• Figure 5: Confidence of Backdoor Task for targeted attacks in IID settings.