Protecting Federated Learning from Extreme Model Poisoning Attacks via Multidimensional Time Series Anomaly Detection

Edoardo Gabrielli, Dimitri Belli, Zoe Matrullo, Vittorio Miori, Gabriele Tolomei

TL;DR

FLANDERS introduces a novel pre-aggregation filter for federated learning that leverages a matrix autoregressive (MAR) time-series model to forecast the next round of client updates and identify outliers. By treating the per-round, per-client updates as a d-by-m matrix (d model parameters by m selected clients), FLANDERS computes an anomaly score for each selected client and filters out the suspected malicious contributions before a standard or robust aggregation rule is applied. The method makes no assumption about the number of adversarial clients and exploits the temporal dependencies in the updates, both within a client across rounds and across clients, which gives it strong robustness even when malicious participants dominate. Empirical results across non-IID data, multiple datasets, and several attack types show that FLANDERS improves the resilience of existing aggregation rules (e.g., FedAvg, Multi-Krum, Bulyan) and enables them to maintain high accuracy under extreme attack scenarios, albeit with a computational cost that can be mitigated via dimensionality reduction and sampling. The work also discusses practical limitations, including efficiency, privacy considerations, cross-device scalability, and the need for broader benchmarking, while providing a pathway to integrate FLANDERS into existing FL frameworks such as Flower.

Abstract

Current defense mechanisms against model poisoning attacks in federated learning (FL) systems have proven effective up to a certain threshold of malicious clients. In this work, we introduce FLANDERS, a novel pre-aggregation filter for FL resilient to large-scale model poisoning attacks, i.e., when malicious clients far exceed legitimate participants. FLANDERS treats the sequence of local models sent by clients in each FL round as a matrix-valued time series. Then, it identifies malicious client updates as outliers in this time series by comparing actual observations with estimates generated by a matrix autoregressive forecasting model maintained by the server. Experiments conducted in several non-iid FL setups show that FLANDERS significantly improves robustness across a wide spectrum of attacks when paired with standard and robust existing aggregation methods.
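The pipeline sketched in the TL;DR and the abstract (stack the selected clients' updates into a d-by-m matrix, forecast the next matrix from the past ones with a matrix autoregressive model, score each client by how far its observed update is from the forecast, drop the highest-scoring clients, then aggregate the rest) as an added illustration. This is not the authors' code: the page does not give the estimator, the anomaly score, or the selection rule, so this example assumes a MAR(1) model X_t ≈ A X_{t-1} B fitted by alternating ridge least squares, the per-column L2 gap between forecast and observation as the score, and a fixed number `n_drop` of clients to discard; the update histories and the GAUSS-style noise attack are constructed.

```python
"""Illustration of the FLANDERS idea with a toy MAR(1) forecaster (pure Python).

Assumptions (not from the paper): MAR(1) X_t ~ A X_{t-1} B fitted by alternating
ridge least squares; anomaly score = L2 distance between a client's forecast
column and its observed column; the n_drop highest scores are filtered out.
"""
import math
import random

# ---- minimal dense linear algebra on nested lists (d and m are small here) ----
def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def madd(A, B):
    return [[a + b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def solve(A, Y):
    """Return X with A X = Y (Gauss-Jordan with partial pivoting)."""
    n = len(A)
    M = [row[:] + y[:] for row, y in zip(A, Y)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        piv = M[c][c]
        M[c] = [v / piv for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0.0:
                f = M[r][c]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[c])]
    return [row[n:] for row in M]

# ---- MAR(1) forecaster: X_t ~ A X_{t-1} B, fitted on the server-side history ----
def fit_mar1(history, iters=10, ridge=1e-3):
    """Alternating ridge least squares for A (d x d) and B (m x m)."""
    d, m = len(history[0]), len(history[0][0])
    A, B = identity(d), identity(m)
    pairs = list(zip(history[:-1], history[1:]))
    for _ in range(iters):
        # A-step: with Z = X_{t-1} B fixed, (sum Z Z^T + ridge I) A^T = sum Z X_t^T
        S = [[ridge * (i == j) for j in range(d)] for i in range(d)]
        R = [[0.0] * d for _ in range(d)]
        for Xp, Xn in pairs:
            Z = matmul(Xp, B)
            S = madd(S, matmul(Z, transpose(Z)))
            R = madd(R, matmul(Z, transpose(Xn)))
        A = transpose(solve(S, R))
        # B-step: with W = A X_{t-1} fixed, (sum W^T W + ridge I) B = sum W^T X_t
        S = [[ridge * (i == j) for j in range(m)] for i in range(m)]
        R = [[0.0] * m for _ in range(m)]
        for Xp, Xn in pairs:
            W = matmul(A, Xp)
            S = madd(S, matmul(transpose(W), W))
            R = madd(R, matmul(transpose(W), Xn))
        B = solve(S, R)
    return A, B

def forecast(A, B, X_last):
    return matmul(matmul(A, X_last), B)

def anomaly_scores(X_hat, X_obs):
    """One score per client: L2 gap between forecast column and observed column."""
    d, m = len(X_obs), len(X_obs[0])
    return [math.sqrt(sum((X_hat[i][j] - X_obs[i][j]) ** 2 for i in range(d)))
            for j in range(m)]

def flanders_filter(history, X_obs, n_drop):
    """Pre-aggregation filter: returns (kept clients, dropped clients, scores)."""
    A, B = fit_mar1(history)
    scores = anomaly_scores(forecast(A, B, history[-1]), X_obs)
    ranked = sorted(range(len(scores)), key=lambda j: scores[j], reverse=True)
    dropped = set(ranked[:n_drop])
    kept = [j for j in range(len(scores)) if j not in dropped]
    return kept, sorted(dropped), scores

def fedavg(X_obs, kept):
    """Plain FedAvg over the surviving columns (any robust rule could go here)."""
    return [sum(row[j] for j in kept) / len(kept) for row in X_obs]

# ---- constructed data: honest clients follow smooth dynamics, attackers send noise ----
def make_rounds(d=4, m=5, T=6, malicious=(1, 3, 4), seed=0):
    rng = random.Random(seed)
    C = [[0.9 if i == j else 0.05 * ((i + j) % 3 - 1) for j in range(d)] for i in range(d)]
    X = [[rng.uniform(-1, 1) for _ in range(m)] for _ in range(d)]
    history = [X]
    for _ in range(T - 1):
        X = [[v + rng.gauss(0, 0.01) for v in row] for row in matmul(C, X)]
        history.append(X)
    # current round: 3 of 5 clients are malicious and send Gaussian noise (GAUSS-style)
    X_next = [[v + rng.gauss(0, 0.01) for v in row] for row in matmul(C, history[-1])]
    for j in malicious:
        for i in range(d):
            X_next[i][j] = rng.gauss(0, 3.0)
    return history, X_next

if __name__ == "__main__":
    history, X_obs = make_rounds()
    kept, dropped, scores = flanders_filter(history, X_obs, n_drop=3)
    print("scores:", [round(s, 3) for s in scores])
    print("dropped:", dropped, "kept:", kept)
    print("aggregate:", [round(v, 3) for v in fedavg(X_obs, kept)])
```

With a malicious majority (3 of 5 clients) a median- or trimmed-mean-style rule on its own has nothing honest to fall back on, which is the extreme regime the abstract targets; here the filter succeeds only because the forecast is built from past rounds, so the attacker's update is compared against the client's own trajectory rather than against its peers in the same round. The number of clients to drop is a knob a deployment has to set (the page does not say how FLANDERS chooses it), and the O(d^3 + m^3) solves per round are why the paper mentions dimensionality reduction and sampling.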

Paper Structure (36 sections, 24 equations, 4 figures, 20 tables, 2 algorithms)

Figures (4)

  • Figure 1: Empirical distributions of average TDMI computed between each pair of consecutive local models sent by the legitimate client $i$, $(\bm{\theta}_i^{(t)}, \bm{\theta}_i^{(t+1)})$, and by the malicious client $j$, $(\bm{\theta}_j^{(t)}, \bm{\theta}_j^{(t+1)})$, when the latter runs one of the four attacks considered in this work, namely GAUSS, LIE, OPT, and AGR-MM.
  • Figure 2: Overview of FLANDERS.
  • Figure 3: FedAvg with FLANDERS (left) vs. "vanilla" FedAvg (right). Accuracy of the global model in each FL round under all attack strategies on the MNIST dataset, with $80\%$ of malicious clients. Attack starts at round $t=3$.
  • Figure 4: Accuracy vs. total Training Time (in seconds) of FedAvg and Bulyan compared with their corresponding versions with FLANDERS as a filter for the MNIST (left) and CIFAR-10 (right) datasets.