FedRDF: A Robust and Dynamic Aggregation Function against Poisoning Attacks in Federated Learning

TL;DR

The paper tackles poisoning attacks in federated learning by introducing FedRDF, an FFT-based robust aggregation that does not require prior knowledge of the number of attackers. Client updates are projected into the frequency domain via the discrete Fourier transform, and the high-density (high-frequency) components are used to form the aggregated model, effectively excluding malicious updates. A dynamic strategy uses a Kolmogorov–Smirnov test to decide whether to apply FedAvg or FFT in each round, enabling resilience across varying attack scenarios. Evaluations on FEMNIST show FedRDF outperforms standard robust aggregations (FedMedian, Trimmed Mean, Krumm) under random weights and min-max attacks, while maintaining FedAvg performance in clean settings; the dynamic approach with a 0.02 KS-threshold further improves robustness. The approach provides practical implications for secure FL by offering attacker-number agnosticism and adaptive defense with modest computational overhead from FFT.

Abstract

Federated Learning (FL) represents a promising approach to typical privacy concerns associated with centralized Machine Learning (ML) deployments. Despite its well-known advantages, FL is vulnerable to security attacks such as Byzantine behaviors and poisoning attacks, which can significantly degrade model performance and hinder convergence. The effectiveness of existing approaches to mitigate complex attacks, such as median, trimmed mean, or Krum aggregation functions, has been only partially demonstrated in the case of specific attacks. Our study introduces a novel robust aggregation mechanism utilizing the Fourier Transform (FT), which is able to effectively handling sophisticated attacks without prior knowledge of the number of attackers. Employing this data technique, weights generated by FL clients are projected into the frequency domain to ascertain their density function, selecting the one exhibiting the highest frequency. Consequently, malicious clients' weights are excluded. Our proposed approach was tested against various model poisoning attacks, demonstrating superior performance over state-of-the-art aggregation methods.

Figures (9)

• Figure 1: Visual description of how min-max attack works. The malicious weights (red points) separate from legitimate weights (green points), with the intention of degrading the overall system performance. The attack forces the legitimate weights to deviate from their true positions (indicated by light green), which they would naturally converge to in the absence of malicious entities.
• Figure 2: Scheme of our federated environment. Benign weights are presented as green packages. Malign clients cooperate to send malicious weights (red packages) to the server using a certain function $F_M$ (\ref{['eq:minmax']} in our case). The server aggregates the weights using a certain aggregation function $F$
• Figure 3: Visual description of our aggregation method
• Figure 4: Comparison of accuracy different aggregation functions for random weights attack
• Figure 5: Comparison of different aggregation functions for min-max attack