A Novel Defense Against Poisoning Attacks on Federated Learning: LayerCAM Augmented with Autoencoder

Jingjing Zheng, Xin Yuan, Kai Li, Wei Ni, Eduardo Tovar, Jon Crowcroft

TL;DR

This work addresses poisoning attacks in federated learning by introducing LayerCAM-AE, a server-side defense that converts high-dimensional local model updates into discriminative LayerCAM heat maps and refines them with an autoencoder to reveal anomalous patterns. A voting mechanism is used to stabilize decisions across communication rounds, reducing false positives. Empirical results on SVHN and CIFAR-100 under IID and non-IID settings show LayerCAM-AE achieving near-perfect detection metrics and superior global accuracy compared with ResNet-50 and REGNETY-800MF baselines, including under challenging heterogeneity. The approach leverages heat-map representations and learned latent features to overcome the limitations of Euclidean-distance-based defenses, offering robust, architecture-agnostic protection for FL deployments.

Abstract

Recent attacks on federated learning (FL) can introduce malicious model updates that circumvent widely adopted Euclidean distance-based detection methods. This paper proposes a novel defense strategy, referred to as LayerCAM-AE, designed to counteract model poisoning in federated learning. The LayerCAM-AE puts forth a new Layer Class Activation Mapping (LayerCAM) integrated with an autoencoder (AE), significantly enhancing detection capabilities. Specifically, LayerCAM-AE generates a heat map for each local model update, which is then transformed into a more compact visual format. The autoencoder is designed to process the LayerCAM heat maps from the local model updates, improving their distinctiveness and thereby increasing the accuracy in spotting anomalous maps and malicious local models. To address the risk of misclassifications with LayerCAM-AE, a voting algorithm is developed, where a local model update is flagged as malicious if its heat maps are consistently suspicious over several rounds of communication. Extensive tests of LayerCAM-AE on the SVHN and CIFAR-100 datasets are performed under both Independent and Identically Distributed (IID) and non-IID settings in comparison with existing ResNet-50 and REGNETY-800MF defense models. Experimental results show that LayerCAM-AE increases detection rates (Recall: 1.0, Precision: 1.0, FPR: 0.0, Accuracy: 1.0, F1 score: 1.0, AUC: 1.0) and test accuracy in FL, surpassing the performance of both the ResNet-50 and REGNETY-800MF. Our code is available at: https://github.com/jjzgeeks/LayerCAM-AE
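The detection pipeline the abstract describes ends in two server-side steps: each round, the reconstruction error the autoencoder assigns to a client's LayerCAM heat map is compared against a threshold, and a client is only excluded once it has been flagged consistently across several rounds. The following Python is an added illustration of those two steps and is not the paper's code or anything from the linked repository. It assumes the autoencoder stage has already run and takes its per-client reconstruction errors as input (the values below are constructed, not measured); the median-plus-MAD threshold, the five-round window and the three-vote minimum are assumptions made for the example, not parameters from the paper.

```python
"""Round-wise flagging of anomalous heat-map reconstruction errors, followed by
cross-round voting, in the spirit of the LayerCAM-AE server-side defense.
Added example; the threshold rule and voting parameters are assumptions."""
from statistics import median
from typing import Dict, List, Set


def robust_threshold(errors: Dict[str, float], k: float = 3.0) -> float:
    """Assumed rule: flag anything above median + k * MAD of this round's errors.
    Median and MAD are used because a minority of poisoned clients should not
    drag a mean-based threshold upward."""
    vals = list(errors.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals)
    return med + k * mad


def flag_round(errors: Dict[str, float], k: float = 3.0) -> Dict[str, bool]:
    """Per-round decision: True where a client's reconstruction error is suspicious."""
    thr = robust_threshold(errors, k)
    return {client: err > thr for client, err in errors.items()}


class RoundVoter:
    """Keeps per-client flag history and excludes a client only when it has been
    flagged at least `min_votes` times within the last `window` rounds, so a
    single-round outlier (a benign client with an unusual update) is tolerated."""

    def __init__(self, window: int = 5, min_votes: int = 3) -> None:
        self.window = window
        self.min_votes = min_votes
        self.history: Dict[str, List[bool]] = {}

    def update(self, flags: Dict[str, bool]) -> None:
        for client, flagged in flags.items():
            self.history.setdefault(client, []).append(flagged)

    def malicious(self) -> Set[str]:
        return {
            client
            for client, hist in self.history.items()
            if sum(hist[-self.window:]) >= self.min_votes
        }


def run_defense(rounds: List[Dict[str, float]], window: int = 5,
                min_votes: int = 3, k: float = 3.0) -> List[List[str]]:
    """Feed each round's reconstruction errors through flagging and voting;
    return, per round, the sorted list of clients the server would exclude."""
    voter = RoundVoter(window, min_votes)
    excluded_per_round: List[List[str]] = []
    for errors in rounds:
        voter.update(flag_round(errors, k))
        excluded_per_round.append(sorted(voter.malicious()))
    return excluded_per_round


# Constructed reconstruction errors for six clients over five rounds.
# c5 is the poisoned client (consistently large error); c2 is benign but
# produces one unusual heat map in round 1, which voting should absorb.
SAMPLE_ROUNDS: List[Dict[str, float]] = [
    {"c0": 0.10, "c1": 0.11, "c2": 0.12, "c3": 0.10, "c4": 0.13, "c5": 0.45},
    {"c0": 0.10, "c1": 0.11, "c2": 0.50, "c3": 0.10, "c4": 0.13, "c5": 0.45},
    {"c0": 0.11, "c1": 0.10, "c2": 0.12, "c3": 0.09, "c4": 0.12, "c5": 0.47},
    {"c0": 0.10, "c1": 0.12, "c2": 0.11, "c3": 0.10, "c4": 0.13, "c5": 0.44},
    {"c0": 0.11, "c1": 0.11, "c2": 0.12, "c3": 0.10, "c4": 0.12, "c5": 0.46},
]

if __name__ == "__main__":
    for rnd, excluded in enumerate(run_defense(SAMPLE_ROUNDS)):
        print(f"round {rnd}: excluded={excluded}")
```

On the constructed input, c2 is flagged in round 1 alone and never reaches the vote threshold, while c5 accumulates three flags by round 2 and is excluded from then on; without the voting layer, c2 would have been dropped for one round on the strength of a single anomalous map.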

Paper Structure (14 sections, 15 equations, 10 figures, 5 tables, 1 algorithm)

Figures (10)

  • Figure 1: Illustration of the proposed LayerCAM-AE framework, where the server arbitrarily selects an image (e.g., an image with the label "butterfly") from the global model testing dataset to create LayerCAM heat maps for every uploaded model update. These LayerCAM heat maps flow into an autoencoder. Large reconstruction errors of heat maps are judged malicious.
  • Figure 2: ResNet-50 on IID SVHN and CIFAR100.
  • Figure 3: REGNETY-800MF on IID SVHN and CIFAR100.
  • Figure 4: ResNet-50 on non-IID SVHN and CIFAR100.
  • Figure 5: REGNETY-800MF on non-IID SVHN and CIFAR100.
  • ...and 5 more figures