An Empirical Analysis of Federated Learning Models Subject to Label-Flipping Adversarial Attack
Kunal Bhatnagar, Sagana Chattanathan, Angela Dang, Bhargav Eranki, Ronnit Rana, Charan Sridhar, Siddharth Vedam, Angie Yao, Mark Stamp
TL;DR
The paper tackles label-flipping adversarial attacks in federated learning by evaluating seven diverse models (MLR, SVC, MLP, CNN, RF, XGBoost, LSTM) under scenarios with 10 and 100 clients. Using FedAvg within the Flower framework, it varies the fraction of adversarial clients and the per-client label flip rate to map robustness via 3D accuracy surfaces and dominance curves. Key findings show model-dependent robustness: some models (e.g., MLR, SVC, MLP, LSTM) maintain substantial performance under certain attack configurations, while tree-based ensembles (RF, XGBoost) are more vulnerable as client counts rise and adversarial influence grows; CNNs exhibit mixed behavior, improving slightly with federation but degrading sharply with many clients. The results have practical implications for selecting FL models based on likely attack patterns and for informing defense strategies, with future work suggested on broader models, finer attack granularity, targeted attacks, and defensive analyses.
Abstract
In this paper, we empirically analyze adversarial attacks on selected federated learning models. The specific learning models considered are Multinomial Logistic Regression (MLR), Support Vector Classifier (SVC), Multilayer Perceptron (MLP), Convolutional Neural Network (CNN), Random Forest, XGBoost, and Long Short-Term Memory (LSTM). For each model, we simulate label-flipping attacks, experimenting extensively with 10 federated clients and 100 federated clients. We vary the percentage of adversarial clients from 10% to 100% and, simultaneously, the percentage of labels flipped by each adversarial client is also varied from 10% to 100%. Among other results, we find that models differ in their inherent robustness to the two vectors in our label-flipping attack, i.e., the percentage of adversarial clients and the percentage of labels flipped by each adversarial client. We discuss the potential practical implications of our results.
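The experimental setup described in the abstract (FedAvg aggregation, a fraction of adversarial clients, each flipping a fraction of its own labels, and accuracy measured over the resulting grid) can be reproduced in miniature to see how the two attack vectors interact. The following is an added example written for this page, not the paper's code and not the Flower framework: it assumes a binary logistic-regression client (a simplification of the paper's MLR), a constructed two-cluster Gaussian dataset in place of the paper's data, and plain weighted weight-averaging for FedAvg. The function and parameter names (`fedavg_accuracy`, `accuracy_surface`, `frac_adv`, `flip_rate`) are this example's own.

```python
"""Toy FedAvg robustness experiment for the two label-flipping vectors
discussed above: fraction of adversarial clients and per-client flip rate.
Added example, not the paper's code; uses binary logistic regression on a
constructed dataset and a hand-written FedAvg instead of the Flower framework."""
import math
import random


def make_dataset(n, rng):
    """Constructed data: class 0 around (-2,-2), class 1 around (2,2), balanced."""
    xs, ys = [], []
    for i in range(n):
        y = i % 2
        c = 2.0 if y == 1 else -2.0
        xs.append((rng.gauss(c, 1.0), rng.gauss(c, 1.0)))
        ys.append(y)
    return xs, ys


def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # clamp to avoid overflow in exp
    return 1.0 / (1.0 + math.exp(-z))


def predict(w, x):
    """w = [w0, w1, bias]; returns the predicted class 0 or 1."""
    return 1 if sigmoid(w[0] * x[0] + w[1] * x[1] + w[2]) >= 0.5 else 0


def local_train(w, xs, ys, epochs=3, lr=0.1):
    """Client-side SGD for logistic regression, starting from the global weights."""
    w = list(w)
    for _ in range(epochs):
        for x, y in zip(xs, ys):
            g = sigmoid(w[0] * x[0] + w[1] * x[1] + w[2]) - y
            w[0] -= lr * g * x[0]
            w[1] -= lr * g * x[1]
            w[2] -= lr * g
    return w


def flip_labels(ys, flip_rate, rng):
    """Simulated adversarial client: inverts a fraction flip_rate of its labels."""
    ys = list(ys)
    k = round(flip_rate * len(ys))
    for i in rng.sample(range(len(ys)), k):
        ys[i] = 1 - ys[i]
    return ys


def fedavg_accuracy(n_clients, frac_adv, flip_rate, rounds=5, per_client=50, seed=0):
    """Train with FedAvg where round(frac_adv * n_clients) clients flip flip_rate
    of their labels; return accuracy on a clean held-out test set."""
    rng = random.Random(seed)
    test_x, test_y = make_dataset(400, rng)
    n_adv = round(frac_adv * n_clients)
    clients = []
    for c in range(n_clients):
        xs, ys = make_dataset(per_client, rng)
        if c < n_adv:
            ys = flip_labels(ys, flip_rate, rng)
        clients.append((xs, ys))
    total = sum(len(xs) for xs, _ in clients)
    w_global = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        agg = [0.0, 0.0, 0.0]
        for xs, ys in clients:
            w_local = local_train(w_global, xs, ys)
            for j in range(3):  # weighted average by client sample count
                agg[j] += w_local[j] * len(xs) / total
        w_global = agg
    correct = sum(predict(w_global, x) == y for x, y in zip(test_x, test_y))
    return correct / len(test_x)


def accuracy_surface(n_clients, grid=(0.1, 0.5, 1.0), seed=0):
    """Accuracy over the (fraction adversarial, flip rate) grid, i.e. the data
    behind the paper's 3-D accuracy surfaces, here on a coarse 3x3 grid."""
    return {(fa, fr): fedavg_accuracy(n_clients, fa, fr, seed=seed)
            for fa in grid for fr in grid}


if __name__ == "__main__":
    for n in (10, 100):
        print(f"{n} clients:")
        for (fa, fr), acc in sorted(accuracy_surface(n).items()):
            print(f"  adversarial={fa:.1f} flip_rate={fr:.1f} -> accuracy {acc:.3f}")
```

Running `accuracy_surface(10)` and `accuracy_surface(100)` side by side shows the effect the paper measures: a few adversarial clients flipping a few labels leave accuracy near the clean baseline, while a large adversarial fraction with a high flip rate drives the global model below chance, since averaging fully inverted local models teaches the inverted decision boundary. Swapping `local_train` for another model family is how one would extend this toy to the per-model comparison the paper performs.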
