FedNIA: Noise-Induced Activation Analysis for Mitigating Data Poisoning in FL

Ehsan Hallaji, Roozbeh Razavi-Far, Mehrdad Saif

TL;DR

FedNIA addresses the data poisoning challenge in non-iid federated learning by introducing a noise-induced activation analysis detector that operates without a central test dataset. By injecting random noise and analyzing layer-wise activations through a per-layer autoencoder, it identifies and filters malicious client updates before aggregation, achieving robustness against sample poisoning, label flipping, and backdoors, even with multiple attackers. The method preserves baseline performance in benign settings and demonstrates strong resilience across attack types, albeit with higher computational cost. The work offers a practical, dataset-agnostic defense framework with potential for broader applicability and efficiency improvements in secure FL systems.

Abstract

Federated learning systems are increasingly threatened by data poisoning attacks, where malicious clients compromise global models by contributing tampered updates. Existing defenses often rely on impractical assumptions, such as access to a central test dataset, or fail to generalize across diverse attack types, particularly those involving multiple malicious clients working collaboratively. To address this, we propose Federated Noise-Induced Activation Analysis (FedNIA), a novel defense framework to identify and exclude adversarial clients without relying on any central test dataset. FedNIA injects random noise inputs to analyze the layerwise activation patterns in client models leveraging an autoencoder that detects abnormal behaviors indicative of data poisoning. FedNIA can defend against diverse attack types, including sample poisoning, label flipping, and backdoors, even in scenarios with multiple attacking nodes. Experimental results on non-iid federated datasets demonstrate its effectiveness and robustness, underscoring its potential as a foundational approach for enhancing the security of federated learning systems.
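The abstract describes the server-side pipeline only in outline: probe every client model with the same random-noise inputs, collect layer-wise activations, score them with an autoencoder, and drop the clients whose activations look abnormal before aggregating. The toy below is an added illustration of that pipeline and is not the authors' code. It assumes a two-layer ReLU MLP, a closed-form linear autoencoder (PCA) in place of the paper's neural autoencoder, that the autoencoder is fitted on the activations of the previous round's global model, a rejection rule "reconstruction error above TAU times the reference error on any layer", and constructed attackers (a trigger unit spliced into the hidden layer for a backdoor, and a permuted, boosted output layer standing in for label flipping). The bottleneck sizes, TAU and all weights are constructed, not taken from the paper.

```python
"""Toy FedNIA-style server filter: noise probes, per-layer linear autoencoder,
reject-before-aggregate.  Added illustration; assumptions are marked below."""
import numpy as np

D_IN, D_HID, N_CLASS = 8, 16, 4        # constructed toy MLP sizes
N_NOISE = 128                          # number of random-noise probe inputs
TAU = 2.0                              # constructed rejection threshold (assumption)
RANK = {"hidden": 4, "logits": 2}      # autoencoder bottleneck per layer (assumption)


def forward(model, x):
    """Layer-wise activations of a two-layer ReLU MLP on probe inputs x."""
    hidden = np.maximum(x @ model["W1"] + model["b1"], 0.0)
    logits = hidden @ model["W2"] + model["b2"]
    return {"hidden": hidden, "logits": logits}


def fit_linear_ae(acts, rank):
    """Closed-form linear autoencoder: mean plus top-`rank` principal directions.
    Stands in for the paper's trained autoencoder (assumption)."""
    mu = acts.mean(axis=0)
    _, _, vt = np.linalg.svd(acts - mu, full_matrices=False)
    return mu, vt[:rank].T              # (d,), (d, rank) orthonormal basis


def recon_error(ae, acts):
    """Mean squared reconstruction error of activation rows under autoencoder ae."""
    mu, basis = ae
    centred = acts - mu
    resid = centred - centred @ basis @ basis.T
    return float(np.mean(np.sum(resid ** 2, axis=1)))


def score_clients(global_model, client_models, noise):
    """Per-client, per-layer error ratio relative to the reference (global) model."""
    ref_acts = forward(global_model, noise)
    aes = {name: fit_linear_ae(ref_acts[name], RANK[name]) for name in ref_acts}
    ref_err = {name: recon_error(aes[name], ref_acts[name]) for name in aes}
    scores = []
    for model in client_models:
        acts = forward(model, noise)
        scores.append({name: recon_error(aes[name], acts[name]) / ref_err[name]
                       for name in aes})
    return scores


def filter_and_aggregate(global_model, client_models, noise, tau=TAU):
    """Reject clients whose worst-layer ratio exceeds tau, then FedAvg the rest."""
    scores = score_clients(global_model, client_models, noise)
    accepted = [i for i, s in enumerate(scores) if max(s.values()) <= tau]
    rejected = [i for i in range(len(client_models)) if i not in accepted]
    if not accepted:                    # nothing trustworthy: keep the old global model
        return dict(global_model), accepted, rejected, scores
    aggregated = {k: np.mean([client_models[i][k] for i in accepted], axis=0)
                  for k in global_model}
    return aggregated, accepted, rejected, scores


def build_scenario(seed=0, n_benign=8):
    """Constructed round: 8 benign clients (small non-iid drift), 1 backdoor client
    with an implanted trigger unit, 1 label-flip client with a boosted output layer."""
    rng = np.random.default_rng(seed)
    base = {
        "W1": rng.normal(0.0, D_IN ** -0.5, (D_IN, D_HID)),
        "b1": np.zeros(D_HID),
        "W2": rng.normal(0.0, D_HID ** -0.5, (D_HID, N_CLASS)),
        "b2": np.zeros(N_CLASS),
    }

    def drift(m):                       # benign non-iid drift: small Gaussian perturbation
        return {k: v + rng.normal(0.0, 0.02, v.shape) for k, v in m.items()}

    clients = [drift(base) for _ in range(n_benign)]
    backdoor = drift(base)
    backdoor["W1"][:, 5] += 3.0         # trigger unit: fires strongly on any input
    flipper = drift(base)
    flipper["W2"] = 3.0 * flipper["W2"][:, [1, 0, 3, 2]]   # swapped, boosted classes
    clients += [backdoor, flipper]
    noise = rng.normal(0.0, 1.0, (N_NOISE, D_IN))          # server-side noise probes
    return base, clients, noise


if __name__ == "__main__":
    g, cs, probes = build_scenario()
    _, ok, bad, sc = filter_and_aggregate(g, cs, probes)
    for i, s in enumerate(sc):
        print(i, {k: round(v, 2) for k, v in s.items()}, "REJECT" if i in bad else "keep")
```

Two points of the design are worth keeping in mind. Scoring against the previous global model means the reference is only as clean as earlier rounds; this toy does not address the bootstrap round. And a linear reconstruction score on centred activations is invariant under negation of a layer (the residual of -v onto a subspace equals that of v), so an attacker who merely flips the sign of the output layer would not change the logits score here; a non-linear autoencoder, as the paper uses, does not have that blind spot by construction.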

Paper Structure

This paper contains 33 sections, 13 equations, 5 figures, 2 algorithms.

Figures (5)

  • Figure 1: Block diagram of FedNIA on the server. Dashed red lines indicate steps of the algorithm that should be undertaken once all steps specified with black solid lines are completed.
  • Figure 2: Performance of different aggregation techniques trained on benign data. 100 clients participated in the training process. $t$ denotes the FL iteration number.
  • Figure 3: Evaluation of aggregation mechanisms when the FL system is subjected to poisoning attacks. $\delta$ denotes the ratio of attackers to the total number of clients. Subplot (i) depicts the overall accuracy, averaged across all experiments. ASR (attack success rate) is converted to accuracy for this subplot.
  • Figure 4: Averaged runtime comparison between the proposed method and the baseline, FedAvg. The time is recorded for one FL training round and averaged for EMNIST and Fashion MNIST experiments.
  • Figure 5: Critical difference diagram obtained from the post-hoc Friedman test. The significance level ($\alpha$) is set to $0.05$.