Undermining Federated Learning Accuracy in EdgeIoT via Variational Graph Auto-Encoders

Kai Li, Shuyan Hu, Bochun Wu, Sai Zou, Wei Ni, Falko Dressler

TL;DR

The paper addresses the vulnerability of federated learning in EdgeIoT to data-independent model manipulation by introducing an adversarial graph auto-encoder (AV-GAE) that exploits structural relationships among benign local models to craft malicious updates. The AV-GAE framework reconstructs a graph over devices and their model parameters, enabling the attacker to generate a manipulated update $\omega_a$ that maximizes the global loss $F(\omega_g^a)$ while maintaining proximity to benign updates via $\|\omega_a-\omega_n\|_2 \le D_{\rm thresh}$. Empirical results on CIFAR-10 and FashionMNIST show substantial degradation of federated learning performance (e.g., accuracy fluctuations between 50% and 70–80%) and stealthy behavior, as manipulated updates stay close to benign/global models, hindering detection. The work highlights a new, graph-structure-based threat in EdgeIoT FL and motivates development of graph-feature anomaly detection and robust aggregation defenses to mitigate such attacks.
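From the aggregation server's side, the proximity constraint in the TL;DR means an update kept within $D_{\rm thresh}$ of the benign ones passes a plain Euclidean-distance check. The sketch below is an added example, not code from the paper: it uses constructed 3-dimensional updates, an assumed threshold of 0.5 and hypothetical function names to compare how far one such update moves a mean aggregate versus a coordinate-wise median. It illustrates the two aggregation rules only and does not measure either one against AV-GAE.

```python
import math
from statistics import median

def l2(a, b):
    """Euclidean distance between two flattened model updates."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def fedavg(updates):
    """Plain averaging: every update has equal pull on each coordinate."""
    return [sum(col) / len(col) for col in zip(*updates)]

def coordinate_median(updates):
    """Robust aggregate: per-coordinate median of the received updates."""
    return [median(col) for col in zip(*updates)]

def distance_filter(updates, reference, d_thresh):
    """Indices of updates farther than d_thresh from the reference model."""
    return [i for i, u in enumerate(updates) if l2(u, reference) > d_thresh]

# Constructed sample data (not from the paper): five benign updates and one
# update shifted in a consistent direction but kept inside the threshold.
BENIGN = [
    [0.10, -0.20, 0.30],
    [0.12, -0.18, 0.28],
    [0.08, -0.22, 0.31],
    [0.11, -0.21, 0.29],
    [0.09, -0.19, 0.32],
]
SUSPECT = [0.35, 0.05, 0.05]
D_THRESH = 0.5  # assumed value for illustration

def run_round():
    received = BENIGN + [SUSPECT]
    reference = coordinate_median(received)
    clean = fedavg(BENIGN)  # aggregate the server would have had otherwise
    return {
        "flagged": distance_filter(received, reference, D_THRESH),
        "mean_shift": l2(fedavg(received), clean),
        "median_shift": l2(coordinate_median(received), clean),
    }

if __name__ == "__main__":
    print(run_round())
```

On this data the distance filter flags nothing, while the median aggregate moves roughly an eighth as far as the mean does.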

Abstract

EdgeIoT represents an approach that brings together mobile edge computing with Internet of Things (IoT) devices, allowing for data processing close to the data source. Sending source data to a server is bandwidth-intensive and may compromise privacy. Instead, federated learning allows each device to upload a shared machine-learning model update with locally processed data. However, this technique, which depends on aggregating model updates from various IoT devices, is vulnerable to attacks from malicious entities that may inject harmful data into the learning process. This paper introduces a new attack method targeting federated learning in EdgeIoT, known as data-independent model manipulation attack. This attack does not rely on training data from the IoT devices but instead uses an adversarial variational graph auto-encoder (AV-GAE) to create malicious model updates by analyzing benign model updates intercepted during communication. AV-GAE identifies and exploits structural relationships between benign models and their training data features. By manipulating these structural correlations, the attack maximizes the training loss of the federated learning system, compromising its overall effectiveness.

Paper Structure

This paper contains 9 sections, 5 equations, 6 figures, 1 algorithm.

Figures (6)

  • Figure 1: Federated learning-enabled EdgeIoT involves IoT devices equipped with sensors and computational units that process data locally.
  • Figure 2: Generating manipulated local models from the AV-GAE-based attack.
  • Figure 3: The testing accuracy with CIFAR-10.
  • Figure 4: The testing accuracy with FashionMNIST.
  • Figure 5: The Euclidean distances under the AV-GAE attack, where three malicious devices are denoted by "Atker 1", "Atker 2", and "Atker 3", respectively.
  • ...and 1 more figure