AntiFLipper: A Secure and Efficient Defense Against Label-Flipping Attacks in Federated Learning

Aashnan Rahman, Abid Hasan, Sherajul Arifin, Faisal Haque Bappy, Tahrim Hossain, Tariqul Islam, Abu Raihan Mostofa Kamal, Md. Azam Hossain

TL;DR

AntiFLipper tackles label-flipping attacks in federated learning by decentralizing detection and using a trust-based weighted aggregation that shifts computation to clients. It combines local accuracy evaluation, dynamic trust inference, behavior profiling, anomaly-guided filtering, and weighted aggregation to detect and exclude malicious participants with minimal server burden. The approach achieves accuracy comparable to state-of-the-art defenses while significantly reducing aggregation time and maintaining robustness under non-IID distributions and dynamic attack scenarios. This has practical significance for privacy-preserving FL in resource-constrained environments, enabling scalable, secure collaboration without centralized data access or heavy server-side computation.

Abstract

Federated learning (FL) enables privacy-preserving model training by keeping data decentralized. However, it remains vulnerable to label-flipping attacks, where malicious clients manipulate labels to poison the global model. Despite their simplicity, these attacks can severely degrade model performance, and defending against them remains challenging. We introduce AntiFLipper, a novel and computationally efficient defense against multi-class label-flipping attacks in FL. Unlike existing methods that ensure security at the cost of high computational overhead, AntiFLipper employs a novel client-side detection strategy, significantly reducing the central server's burden during aggregation. Comprehensive empirical evaluations across multiple datasets under different distributions demonstrate that AntiFLipper achieves accuracy comparable to state-of-the-art defenses while requiring substantially fewer computational resources on the server side. By balancing security and efficiency, AntiFLipper addresses a critical gap in existing defenses, making it particularly suitable for resource-constrained FL deployments where both model integrity and operational efficiency are essential.
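
The TL;DR names a pipeline of local accuracy evaluation, dynamic trust inference, anomaly-guided filtering and weighted aggregation. The sketch below is an added illustration of that general pattern, not the paper's algorithm or code: the moving-average trust update, the median-based cutoff, and all client names and numbers are assumptions constructed for the example.

```python
# Added illustration, not the paper's algorithm: the EMA trust rule, the
# median/MAD cutoff and every number below are assumptions for this sketch.
from statistics import median

def update_trust(trust, accuracy, alpha=0.5):
    """Dynamic trust: blend prior trust with this round's measured accuracy."""
    return {c: (1 - alpha) * trust.get(c, 0.5) + alpha * a
            for c, a in accuracy.items()}

def filter_anomalies(trust, k=3.0, floor=0.02):
    """Keep clients whose trust is not more than k MADs below the median."""
    med = median(trust.values())
    mad = max(median(abs(t - med) for t in trust.values()), floor)
    return {c: t for c, t in trust.items() if t >= med - k * mad}

def aggregate(updates, weights):
    """Trust-weighted average of the surviving clients' update vectors."""
    total = sum(weights.values())
    dim = len(next(iter(updates.values())))
    return [sum(w * updates[c][i] for c, w in weights.items()) / total
            for i in range(dim)]

def run_round(updates, peer_reports, trust):
    """peer_reports[c]: accuracies other clients measured for c's update
    on their own local data, so the server does no model evaluation."""
    accuracy = {c: sum(r) / len(r) for c, r in peer_reports.items()}
    trust = update_trust(trust, accuracy)
    kept = filter_anomalies(trust)
    return aggregate(updates, kept), trust, kept

# Constructed sample round: c4 trained on flipped labels.
UPDATES = {"c0": [1.0, 2.0], "c1": [1.1, 1.9], "c2": [0.9, 2.1],
           "c3": [1.0, 2.0], "c4": [-4.0, -8.0]}
PEER_REPORTS = {"c0": [0.91, 0.89], "c1": [0.88, 0.88], "c2": [0.93, 0.91],
                "c3": [0.90, 0.90], "c4": [0.22, 0.18]}

def demo():
    agg, trust, kept = run_round(UPDATES, PEER_REPORTS, {})
    plain = [sum(u[i] for u in UPDATES.values()) / len(UPDATES) for i in range(2)]
    return agg, plain, trust, kept

if __name__ == "__main__":
    agg, plain, trust, kept = demo()
    print("kept:", sorted(kept), "weighted:", agg, "plain mean:", plain)
```

In this constructed round the unweighted mean is pulled to roughly zero by the single poisoned update, while the filtered, trust-weighted result stays close to the honest clients' updates.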

Paper Structure

This paper contains 22 sections, 1 equation, 2 figures, 2 tables, 2 algorithms.

Figures (2)

  • Figure 1: System Workflow of AntiFLipper
  • Figure 2: Average Client Trust Over First 25 Rounds