Graph Representation-based Model Poisoning on the Heterogeneous Internet of Agents

Hanlin Cai, Houtianfu Wang, Haofan Dong, Kai Li, Ozgur B. Akan

TL;DR

This work investigates the vulnerability of a federated-learning-enabled Internet of Agents (IoA) to model-poisoning attacks that leverage higher-order dependencies among benign updates. It introduces GRMP, a graph representation-based attack that learns a latent parameter-correlation graph via a variational graph autoencoder and generates adversarial local models that mimic benign statistics while steering the global model. In experiments on AG News with DistilBERT across 20 rounds, GRMP achieves about 62% attack success while preserving global accuracy around 82%, and it maintains similarity patterns that evade the dynamic DiSim-defense thresholds. The findings highlight a critical resilience gap in IoA and motivate graph-aware secure aggregation and evaluation protocols that account for higher-order dependencies among updates.

Abstract

Internet of Agents (IoA) envisions a unified, agent-centric paradigm where heterogeneous large language model (LLM) agents can interconnect and collaborate at scale. Within this paradigm, federated learning (FL) serves as a key enabler that allows distributed LLM agents to co-train global models without centralizing data. However, the FL-enabled IoA system remains vulnerable to model poisoning attacks, and the prevailing distance- and similarity-based defenses become fragile at billion-parameter scale and under heterogeneous data distributions. This paper proposes a graph representation-based model poisoning (GRMP) attack, which passively exploits observed benign local models to construct a parameter correlation graph and extends an adversarial variational graph autoencoder to capture and reshape higher-order dependencies. The GRMP attack synthesizes malicious local models that preserve benign-like statistics while embedding adversarial objectives, remaining elusive to detection at the server. Experiments demonstrate a gradual drop in system accuracy under the proposed attack and the ineffectiveness of the prevailing defense mechanism in detecting it, underscoring a severe threat to the ambitious IoA paradigm.

Paper Structure

This paper contains 11 sections, 14 equations, 6 figures, 1 algorithm.

Figures (6)

  • Figure 1: (a) Training process of the FL-enabled IoA system, and (b) impact of the GRMP attack on the IoA training cycle.
  • Figure 2: Framework of the proposed GRMP attack.
  • Figure 3: Impact of the GRMP attack on global model learning accuracy and the attack success rate (ASR) over 20 communication rounds ($\times$10 times).
  • Figure 4: Temporal evolution of cosine similarity for each LLM agent with dynamic detection threshold over 20 communication rounds.
  • Figure 5: Learning accuracy of local LLM agents with no attack over 20 communication rounds.
  • ...and 1 more figure