
DEFEND: Poisoned Model Detection and Malicious Client Exclusion Mechanism for Secure Federated Learning-based Road Condition Classification

Sheng Liu, Panos Papadimitratos

TL;DR

This work tackles the vulnerability of federated learning for road condition classification (RCC) to targeted label-flipping attacks by introducing DEFEND, a defense that detects poisoned updates through neuron-wise magnitude analysis of the output layer and clusters the affected parameter changes with a Gaussian Mixture Model. It then validates the global model using Source Recall and Attack Success Rate thresholds and enforces adaptive client exclusion based on per-client ratings. Extensive experiments across multiple RCC tasks and neural architectures demonstrate that DEFEND not only thwarts TLFAs but also matches or surpasses attack-free performance, outperforming seven baselines by notable margins. The approach offers a practical, scalable security primitive for ITS deployments that rely on privacy-preserving, federated-learning-based cooperative RCC.

Abstract

Federated Learning (FL) has drawn the attention of the Intelligent Transportation Systems (ITS) community. FL can train various models for ITS tasks, notably camera-based Road Condition Classification (RCC), in a privacy-preserving collaborative way. However, opening up to collaboration also opens FL-based RCC systems to adversaries, i.e., misbehaving participants that can launch Targeted Label-Flipping Attacks (TLFAs) and threaten transportation safety. Adversaries mounting TLFAs poison training data to misguide model predictions, from an actual source class (e.g., wet road) to a wrongly perceived target class (e.g., dry road). Existing countermeasures against poisoning attacks cannot maintain model performance under TLFAs close to the performance level in attack-free scenarios, because they lack model misbehavior detection specific to TLFAs and neglect client exclusion after detection. To close this research gap, we propose DEFEND, which includes a poisoned model detection strategy that leverages neuron-wise magnitude analysis for attack goal identification and Gaussian Mixture Model (GMM)-based clustering. DEFEND discards poisoned model contributions in each round and adapts client ratings accordingly, eventually excluding malicious clients. Extensive evaluation involving various FL-RCC models and tasks shows that DEFEND can thwart TLFAs and outperform seven baseline countermeasures, with at least 15.78% improvement, with DEFEND remarkably achieving the same performance under attack as in attack-free scenarios.
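The detection pipeline the abstract describes (neuron-wise magnitude of each output-layer neuron's change, GMM clustering on the source/target neurons, rating-based client exclusion), as an added illustrative example in Python; this is not DEFEND's code and not from the paper. The client updates are constructed, and the choice of the two largest-change neurons as source/target, the rule that the higher-mean cluster is the poisoned one, and the rating penalty and exclusion limit are all assumptions made here.

```python
import math, random
CLASSES = ["dry", "wet", "snow"]   # constructed 3-class RCC output layer
SRC, TGT, DIM = 1, 0, 8            # constructed TLFA: wet (source) -> dry (target)

def make_updates(n_benign=6, n_malicious=2, seed=7):
    """Constructed output-layer deltas: per client, one weight row per output neuron."""
    rng = random.Random(seed); ups = []
    for i in range(n_benign + n_malicious):
        rows = [[rng.gauss(0, 0.05) for _ in range(DIM)] for _ in CLASSES]
        if i >= n_benign:  # poisoned client: large shift on source and target rows only
            for n in (SRC, TGT):
                rows[n] = [v + rng.choice([-0.6, 0.6]) for v in rows[n]]
        ups.append(rows)
    return ups

def neuron_magnitudes(update):
    """Neuron-wise feature: L2 norm of each output neuron's weight change."""
    return [math.sqrt(sum(v * v for v in row)) for row in update]

def identify_neurons(updates):
    """Assumption: the two neurons changed most across all clients are source and target."""
    total = [sum(m) for m in zip(*(neuron_magnitudes(u) for u in updates))]
    return sorted(range(len(total)), key=lambda n: -total[n])[:2]

def gmm_1d(xs, iters=60):
    """Two-component 1-D Gaussian mixture fitted by EM; returns (labels, means)."""
    mu, var, pi = [min(xs), max(xs)], [0.1, 0.1], [0.5, 0.5]
    for _ in range(iters):
        resp = []
        for x in xs:  # E-step: responsibility of each component for x
            p = [pi[k] / math.sqrt(2 * math.pi * var[k]) * math.exp(-(x - mu[k]) ** 2 / (2 * var[k]))
                 for k in range(2)]
            s = sum(p) or 1e-300
            resp.append([v / s for v in p])
        for k in range(2):  # M-step: re-estimate weight, mean and variance
            nk = sum(r[k] for r in resp) + 1e-12
            mu[k] = sum(r[k] * x for r, x in zip(resp, xs)) / nk
            var[k] = max(sum(r[k] * (x - mu[k]) ** 2 for r, x in zip(resp, xs)) / nk, 1e-6)
            pi[k] = nk / len(xs)
    return [r.index(max(r)) for r in resp], mu

def detect_poisoned(updates):
    """Cluster clients on source+target magnitude; assumption: higher-mean cluster is poisoned."""
    src, tgt = identify_neurons(updates)
    feats = [sum(neuron_magnitudes(u)[n] for n in (src, tgt)) for u in updates]
    labels, mu = gmm_1d(feats)
    return [i for i, l in enumerate(labels) if l == mu.index(max(mu))]

def update_ratings(ratings, flagged, penalty=1, limit=-2):
    """Assumption: flagged clients lose `penalty` per round; below `limit` they are excluded."""
    for i in flagged:
        ratings[i] -= penalty
    return [i for i, r in enumerate(ratings) if r < limit]
```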

Paper Structure

This paper contains 13 sections, 5 equations, 10 figures, 3 tables, 1 algorithm.

Figures (10)

  • Figure 1: Illustration of TLFAs in FL-RCC. (A) Training Phase: Adversaries deliberately mislabel their data; their local models are poisoned after local training, and the global model is poisoned after global aggregation. (B) Inference Phase: Vehicles equipped with the learned model would predict wrong road conditions that threaten transportation safety.
  • Figure 2: Workflow of DEFEND in round $t$. Steps (1) and (3) extract features and are executed in parallel for each local model. Step (2) identifies source and target neurons in TLFAs. Steps (4)-(6) execute the local model filtering, malicious client exclusion, and global model validation, respectively. Note that output layer parameters are marked in blue, while source and target neuron parameters are marked in red.
  • Figure 3: Comparison between malicious and benign updates based on three kinds of features: (A) whole model parameters, (B) output layer parameters, and (C) neuron-wise parameters (with two more distinctive clusters).
  • Figure 4: Image examples of the RSCD dataset.
  • Figure 5: Confusion matrices of DEFEND with ResNet-18 in three RCC tasks.
  • ...and 5 more figures