FedTrident: Resilient Road Condition Classification Against Poisoning Attacks in Federated Learning

Sheng Liu, Panos Papadimitratos

Abstract

Federated Learning (FL) has emerged as a transformative paradigm for Intelligent Transportation Systems (ITS), notably camera-based Road Condition Classification (RCC). However, by enabling collaboration, FL-based RCC exposes the system to adversarial participants launching Targeted Label-Flipping Attacks (TLFAs). Malicious clients (vehicles) can relabel their local training data (e.g., from an actual uneven road to a wrong smooth road), consequently compromising global model predictions and jeopardizing transportation safety. Existing countermeasures against such poisoning attacks fail to maintain resilient model performance near the necessary attack-free levels in various attack scenarios due to: 1) not tailoring poisoned local model detection to TLFAs, 2) not excluding malicious vehicular clients based on historical behavior, and 3) not remedying the already-corrupted global model after exclusion. To close this research gap, we propose FedTrident, which introduces: 1) neuron-wise analysis for local model misbehavior detection (notably including attack goal identification, critical feature extraction, and Gaussian Mixture Model (GMM)-based model clustering and filtering); 2) adaptive client rating for client exclusion according to the local model detection results in each FL round; and 3) machine unlearning for corrupted global model remediation once malicious clients are excluded during FL. Extensive evaluation across diverse FL-RCC models, tasks, and configurations demonstrates that FedTrident can effectively thwart TLFAs, achieving performance comparable to that in attack-free scenarios and outperforming eight baseline countermeasures by 9.49% and 4.47% for the two most critical metrics. Moreover, FedTrident is resilient to various malicious client rates, data heterogeneity levels, complicated multi-task, and dynamic attacks.

Paper Structure (33 sections, 14 equations, 9 figures, 9 tables, 1 algorithm)

Figures (9)

  • Figure 1: Illustration of TLFAs in FL-RCC systems. (A) Training Phase: Malicious clients deliberately mislabel their data, e.g., from uneven to smooth; thus, their local models are poisoned after local training, and the global model is also poisoned after global aggregation. (B) Inference Phase: Vehicles equipped with the learned model would predict wrong road conditions that threaten transportation safety, e.g., consider actual uneven roads as smooth.
  • Figure 2: Overview of FedTrident in FL round $t$: (1) poisoned local model detection based on neuron-wise analysis, (2) malicious vehicular client exclusion based on adaptive rating, and (3) corrupted global model remediation based on machine unlearning.
  • Figure 3: Comparison of poisoned and benign models based on three kinds of features: (A) whole model parameters, (B) output layer parameters, and (C) neuron-wise parameters (with two more distinctive clusters).
  • Figure 4: Workflow of poisoned local model detection in round $t$. Steps (1) and (4) extract neuron-wise features and are executed in parallel for each local model. Steps (2) and (3) identify source and target neurons in TLFAs. Step (5) executes the local model clustering based on GMM. Output layer parameters are marked in blue, while identified source and target neuron parameters are marked in red.
  • Figure 5: Image examples of RSCD dataset: (A) Friction level, (B) Material level, and (C) Unevenness level.
  • ...and 4 more figures