Fighting Back Against Attacks in Federated Learning

Federated Learning (FL) is reshaping how AI models are trained. Instead of gathering data in one central place, each device trains locally and only shares model updates. This approach protects privacy and allows AI to run closer to where data is generated.

But spreading computation and data across many devices also opens the door to new threats. Malicious participants can influence training by manipulating their contributions, leading to biased results, hidden backdoors, or performance degradation.

A Technical Perspective on Threats

In FL, these threats often appear as:

  • Data poisoning: Clients inject corrupted or mislabeled training examples.
  • Model poisoning: Attackers alter weight updates to subtly bias the global model.

These attacks are especially tricky when the data across clients is non-IID, imbalanced, or when attackers join the training process late—scenarios that reflect real-world federations. Common defences like Multi-KRUM, Trimmed Mean, or Divide and Conquer help, but they can fail under these complex conditions.

Building a Multi-Node Simulator

To investigate defences, researchers developed a multi-node attack simulator built on the FEDn framework. It allows scaled, reproducible testing of different attack and defence strategies with hundreds or even thousands of simulated clients.

Key capabilities include:

  • Realistic client settings with IID or non-IID data splits.
  • Injection of common poisoning attacks such as Label Flipping and Little is Enough.
  • Integrated aggregation strategies for benchmarking (FedAvg, TrMean, Multi-KRUM, Divide and Conquer).
  • Flexible scaling, where all parameters can be controlled from a single configuration file.

The simulator is open-source and available for testing by both researchers and industry.

Defensive Strategies Evaluated

The study compared several aggregation rules:

  • FedAvg: Baseline averaging, highly vulnerable.
  • Trimmed Mean: Removes extreme parameter values, but can miss subtle manipulations.
  • Multi-KRUM: Selects the most “similar” updates, but struggles with data heterogeneity.
  • EE-Trimmed Mean (EE-TrMean): A new epsilon-greedy strategy that balances exploration of all clients with exploitation of trustworthy ones.
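To make the difference between these rules concrete, here is an added example (not code from the post or from the FEDn simulator) that runs FedAvg, coordinate-wise Trimmed Mean and Multi-Krum over a few constructed two-parameter client updates, one of which is a large model-poisoning update; the Multi-Krum scoring follows the usual Blanchard et al. formulation, which is an assumption about the variant the study used.

```python
# Added example: three aggregation rules over constructed client updates.
# Not the post's or FEDn's code; Multi-Krum scoring is assumed to follow Blanchard et al.
from typing import List

Vector = List[float]


def fedavg(updates: List[Vector]) -> Vector:
    """Baseline: plain coordinate-wise mean of every client update."""
    n = len(updates)
    return [sum(u[i] for u in updates) / n for i in range(len(updates[0]))]


def trimmed_mean(updates: List[Vector], beta: int) -> Vector:
    """Per coordinate, drop the beta largest and beta smallest values, average the rest."""
    n = len(updates)
    assert 2 * beta < n, "must keep at least one value per coordinate"
    out = []
    for i in range(len(updates[0])):
        kept = sorted(u[i] for u in updates)[beta : n - beta]
        out.append(sum(kept) / len(kept))
    return out


def krum_select(updates: List[Vector], f: int, m: int) -> List[int]:
    """Score each update by the summed squared distance to its n-f-2 nearest
    neighbours and return the indices of the m lowest-scoring (most 'similar') updates."""
    n = len(updates)
    k = n - f - 2
    assert k >= 1 and m <= n, "need n > f + 2 and m <= n"
    sq_dist = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b))
    scores = [sum(sorted(sq_dist(u, v) for j, v in enumerate(updates) if j != i)[:k])
              for i, u in enumerate(updates)]
    return sorted(range(n), key=lambda i: scores[i])[:m]


def multi_krum(updates: List[Vector], f: int, m: int) -> Vector:
    """Multi-Krum: average the m updates selected by krum_select."""
    return fedavg([updates[i] for i in krum_select(updates, f, m)])


# Constructed updates: five honest clients cluster near (1.0, -0.5); one poisoned
# client (index 5) submits a huge update to drag the global model its way.
HONEST = [[1.0, -0.5], [1.1, -0.4], [0.9, -0.6], [1.0, -0.55], [1.05, -0.45]]
UPDATES = HONEST + [[20.0, 30.0]]


def run() -> dict:
    return {"fedavg": fedavg(UPDATES),
            "trmean": trimmed_mean(UPDATES, beta=1),
            "multikrum": multi_krum(UPDATES, f=1, m=3)}


if __name__ == "__main__":
    for name, agg in run().items():
        print(f"{name:10s} {[round(x, 3) for x in agg]}")
```

FedAvg is pulled far from the honest cluster by the single poisoned client, while both robust rules stay close to it; a subtler attacker who keeps each coordinate inside the honest range (the case the post warns about) would pass Trimmed Mean's per-coordinate filter unchanged.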

Experimental Insights

Across 180 experiments, results highlighted that static aggregation rules were often insufficient. In heterogeneous or imbalanced client setups, malicious updates could slip through, especially if attackers joined later in training.

EE-TrMean, however, adapted dynamically—scoring clients based on past reliability, selectively excluding low-quality updates, and occasionally re-testing others. This allowed it to reduce the impact of adversaries while keeping the model stable and accurate.

Why Adaptivity Matters

FL systems are complex, with clients joining and exiting, and data rarely being uniform. Static rules fail to account for this fluid reality. Adaptive strategies like EE-TrMean provide resilience not only to intended attacks but also to unintentional disruptions from faulty devices or misconfigured clients.

Conclusion

As federated learning scales to fleets of devices and real-world deployments, building adaptive defences becomes critical. Tools like the multi-node simulator and strategies such as EE-TrMean mark a step toward more secure, attack-resilient FL systems.

This article by Salman Toor and Sigvard Dackevall is an excerpt from the post "Fighting Back Against Attacks in Federated Learning" published on Towards Data Science.