Defending Federated Learning from Collaborative Poisoning Attacks: A Clique-Based Detection Framework
Abstract
1. Introduction
2. Related Work
3. Proposed Approach
3.1. Overview of the Detection Pipeline
- Local Training and Weight Collection: In each communication round, all clients independently train a local model and submit their updated weights to the central server.
- Pairwise Similarity Calculation: The central server computes the Euclidean distance between the final-layer weight updates of every pair of clients, quantifying their similarity.
- Top-K Similarity Tracking: For each client, the K most similar clients (i.e., with the smallest distance values) are identified and recorded in every round.
- Closeness Counter Construction: A matrix is maintained to count how frequently each pair of clients appears in each other’s top-K lists across all rounds, forming the basis for assessing persistent coordination.
- Threshold-Based Suspicion Marking: Clients that exceed a predefined coordination threshold based on their accumulated counts are flagged as potentially malicious.
- Graph Construction and Clique Detection: A graph is constructed in which each node represents a suspicious client, and edges indicate strong coordination. Clique detection is then applied to uncover tightly knit groups of potentially colluding clients.
- Adaptive Thresholding Based on Clique Size: To improve robustness, the threshold for confirming malicious behavior is adjusted dynamically based on the size of each detected clique. This prevents the misclassification of small random patterns as malicious while increasing sensitivity to larger coordinated groups.
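The pipeline steps above can be traced end to end in a short sketch. This is an added example, not the authors' implementation: the `floor`, `base` and `relax` parameters, the exact form of the adaptive rule, and the constructed sample data are assumptions, and each vector stands in for a client's final-layer weight update.

```python
import itertools, math, random

def topk_sets(updates, k):
    """Per client: the k other clients at the smallest Euclidean distance."""
    ids = range(len(updates))
    return [set(sorted((j for j in ids if j != i),
                       key=lambda j: math.dist(updates[i], updates[j]))[:k])
            for i in ids]

def closeness_counts(rounds, k):
    """counts[i][j]: rounds in which i and j sat in each other's top-k list."""
    n = len(rounds[0])
    counts = [[0] * n for _ in range(n)]
    for updates in rounds:
        top = topk_sets(updates, k)
        for i, j in itertools.combinations(range(n), 2):
            if j in top[i] and i in top[j]:
                counts[i][j] += 1
                counts[j][i] += 1
    return counts

def maximal_cliques(adj):
    """Bron-Kerbosch (no pivoting) over adj: node -> set of neighbours."""
    found = []
    def expand(r, p, x):
        if not p and not x:
            found.append(r)
        for v in list(p):
            expand(r | {v}, p & adj[v], x & adj[v])
            p, x = p - {v}, x | {v}
    expand(set(), set(adj), set())
    return found

def detect(rounds, k, floor=0.5, base=0.8, relax=0.05):
    """Assumed adaptive rule (not the paper's): bigger cliques need fewer hits."""
    counts, t = closeness_counts(rounds, k), len(rounds)
    ids = range(len(counts))
    adj = {i: {j for j in ids if j != i and counts[i][j] >= floor * t} for i in ids}
    adj = {i: nb for i, nb in adj.items() if nb}  # suspicious clients only
    flagged = set()
    for c in maximal_cliques(adj):
        need = max(floor, base - relax * (len(c) - 2)) * t
        if all(counts[i][j] >= need for i, j in itertools.combinations(c, 2)):
            flagged |= c
    return flagged

def constructed_rounds(n_rounds=30, honest=12, malicious=3, dim=8, seed=7):
    """Constructed data: clients 0..malicious-1 share one poisoned direction."""
    rng = random.Random(seed)
    noise = lambda s: [rng.gauss(0, s) for _ in range(dim)]
    return [[[5.0 + e for e in noise(0.01)] for _ in range(malicious)] +
            [noise(1.0) for _ in range(honest)] for _ in range(n_rounds)]
```

Calling `detect(constructed_rounds(), k=4)` flags the three synchronized clients, while honest pairs that land in each other's top-K lists by chance stay below the stricter threshold applied to small cliques.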
3.2. Datasets and Experimental Setup
3.3. Detecting Malicious Clients
Algorithm 1 CBDF: Detect Synchronized Malicious Clients
4. Results
4.1. Performance Evaluation
4.2. Statistical Significance Test
5. Discussion
6. Conclusions and Future Work
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Layer | Input Size | Neurons | Activation | Parameters |
---|---|---|---|---|
Input Layer | 12 | | | |
Hidden Layer 1 | | 32 | ReLU | 12 × 32 + 32 = 416 |
Hidden Layer 2 | | 16 | ReLU | 32 × 16 + 16 = 528 |
Hidden Layer 3 | | 8 | ReLU | 16 × 8 + 8 = 136 |
Output Layer | | 1 | Sigmoid | 8 × 1 + 1 = 9 |
Total | | | | 1089 |

K | Malicious Clients | Accuracy | Precision | Recall | F1-Score |
---|---|---|---|---|---|
4 | 3 | 0.87 | 0.43 | 1.00 | 0.60 |
5 | 3 | 0.93 | 0.60 | 1.00 | 0.75 |
6 | 3 | 0.93 | 0.60 | 1.00 | 0.75 |
7 | 3 | 0.86 | 0.43 | 1.00 | 0.60 |
8 | 3 | 0.93 | 0.60 | 1.00 | 0.75 |
4 | 4 | 0.96 | 0.80 | 1.00 | 0.89 |
5 | 4 | 0.87 | 0.50 | 1.00 | 0.67 |
6 | 4 | 0.87 | 0.50 | 1.00 | 0.67 |
7 | 4 | 0.77 | 0.36 | 1.00 | 0.53 |
8 | 4 | 0.73 | 0.33 | 1.00 | 0.50 |
4 | 5 | 1.00 | 1.00 | 1.00 | 1.00 |
5 | 5 | 0.86 | 0.55 | 1.00 | 0.71 |
6 | 5 | 0.80 | 0.45 | 1.00 | 0.63 |
7 | 5 | 0.80 | 0.45 | 1.00 | 0.63 |
8 | 5 | 0.80 | 0.45 | 1.00 | 0.63 |
4 | 6 | 0.97 | 1.00 | 0.83 | 0.90 |
5 | 6 | 1.00 | 1.00 | 1.00 | 1.00 |
6 | 6 | 0.90 | 0.67 | 1.00 | 0.80 |
7 | 6 | 0.93 | 0.75 | 1.00 | 0.86 |
8 | 6 | 0.66 | 0.38 | 1.00 | 0.55 |
4 | 7 | 0.77 | 0.50 | 0.29 | 0.37 |
5 | 7 | 1.00 | 1.00 | 1.00 | 1.00 |
6 | 7 | 1.00 | 1.00 | 1.00 | 1.00 |
7 | 7 | 0.77 | 0.50 | 1.00 | 0.67 |
8 | 7 | 0.60 | 0.37 | 1.00 | 0.54 |

K | Malicious Clients | Accuracy | Precision | Recall | F1-Score |
---|---|---|---|---|---|
4 | 3 | 1.00 | 1.00 | 1.00 | 1.00 |
5 | 3 | 1.00 | 1.00 | 1.00 | 1.00 |
6 | 3 | 0.90 | 0.50 | 1.00 | 0.67 |
7 | 3 | 0.93 | 0.60 | 1.00 | 0.75 |
8 | 3 | 0.93 | 0.60 | 1.00 | 0.75 |
4 | 4 | 1.00 | 1.00 | 1.00 | 1.00 |
5 | 4 | 1.00 | 1.00 | 1.00 | 1.00 |
6 | 4 | 1.00 | 1.00 | 1.00 | 1.00 |
7 | 4 | 1.00 | 1.00 | 1.00 | 1.00 |
8 | 4 | 1.00 | 1.00 | 1.00 | 1.00 |
4 | 5 | 0.90 | 1.00 | 0.40 | 0.57 |
5 | 5 | 1.00 | 1.00 | 1.00 | 1.00 |
6 | 5 | 1.00 | 1.00 | 1.00 | 1.00 |
7 | 5 | 1.00 | 1.00 | 1.00 | 1.00 |
8 | 5 | 0.86 | 0.56 | 1.00 | 0.71 |
4 | 6 | 0.90 | 1.00 | 0.50 | 0.67 |
5 | 6 | 0.93 | 0.75 | 1.00 | 0.86 |
6 | 6 | 0.90 | 1.00 | 0.50 | 0.67 |
7 | 6 | 1.00 | 1.00 | 1.00 | 1.00 |
8 | 6 | 0.83 | 0.55 | 1.00 | 0.70 |
4 | 7 | 0.87 | 0.71 | 0.71 | 0.71 |
5 | 7 | 1.00 | 1.00 | 1.00 | 1.00 |
6 | 7 | 1.00 | 1.00 | 1.00 | 1.00 |
7 | 7 | 1.00 | 1.00 | 1.00 | 1.00 |
8 | 7 | 0.93 | 0.78 | 1.00 | 0.86 |

Method | Accuracy | Precision | Recall | F1-Score |
---|---|---|---|---|
FLPD | 0.87 | 0.67 | 0.87 | 0.76 |
MCDFL | 0.90 | 0.83 | 0.71 | 0.76 |
CBDF | 0.91 | 0.76 | 0.95 | 0.84 |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Anastasiadis, D.; Refanidis, I. Defending Federated Learning from Collaborative Poisoning Attacks: A Clique-Based Detection Framework. Electronics 2025, 14, 2011. https://doi.org/10.3390/electronics14102011