LayerGuard: Poisoning-Resilient Federated Learning via Layer-Wise Similarity Analysis

Download PDF

Kaiqi Wang, Jiangang Shu, Qingfeng Tan, Bo Hu

11 May 2025 (modified: 29 Oct 2025)Submitted to NeurIPS 2025EveryoneRevisionsBibTeXCC BY-ND 4.0
Keywords: Federated Learning; Security; Model Poisoning Attacks; Robust Aggregation
TL;DR: A new FL defense achieves state-of-the-art robustness against advanced model poisoning attacks and effectively counters the emerging threat of Targeted Layer Poisoning (TLP) attacks.
Abstract: In recent years, model poisoning attacks have gradually evolved from conventional global parameter manipulations to more stealthy and strategic Targeted Layer Poisoning (TLP) attacks.These attacks achieve high attack success rates by selectively poisoning only a subset of layers. However, most existing defenses rely on evaluation of the entire network and are thus ineffective against TLP attacks, posing new challenges to the security of Federated Learning (FL).In this paper, we propose \textbf{LayerGuard}, a comprehensive defense framework featuring dynamic detection and adaptive aggregation to protect FL against advanced model poisoning attacks. Diverging from traditional methods that analyze the entire network collectively, \textbf{LayerGuard} performs layer-wise similarity analysis to detect anomalous clients and adaptively identifies layers under attack based on the clustering behavior of malicious updates, facilitating more precise threat detection. Building on this, we introduce a joint weighting mechanism in the aggregation process, which evaluates each client's credibility at the layer level from two complementary informational dimensions: inter-layer and intra-layer, balancing attack mitigation and benign contribution retention. Extensive experiments across various datasets and model architectures demonstrate that \textbf{LayerGuard} successfully reduces the average attack success rate of TLP attacks to around 5\%. Moreover, when confronted with other advanced model poisoning attacks, \textbf{LayerGuard} consistently maintains global model accuracy—even under high poisoning rates and severe non-IID conditions—comparable to that of FedAvg under no-attack settings, marking a significant improvement over existing defenses.
Supplementary Material: zip
Primary Area: Social and economic aspects of machine learning (e.g., fairness, interpretability, human-AI interaction, privacy, safety, strategic behavior)
Submission Number: 22914