DMPA: Durable Model Poisoning Attack Against Fairness and Robustness in Efficient Federated Learning Systems
Abstract: Federated Learning (FL) systems are increasingly deployed across multiple clients to efficiently train a shared model over local data, thereby addressing data silos and reducing communication. However, FL systems are known to be susceptible to model poisoning attacks by malicious clients, who aim to degrade the global model's accuracy by sending corrupted updates to the central server. Such attacks can also exacerbate the local accuracy discrepancy among clients, referred to as performance fairness, which is one of the major concerns of trustworthy FL systems. This paper proposes a novel attack framework called Durable Model Poisoning Attack (DMPA), targeting both the fairness and the robustness of efficient FL systems. To implement DMPA, we design the over-unlearning strategy, which enables the adversary to generate poisoned updates that compromise the performance of some of the clients. Furthermore, we develop a dual projection mechanism to improve the durability of model poisoning attacks. Extensive experiments demonstrate that DMPA is powerful and effective even against robust aggregation rules. In particular, DMPA achieves on average a $7.6\times$ higher reduction in accuracy while decreasing performance fairness by $3.0\times$ compared with baselines. The experiments also indicate that DMPA extends the durability of attack impacts over baselines by $8.5\times$. In addition, experiments in efficient FL systems disclose their vulnerability.
External IDs: doi:10.1109/tdsc.2026.3657365