Abstract: Federated learning has emerged as a promising paradigm for privacy-preserving multi-source data fusion. However, its distributed nature makes it vulnerable to poisoning attacks: malicious clients inject poisoned noise into their local models, severely degrading the global model’s performance. While existing defense mechanisms attempt to mitigate these threats, they often overlook a critical vulnerability: historical knowledge can reveal clients’ training trajectories or data distributions, providing adversaries with new opportunities for attack. At the same time, historical knowledge also serves as a tool for detecting and neutralizing malicious activity. In this paper, we address this challenge by proposing a novel attack method and a robust defense framework. First, we propose HisMSA, a stealthy, untargeted model poisoning attack based on historical information perception. HisMSA requires only a few compromised clients to significantly degrade global model accuracy while evading existing defenses. Second, we present DynHisFL, a versatile defense framework that enhances the global model’s robustness by identifying and filtering poisoned models through the analysis of divergence in historical model distributions, making it adaptable to various untargeted attacks. Experiments show that with 10% malicious clients, global model accuracy under HisMSA drops to 30%, approaching unavailability. Even against defenses such as statistical feature analysis and topology distance detection, HisMSA still degrades performance by 5%-20%. DynHisFL improves accuracy by 71.3% even with a 20% attack ratio, while achieving an outstanding 98.7% poisoning detection accuracy. Ten model distribution metrics are evaluated, with Maximum Mean Discrepancy achieving a recall rate of 70%-100% across various poisoning strategies.
External IDs: dblp:journals/jksucis/ZhangJGGG25
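The abstract names Maximum Mean Discrepancy as a metric for spotting poisoned models by their divergence from historical model distributions. The sketch below is an added illustration of that idea and is not the DynHisFL algorithm or code from the paper: it scores each client's flattened parameters against a sample pooled from earlier accepted models and rejects outliers. The RBF kernel, the median-plus-MAD threshold, the function names and the constructed Gaussian data are all assumptions.

```python
import math
import random
import statistics

def mmd2(x, y, sigma=1.0):
    """Biased squared MMD between two 1-D samples under an RBF kernel."""
    def kmean(a, b):
        total = sum(math.exp(-(u - v) ** 2 / (2 * sigma ** 2)) for u in a for v in b)
        return total / (len(a) * len(b))
    return kmean(x, x) + kmean(y, y) - 2 * kmean(x, y)

def filter_updates(history, updates, k=10.0):
    """Score each client update against the historical sample; reject outliers.

    history: parameter values pooled from earlier accepted models (assumed input)
    updates: {client_id: flattened parameter values for this round}
    Rejection rule (assumed): score above median + k * MAD of this round's scores.
    """
    scores = {cid: mmd2(w, history) for cid, w in updates.items()}
    med = statistics.median(scores.values())
    mad = statistics.median(abs(s - med) for s in scores.values()) or 1e-12
    rejected = sorted(cid for cid, s in scores.items() if s > med + k * mad)
    accepted = sorted(cid for cid in scores if cid not in rejected)
    return accepted, rejected, scores

def demo(seed=7):
    """Constructed round: 8 benign clients, 2 whose parameters carry added noise."""
    rng = random.Random(seed)
    history = [rng.gauss(0.0, 0.5) for _ in range(200)]
    updates = {f"benign{i}": [rng.gauss(0.0, 0.5) for _ in range(100)] for i in range(8)}
    for i in range(2):
        updates[f"noisy{i}"] = [rng.gauss(0.0, 0.5) + rng.gauss(0.0, 1.5) for _ in range(100)]
    return filter_updates(history, updates)

if __name__ == "__main__":
    accepted, rejected, scores = demo()
    for cid in sorted(scores, key=scores.get):
        print(f"{cid:8s} MMD^2={scores[cid]:.4f} {'REJECT' if cid in rejected else 'ok'}")
```

The median and MAD are used for the threshold because they stay stable when a minority of the round's scores are extreme, which is the situation a filter of this kind has to handle.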