FLCatcher: Fingerprinting Poisoning Attack in Non-IID Federated Learning

ICLR 2026 Conference Submission19078 Authors

19 Sept 2025 (modified: 08 Oct 2025), ICLR 2026 Conference Submission, CC BY 4.0
Keywords: Federated learning, Poisoning attack, Non-IID, Defense strategy
Abstract: Extensive efforts have been made to defend against poisoning attacks in Federated Learning (FL). However, most existing defenses fall short in a more general and practical scenario, i.e., Non-IID FL. The core problem is that current defenses essentially all identify poisoned gradients by observing differences in the inter-client gradient distribution. However, the inherent data heterogeneity in Non-IID FL naturally induces such gradient variations, rendering malicious gradients indistinguishable from benign ones. To address this, we propose FLCatcher, a novel defense framework tailored to Non-IID poisoning attacks that approaches the problem from two perspectives. First, we observe that despite the data heterogeneity of Non-IID FL, the gradient evolution trajectory of benign clients tends to follow a consistent direction over time, whereas malicious clients persistently generate gradients deviating from expected trajectories to degrade the global model. Leveraging this insight, FLCatcher designs an adaptive discriminative gap amplification mechanism, which dynamically calibrates per-client detection thresholds by tracking long-term behavioral biases. Second, FLCatcher proposes a Wasserstein distance-based distributional alignment strategy to quantify subtle, layer-wise gradient deviations, enabling the identification of malicious perturbations that may be obscured within normal client variability. Extensive experiments on standard FL benchmarks evaluate the effectiveness of FLCatcher. Specifically, under Non-IID settings, FLCatcher achieves an average TPR exceeding 94.47% and an average FPR below 0.72%, significantly outperforming state-of-the-art defenses.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 19078