FLGuardian: Defending Against Model Poisoning Attacks via Fine-Grained Detection in Federated Learning
Abstract: Federated Learning (FL) is a collaborative machine learning paradigm that allows participants to train a global model together without sharing training data. Its distributed nature makes FL vulnerable to untargeted or backdoor model poisoning attacks (MPAs). Hence, many defense methods have been proposed to secure FL. However, existing defenses are ineffective against the emerging stealthy layer-space MPA, since they either focus on the model space or ignore the disparities between the layers. In this paper, we propose a novel layer-space defense method called FLGuardian that can protect the global model from the state-of-the-art MPAs. FLGuardian first employs a new layer-wise detection to identify the benign clients for each layer through pairwise cosine distances and pairwise Euclidean distances combined with a clustering algorithm. Then, FLGuardian assigns a trust score to each client according to the detection results of all the layers, where a deeper layer in the model carries a higher weight in the scoring. Finally, we select several clients with the highest scores for updating the global model. Experimental results show that FLGuardian outperforms nine typical defense methods against seven state-of-the-art MPAs in most cases. Particularly, under LPattack, the emerging layer-space backdoor MPA, FLGuardian keeps the Backdoor Success Rate (BSR) below 3% while other defenses have BSRs over 93% on CIFAR-10. Moreover, FLGuardian remains robust against adaptive attacks tailored to FLGuardian.
External IDs: dblp:journals/tifs/ZhouCLFSCQX25
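The three steps the abstract describes (per-layer detection, depth-weighted trust scoring, top-k selection) can be sketched on the aggregator side as follows; this is an added example, not the paper's code. Assumptions: the widest-gap split stands in for the clustering algorithm the abstract does not name, the layer weights are linear in depth, and all function names, layer names and client updates are constructed.

```python
import math

def cos_dist(a, b):
    na, nb = math.hypot(*a), math.hypot(*b)
    return 1.0 - sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 1.0

def benign_for_layer(vecs):
    """vecs: {client: flattened update of ONE layer}; >= 3 clients, honest majority assumed."""
    ids = sorted(vecs)
    def mean_dist(fn):  # mean pairwise distance to the other clients, scaled to [0, 1]
        raw = {c: sum(fn(vecs[c], vecs[o]) for o in ids if o != c) / (len(ids) - 1) for c in ids}
        top = max(raw.values()) or 1.0
        return {c: raw[c] / top for c in ids}
    cos, euc = mean_dist(cos_dist), mean_dist(math.dist)
    score = {c: cos[c] + euc[c] for c in ids}
    ranked = sorted(ids, key=lambda c: (score[c], c))
    # Assumed stand-in for the clustering step: split at the widest score gap that
    # still leaves a majority on the low-distance side. It always drops at least one
    # client per layer, which is tolerable because selection uses the summed score.
    lo = len(ranked) // 2
    gaps = [score[ranked[i + 1]] - score[ranked[i]] for i in range(lo, len(ranked) - 1)]
    return set(ranked[: lo + gaps.index(max(gaps)) + 1])

def select_clients(updates, layer_order, k):
    """layer_order lists layers from shallowest to deepest; returns (top-k ids, trust)."""
    trust = {c: 0 for c in updates}
    for depth, layer in enumerate(layer_order, start=1):
        for c in benign_for_layer({c: u[layer] for c, u in updates.items()}):
            trust[c] += depth  # assumed linear weight: a deeper layer counts more
    return sorted(trust, key=lambda c: (-trust[c], c))[:k], trust

# Constructed sample: five clients, three layers; c4 deviates only in the deepest layer.
LAYERS = ["conv1", "conv2", "fc"]
UPDATES = {
    "c0": {"conv1": [0.10, -0.20, 0.05], "conv2": [0.30, 0.10, -0.10], "fc": [0.20, 0.20, -0.30]},
    "c1": {"conv1": [0.11, -0.19, 0.05], "conv2": [0.29, 0.11, -0.10], "fc": [0.21, 0.19, -0.30]},
    "c2": {"conv1": [0.09, -0.21, 0.06], "conv2": [0.31, 0.10, -0.09], "fc": [0.19, 0.21, -0.29]},
    "c3": {"conv1": [0.10, -0.20, 0.04], "conv2": [0.30, 0.09, -0.11], "fc": [0.20, 0.20, -0.31]},
    "c4": {"conv1": [0.10, -0.21, 0.05], "conv2": [0.30, 0.10, -0.10], "fc": [-0.25, 0.30, 0.20]},
}

if __name__ == "__main__":
    chosen, trust = select_clients(UPDATES, LAYERS, k=3)
    print("fc benign:", sorted(benign_for_layer({c: u["fc"] for c, u in UPDATES.items()})))
    print("trust:", trust, "selected:", chosen)
```

A whole-model distance would dilute c4's single-layer deviation across all parameters; scoring each layer separately and weighting the deepest one most is what keeps c4 out of the selected set here.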