Yunlong Mao,Xinyu Yuan,Xinyang Zhao,Sheng Zhong

DOI: https://doi.org/10.1007/978-3-030-88418-5_23

2021-01-01

Abstract:Training a deep neural network requires substantial data and intensive computing resources. Unaffordable price holds back many potential applications of deep learning. Besides, it is risky to gather user's private data for training centrally. Then federated learning appears as a promising solution to having users learned jointly while keeping training data local. However, security issues keep coming up in federated learning applications. One of the most threatening attacks is the model poisoning attack which can manipulate the inference result of a jointly learned model. Some recent studies show that elaborate model poisoning approaches can even breach the existing Byzantine-robust federated learning solutions. Hence, it is critical to discuss alternative solutions to secure federated learning. In this paper, we propose to protect federated learning against model poisoning attacks by introducing a robust model aggregation solution named Romoa. Unlike previous studies, Romoa can deal with targeted and untargeted poisoning attacks with a unified approach. Moreover, Romoa achieves more precise attack detection and better fairness for federated learning participants by constructing a new similarity measurement. We conclude that through a comprehensive evaluation of standard datasets, Romoa can provide a satisfying defense effect against model poisoning attacks, including those attacks breaching Byzantine-robust federated learning solutions.

Chen Zhang,Boyang Zhou,Zhiqiang He,Zeyuan Liu,Yanjiao Chen,Wenyuan Xu,Baochun Li

DOI: https://doi.org/10.1109/infocom53939.2023.10228981

2023-01-01

Abstract:Federated learning is exposed to model poisoning attacks as compromised clients may submit malicious model updates to pollute the global model. To defend against such attacks, robust aggregation rules are designed for the centralized server to winnow out outlier updates, and to significantly reduce the effectiveness of existing poisoning attacks. In this paper, we develop an advanced model poisoning attack against defensive aggregation rules. In particular, we exploit the catastrophic forgetting phenomenon during the process of continual learning to destroy the memory of the global model. Our proposed framework, called Oblivion, features two special components. The first component prioritizes the weights that have the most influence on the model accuracy for poisoning, which induces a more significant degradation on the global model than equally perturbing all weights. The second component smooths malicious model updates based on the number of selected compromised clients in the current round, adjusting the degree of poisoning to suit the dynamics of each training round. We implement a fully-functional prototype of Oblivion in PLATO, a real-world scalable federated learning framework. Our extensive experiments over three datasets demonstrate that Oblivion can boost the attack performance of model poisoning attacks against unknown defensive aggregation rules.

Peihua Mai,Ran Yan,Yan Pang

2024-05-24

Abstract:Federated learning (FL) allows multiple devices to train a model collaboratively without sharing their data. Despite its benefits, FL is vulnerable to privacy leakage and poisoning attacks. To address the privacy concern, secure aggregation (SecAgg) is often used to obtain the aggregation of gradients on sever without inspecting individual user updates. Unfortunately, existing defense strategies against poisoning attacks rely on the analysis of local updates in plaintext, making them incompatible with SecAgg. To reconcile the conflicts, we propose a robust federated learning framework against poisoning attacks (RFLPA) based on SecAgg protocol. Our framework computes the cosine similarity between local updates and server updates to conduct robust aggregation. Furthermore, we leverage verifiable packed Shamir secret sharing to achieve reduced communication cost of $O(M+N)$ per user, and design a novel dot-product aggregation algorithm to resolve the issue of increased information leakage. Our experimental results show that RFLPA significantly reduces communication and computation overhead by over $75\%$ compared to the state-of-the-art method, BREA, while maintaining competitive accuracy.

Cryptography and Security,Artificial Intelligence

Yueqi Xie,Weizhong Zhang,Renjie Pi,Fangzhao Wu,Qifeng Chen,Xing Xie,Sunghun Kim

DOI: https://doi.org/10.48550/arXiv.2211.05554

IF: 5.414

2022-11-10

Machine Learning

Abstract:Non-IID data distribution across clients and poisoning attacks are two main challenges in real-world federated learning (FL) systems. While both of them have attracted great research interest with specific strategies developed, no known solution manages to address them in a unified framework. To universally overcome both challenges, we propose SmartFL, a generic approach that optimizes the server-side aggregation process with a small amount of proxy data collected by the service provider itself via a subspace training technique. Specifically, the aggregation weight of each participating client at each round is optimized using the server-collected proxy data, which is essentially the optimization of the global model in the convex hull spanned by client models. Since at each round, the number of tunable parameters optimized on the server side equals the number of participating clients (thus independent of the model size), we are able to train a global model with massive parameters using only a small amount of proxy data (e.g., around one hundred samples). With optimized aggregation, SmartFL ensures robustness against both heterogeneous and malicious clients, which is desirable in real-world FL where either or both problems may occur. We provide theoretical analyses of the convergence and generalization capacity for SmartFL. Empirically, SmartFL achieves state-of-the-art performance on both FL with non-IID data distribution and FL with malicious clients. The source code will be released.

Dung Thuy Nguyen,Ziyan An,Taylor T. Johnson,Meiyi Ma,Kevin Leach

2024-11-06

Abstract:Federated Learning (FL) offers a promising solution to the privacy concerns associated with centralized Machine Learning (ML) by enabling decentralized, collaborative learning. However, FL is vulnerable to various security threats, including poisoning attacks, where adversarial clients manipulate the training data or model updates to degrade overall model performance. Recognizing this threat, researchers have focused on developing defense mechanisms to counteract poisoning attacks in FL systems. However, existing robust FL methods predominantly focus on computer vision tasks, leaving a gap in addressing the unique challenges of FL with time series data. In this paper, we present FLORAL, a defense mechanism designed to mitigate poisoning attacks in federated learning for time-series tasks, even in scenarios with heterogeneous client data and a large number of adversarial participants. Unlike traditional model-centric defenses, FLORAL leverages logical reasoning to evaluate client trustworthiness by aligning their predictions with global time-series patterns, rather than relying solely on the similarity of client updates. Our approach extracts logical reasoning properties from clients, then hierarchically infers global properties, and uses these to verify client updates. Through formal logic verification, we assess the robustness of each client contribution, identifying deviations indicative of adversarial behavior. Experimental results on two datasets demonstrate the superior performance of our approach compared to existing baseline methods, highlighting its potential to enhance the robustness of FL to time series applications. Notably, FLORAL reduced the prediction error by 93.27\% in the best-case scenario compared to the second-best baseline. Our code is available at \url{<a class="link-external link-https" href="https://anonymous.4open.science/r/FLORAL-Robust-FTS" rel="external noopener nofollow">this https URL</a>}.

Cryptography and Security,Artificial Intelligence,Distributed, Parallel, and Cluster Computing,Logic in Computer Science

Du Bowen,Wang Haiquan,Li Yuxuan,Jiejie Zhao,Yanbo Ma,Huang Runhe

DOI: https://doi.org/10.1145/3673656

2024-06-17

ACM Transactions on Sensor Networks

Abstract:As an emerging learning paradigm, Federated Learning (FL) enables data owners to collaborate training a model while keeps data locally. However, classic FL methods are susceptible to model poisoning attacks and Byzantine failures. Despite several defense methods proposed to mitigate such concerns, it is challenging to balance adverse effects while allowing that each credible node contributes to the learning process. To this end, a Fair and Robust FL method is proposed for defense against model poisoning attack from malicious nodes, namely FRFL. FRFL can learn a high-quality model even if some nodes are malicious. In particular, we first classify each participant into three categories: training node, validation node, and blockchain node. Among these, blockchain nodes replace the central server in classic FL methods while enabling secure aggregation. Then, a fairness-aware role rotation method is proposed to periodically alter the sets of training and validation nodes in order to utilize the valuable information included in local datasets of credible nodes. Finally, a decentralized and adaptive aggregation mechanism cooperating with blockchain nodes is designed to detect and discard malicious nodes and produce a high-quality model. The results show the effectiveness of FRFL in enhancing model performance while defending against malicious nodes.

computer science, information systems,telecommunications

Yujing Wang,Hainan Zhang,Sijia Wen,Wangjie Qiu,Binghui Guo

2024-06-20

Abstract:Federated learning is highly susceptible to model poisoning attacks, especially those meticulously crafted for servers. Traditional defense methods mainly focus on updating assessments or robust aggregation against manually crafted myopic attacks. When facing advanced attacks, their defense stability is notably insufficient. Therefore, it is imperative to develop adaptive defenses against such advanced poisoning attacks. We find that benign clients exhibit significantly higher data distribution stability than malicious clients in federated learning in both CV and NLP tasks. Therefore, the malicious clients can be recognized by observing the stability of their data distribution. In this paper, we propose AdaAggRL, an RL-based Adaptive Aggregation method, to defend against sophisticated poisoning attacks. Specifically, we first utilize distribution learning to simulate the clients' data distributions. Then, we use the maximum mean discrepancy (MMD) to calculate the pairwise similarity of the current local model data distribution, its historical data distribution, and global model data distribution. Finally, we use policy learning to adaptively determine the aggregation weights based on the above similarities. Experiments on four real-world datasets demonstrate that the proposed defense model significantly outperforms widely adopted defense models for sophisticated attacks.

Machine Learning,Cryptography and Security

Yuxin Yang,Qiang Li,Chenfei Nie,Yuan Hong,Meng Pang,Binghui Wang

2024-07-25

Abstract:Federated Learning (FL) is a novel client-server distributed learning framework that can protect data privacy. However, recent works show that FL is vulnerable to poisoning attacks. Many defenses with robust aggregators (AGRs) are proposed to mitigate the issue, but they are all broken by advanced attacks. Very recently, some renewed robust AGRs are designed, typically with novel clipping or/and filtering strate-gies, and they show promising defense performance against the advanced poisoning attacks. In this paper, we show that these novel robust AGRs are also vulnerable to carefully designed poisoning attacks. Specifically, we observe that breaking these robust AGRs reduces to bypassing the clipping or/and filtering of malicious clients, and propose an optimization-based attack framework to leverage this observation. Under the framework, we then design the customized attack against each robust AGR. Extensive experiments on multiple datasets and threat models verify our proposed optimization-based attack can break the SOTA AGRs. We hence call for novel defenses against poisoning attacks to FL. Code is available at: <a class="link-external link-https" href="https://github.com/Yuxin104/" rel="external noopener nofollow">this https URL</a> BreakSTOAPoisoningDefenses.

Cryptography and Security

Minghong Fang,Zifan Zhang,Hairi,Prashant Khanduri,Jia Liu,Songtao Lu,Yuchen Liu,Neil Gong

2024-07-14

Abstract:Federated learning (FL) enables multiple clients to collaboratively train machine learning models without revealing their private training data. In conventional FL, the system follows the server-assisted architecture (server-assisted FL), where the training process is coordinated by a central server. However, the server-assisted FL framework suffers from poor scalability due to a communication bottleneck at the server, and trust dependency issues. To address challenges, decentralized federated learning (DFL) architecture has been proposed to allow clients to train models collaboratively in a serverless and peer-to-peer manner. However, due to its fully decentralized nature, DFL is highly vulnerable to poisoning attacks, where malicious clients could manipulate the system by sending carefully-crafted local models to their neighboring clients. To date, only a limited number of Byzantine-robust DFL methods have been proposed, most of which are either communication-inefficient or remain vulnerable to advanced poisoning attacks. In this paper, we propose a new algorithm called BALANCE (Byzantine-robust averaging through local similarity in decentralization) to defend against poisoning attacks in DFL. In BALANCE, each client leverages its own local model as a similarity reference to determine if the received model is malicious or benign. We establish the theoretical convergence guarantee for BALANCE under poisoning attacks in both strongly convex and non-convex settings. Furthermore, the convergence rate of BALANCE under poisoning attacks matches those of the state-of-the-art counterparts in Byzantine-free settings. Extensive experiments also demonstrate that BALANCE outperforms existing DFL methods and effectively defends against poisoning attacks.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Machine Learning

Zhi Lu,SongFeng Lu,YongQuan Cui,XueMing Tang,JunJun Wu

DOI: https://doi.org/10.1109/tifs.2024.3402993

IF: 7.231

2024-05-25

IEEE Transactions on Information Forensics and Security

Abstract:Federated Learning (FL), a distributed learning paradigm optimizing communication costs and enhancing privacy by uploading gradients instead of raw data, now confronts security challenges. It is particularly vulnerable to Byzantine poisoning attacks and potential privacy breaches via inference attacks. While homomorphic encryption and secure multi-party computation have been employed to design robust FL mechanisms, these predominantly rely on Euclidean distance or median-based metrics and often fall short in comprehensively defending against advanced poisoning attacks, such as adaptive attacks. Addressing this issue, our study introduces "Split-Aggregation", a lightweight privacy-preserving FL solution capable of withstanding adaptive attacks. This method maintains a computational complexity of and a communication overhead of , performing comparably to FedAvg when . Here, d represents the gradient dimension, N the number of users, and k the rank chosen during random singular value decomposition. Additionally, we utilize adaptive weight coefficients to mitigate gradient descent issues in honest users caused by non-independent and identically distributed (Non-IID) data. The proposed method's security and robustness are theoretically proven, with its complexity thoroughly analyzed. Experimental results demonstrate that at , this method surpasses the top-1 accuracy of current state-of-the-art robust privacy-preserving FL approaches. Moreover, opting for a smaller k significantly boosts efficiency with only marginal compromises in accuracy.

computer science, theory & methods,engineering, electrical & electronic

Hangtao Zhang,Zeming Yao,Leo Yu Zhang,Shengshan Hu,Chao Chen,Alan Liew,Zhetao Li

2024-09-26

Abstract:Federated learning (FL) is vulnerable to poisoning attacks, where adversaries corrupt the global aggregation results and cause denial-of-service (DoS). Unlike recent model poisoning attacks that optimize the amplitude of malicious perturbations along certain prescribed directions to cause DoS, we propose a Flexible Model Poisoning Attack (FMPA) that can achieve versatile attack goals. We consider a practical threat scenario where no extra knowledge about the FL system (e.g., aggregation rules or updates on benign devices) is available to adversaries. FMPA exploits the global historical information to construct an estimator that predicts the next round of the global model as a benign reference. It then fine-tunes the reference model to obtain the desired poisoned model with low accuracy and small perturbations. Besides the goal of causing DoS, FMPA can be naturally extended to launch a fine-grained controllable attack, making it possible to precisely reduce the global accuracy. Armed with precise control, malicious FL service providers can gain advantages over their competitors without getting noticed, hence opening a new attack surface in FL other than DoS. Even for the purpose of DoS, experiments show that FMPA significantly decreases the global accuracy, outperforming six state-of-the-art attacks.

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

He Yang,Wei Xi,Yuhao Shen,Canhui Wu,Jizhong Zhao

DOI: https://doi.org/10.1109/tifs.2024.3352415

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:Recent defense approaches against targeted model poisoning attacks aim to prevent specific prediction failures in federated learning (FL). However, these defenses remain susceptible to targeted collusion attacks, particularly under conditions of high proportions of malicious clients and attack density. To address these vulnerabilities, we propose RoseAgg, which dynamically identifies a plausible clean ingredient from local updates and leverages it to constrain the influence of poisoned updates. Firstly, RoseAgg recognizes and confines common characteristics found in poisoned updates, such as scaled-up magnitudes or similar directional contributions. Furthermore, RoseAgg dynamically extracts a plausible clean ingredient using a dimension-reduction method. This clean ingredient becomes the foundation for the server to bootstrap credit scores for each local update, ensuring the dominance of benign updates over poisoned ones. Ultimately, the server computes a weighted average of local updates based on credit scores, generating a global update for refining the global model. Comprehensive evaluations on four benchmark datasets showcase RoseAgg's effectiveness against seven advanced attacks. The code is available at https://github.com/SleepedCat/RoseAgg.

computer science, theory & methods,engineering, electrical & electronic

Sizai Hou,Songze Li,Tayyebeh Jahani-Nezhad,Giuseppe Caire

2024-07-12

Abstract:Federated learning (FL) has recently gained significant momentum due to its potential to leverage large-scale distributed user data while preserving user privacy. However, the typical paradigm of FL faces challenges of both privacy and robustness: the transmitted model updates can potentially leak sensitive user information, and the lack of central control of the local training process leaves the global model susceptible to malicious manipulations on model updates. Current solutions attempting to address both problems under the one-server FL setting fall short in the following aspects: 1) designed for simple validity checks that are insufficient against advanced attacks (e.g., checking norm of individual update); and 2) partial privacy leakage for more complicated robust aggregation algorithms (e.g., distances between model updates are leaked for multi-Krum). In this work, we formalize a novel security notion of aggregated privacy that characterizes the minimum amount of user information, in the form of some aggregated statistics of users' updates, that is necessary to be revealed to accomplish more advanced robust aggregation. We develop a general framework PriRoAgg, utilizing Lagrange coded computing and distributed zero-knowledge proof, to execute a wide range of robust aggregation algorithms while satisfying aggregated privacy. As concrete instantiations of PriRoAgg, we construct two secure and robust protocols based on state-of-the-art robust algorithms, for which we provide full theoretical analyses on security and complexity. Extensive experiments are conducted for these protocols, demonstrating their robustness against various model integrity attacks, and their efficiency advantages over baselines.

Cryptography and Security

Yanli Li,Weiping Ding,Huaming Chen,Wei Bao,Dong Yuan

DOI: https://doi.org/10.1016/j.ins.2024.120475

IF: 8.1

2024-05-01

Information Sciences

Abstract:Federated learning (FL) is a promising approach that allows many clients to jointly train a model without sharing the raw data. Due to the clients&#x27; different preferences, the class imbalance issue frequently occurs in real-world FL problems and poses threats for poisoning attacks to the existing FL methods. In this work, we first propose a new attack called Class Imbalance Attack that can degrade the testing accuracy of a particular class(es) to even 0 under the state-of-the-art robust FL methods. To defend against such attacks, we further propose a Class-Balanced FL method with a novel contribution-wise Byzantine-robust aggregation rule. In the designed rule, an honest score and a contribution score will be assigned to each client dynamically according to the server model. The server itself will be initiated with a small dataset, and a model (called server model) will be maintained. These two scores will be subsequently used to calculate the weighted average of the client gradients for each training iteration. The experiments are conducted on five datasets against state-of-the-art poisoning attacks, including the Class Imbalance Attack. The empirical results demonstrate the effectiveness of the proposed Class-Balanced FL method.

computer science, information systems

Xia Feng,Wenhao Cheng,Chunjie Cao,Liangmin Wang,Victor S. Sheng

DOI: https://doi.org/10.1109/tsc.2024.3376255

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:Federated learning (FL) is vulnerable to data poisoning attacks when an adversary attempts to upload poison gradients with the intent to corrupt the global model of FL. Various approaches have been proposed to counter these risks. However, it becomes challenging when one tries to preserve the privacy of FL participants and ensure robustness against data poisoning attacks. In this paper, we propose DPFLA, a novel scheme that can detect poisoning attacks without revealing the actual gradients of participants. DPFLA is a lossless aggregation scheme delicately designed for adopting masks to protect private data while extracting poisoned data features. Specifically, we first apply removable masks to the gradients outputted by each participant. Second, we aggregate the masked data and decompose them using Singular Value Decomposition (SVD) to extract specific features as well as achieve dimensionality reduction. Third, we leverage a clustering paradigm to detect poison gradients from the low dimension and eliminate them in the following training rounds. We conducted extensive experiments to demonstrate that DPFLA can detect poison gradients effectively. Additionally, the comparisons of case studies demonstrate that DPFLA outperforms the state-of-the-art methods.

computer science, information systems, software engineering

Chang Xu,Yu Jia,Liehuang Zhu,Chuan Zhang,Guoxie Jin,Kashif Sharif

DOI: https://doi.org/10.1109/tpds.2022.3205714

IF: 5.3

2022-09-30

IEEE Transactions on Parallel and Distributed Systems

Abstract:Federated learning (FL) enables data owners to train a joint global model without sharing private data. However, it is vulnerable to Byzantine attackers that can launch poisoning attacks to destroy model training. Existing defense strategies rely on the additional datasets to train trustable server models or trusted execution environments to mitigate attacks. Besides, these strategies can only tolerate a small number of malicious users or resist a few types of poisoning attacks. To address these challenges, we design a novel federated learning method TDFL, Truth Discovery based Federated Learning, which can defend against multiple poisoning attacks without additional datasets even when the Byzantine users are ≥50%. Specifically, the TDFL considers different scenarios with different malicious proportions. For Honest-majority setting (Byzantine <50%), we design a special robust truth discovery aggregation scheme to remove malicious model updates, which can assign weights according to users' contribution; for Byzantine-majority setting (Byzantine ≥50%), w- use maximum clique-based filter to guarantee global model quality. To the best of our knowledge, this is the first study that uses truth discovery to defend against poisoning attacks. It is also the first scheme which can achieve strong robustness under multiple kinds of attacks launched by high proportion attackers without root datasets. Extensive comparative experiments are designed with five state-of-the-art aggregation rules under five types of classical poisoning attacks on different datasets. The experimental results demonstrate that TDFL is practical and achieves reasonable Byzantine-robustness.

computer science, theory & methods,engineering, electrical & electronic

Bo Zhao,Peng Sun,Liming Fang,Tao Wang,Keyu Jiang

DOI: https://doi.org/10.48550/arXiv.2104.08020

2021-04-16

Abstract:Federated learning (FL) is a promising privacy-preserving distributed machine learning methodology that allows multiple clients (i.e., workers) to collaboratively train statistical models without disclosing private training data. Due to the characteristics of data remaining localized and the uninspected on-device training process, there may exist Byzantine workers launching data poisoning and model poisoning attacks, which would seriously deteriorate model performance or prevent the model from convergence. Most of the existing Byzantine-robust FL schemes are either ineffective against several advanced poisoning attacks or need to centralize a public validation dataset, which is intractable in FL. Moreover, to the best of our knowledge, none of the existing Byzantine-robust distributed learning methods could well exert its power in Non-Independent and Identically distributed (Non-IID) data among clients. To address these issues, we propose FedCom, a novel Byzantine-robust federated learning framework by incorporating the idea of commitment from cryptography, which could achieve both data poisoning and model poisoning tolerant FL under practical Non-IID data partitions. Specifically, in FedCom, each client is first required to make a commitment to its local training data distribution. Then, we identify poisoned datasets by comparing the Wasserstein distance among commitments submitted by different clients. Furthermore, we distinguish abnormal local model updates from benign ones by testing each local model's behavior on its corresponding data commitment. We conduct an extensive performance evaluation of FedCom. The results demonstrate its effectiveness and superior performance compared to the state-of-the-art Byzantine-robust schemes in defending against typical data poisoning and model poisoning attacks under practical Non-IID data distributions.

Machine Learning

Syed Irfan Ali Meerza,Jian Liu

DOI: https://doi.org/10.24963/ijcai.2024/51

2024-10-03

Abstract:Federated Learning (FL) is a technique that allows multiple parties to train a shared model collaboratively without disclosing their private data. It has become increasingly popular due to its distinct privacy advantages. However, FL models can suffer from biases against certain demographic groups (e.g., racial and gender groups) due to the heterogeneity of data and party selection. Researchers have proposed various strategies for characterizing the group fairness of FL algorithms to address this issue. However, the effectiveness of these strategies in the face of deliberate adversarial attacks has not been fully explored. Although existing studies have revealed various threats (e.g., model poisoning attacks) against FL systems caused by malicious participants, their primary aim is to decrease model accuracy, while the potential of leveraging poisonous model updates to exacerbate model unfairness remains unexplored. In this paper, we propose a new type of model poisoning attack, EAB-FL, with a focus on exacerbating group unfairness while maintaining a good level of model utility. Extensive experiments on three datasets demonstrate the effectiveness and efficiency of our attack, even with state-of-the-art fairness optimization algorithms and secure aggregation rules employed.

Machine Learning,Artificial Intelligence,Cryptography and Security

Minzhe Wu,Bowen Zhao,Yang Xiao,Congjian Deng,Yuan Liu,Ximeng Liu

DOI: https://doi.org/10.1109/tifs.2024.3461449

IF: 7.231

2024-10-02

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) is an emerging paradigm for privacy-preserving machine learning, in which multiple clients collaborate to generate a global model through training individual models with local data. However, FL is vulnerable to model poisoning attacks (MPAs) as malicious clients are able to destroy the global model by modifying local models. Although numerous model poisoning defense methods are extensively studied, they remain vulnerable to newly proposed optimized MPAs and are constrained by the necessity to presume a certain proportion of malicious clients. To this end, in this paper, we propose MODEL, a model poisoning defense framework for FL through truth discovery (TD). A distinctive aspect of MODEL is its ability to effectively prevent both optimized and byzantine MPAs. Furthermore, it requires no presupposed threshold for different settings of malicious clients (e.g., less than 33% or no more than 50%). Specifically, a TD-based metric and a clustering-based filtering mechanism are proposed to evaluate local models and avoid presupposing a threshold. Furthermore, MODEL is effective for non-independent and identically distributed (non-IID) training data. In addition, inspired by game theory, we incorporate a truthful and fair incentive mechanism in MODEL to encourage active client participation while mitigating the potential desire for attacks from malicious clients. Extensively comparative experiments demonstrate that MODEL effectively safeguards against optimized MPAs and outperforms the state-of-the-art.

computer science, theory & methods,engineering, electrical & electronic