FedMID: A Data-Free Method for Using Intermediate Outputs as a Defense Mechanism Against Poisoning Attacks in Federated Learning

Sungwon Han, Hyeonho Song, Sungwon Park, Meeyoung Cha
2024-04-18
Abstract: Federated learning combines local updates from clients to produce a global model, which is susceptible to poisoning attacks. Most previous defense strategies relied on vectors derived from projections of local updates on a Euclidean space; however, these methods fail to accurately represent the functionality and structure of local models, resulting in inconsistent performance. Here, we present a new paradigm to defend against poisoning attacks in federated learning using functional mappings of local models based on intermediate outputs. Experiments show that our mechanism is robust under a broad range of computing conditions and advanced attack scenarios, enabling safer collaboration among data-sensitive participants via federated learning.
Machine Learning, Cryptography and Security
What problem does this paper attempt to address?
### Problems the paper attempts to solve

The paper "FedMID: Using Intermediate Output as a Defense Mechanism Against Poisoning Attacks in Federated Learning" addresses an important security threat to federated learning systems: **poisoning attacks**. Federated learning is a distributed machine-learning method that produces a global model by combining local updates from multiple clients. This decentralized design, however, leaves the system vulnerable to malicious participants who pose as benign clients and submit deceptive updates, disrupting the learning process and injecting malicious knowledge into the global model.

### Background and motivation

Most existing defense strategies detect malicious updates by projecting local update vectors in Euclidean space. These methods have two main limitations:

1. **Functional inconsistency**: Local update vectors cannot fully represent changes in a model's functional mapping. The functional mapping is how a model converts input data into output predictions through its learned decision boundaries, and it reflects the knowledge the model has acquired. Different parameter configurations may produce the same functional mapping, while similar parameter configurations may perform different functions.
2. **Structural inconsistency**: Parameters cannot fully represent differences in model architecture and scale. Different types of layers (batch-normalization, convolutional, fully-connected) have weights and biases of different scales when updated. Treating all of these parameters as a single vector ignores the scale differences and leads to inconsistent performance.

### Solution

To overcome these limitations, the paper proposes a new defense mechanism, **FedMID** (Federated learning with Model's Intermediate output-based Defense).
FedMID directly uses the intermediate outputs of a model to measure the knowledge difference between benign and malicious local models, instead of comparing model parameters. The specific steps are as follows:

1. **Obtain intermediate outputs**: Use a synthetic dataset sampled from a standard normal distribution to obtain the intermediate output of each model. By adjusting the statistics of the batch-normalization layers, reduce the distribution shift of the intermediate outputs so that those computed on the synthetic dataset come closer to those computed on the actual training data.
2. **Measure the deviation of the functional mapping**: Evaluate the functional differences between models by comparing their sample distance matrices in the embedding space. The functional mapping difference between two models at the \( l \)-th layer is defined as the mean absolute difference between the two distance matrices.
3. **Evaluate the normality score**: Assuming that an attacked model carries different knowledge from a normal one, compute an anomaly score for each model at each layer, then derive each model's normality score through Min-Max normalization and a negative average.
4. **Attack-tolerant aggregation**: Adjust the weight of each client according to its normality score so that malicious updates are kept out of the aggregation while the updates of benign users are incorporated into the global model. By minimizing and applying the inverse Sigmoid function to non-zero normality scores, the gap between normality scores is further widened while benign clients with low normality scores are not over-punished.
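As an added illustration (not the authors' code), the following toy implementation walks through steps 2 to 4 on constructed models: per-layer sample distance matrices on standard-normal probes, their mean absolute difference as the functional deviation, per-layer anomaly scores turned into a normality score by Min-Max normalization and negative averaging, and a simplified client weighting. Assumptions not fixed by the summary: models are bias-free two-layer ReLU MLPs given as weight matrices, a model's per-layer anomaly score is its mean deviation from every other model, the aggregation weight is simply 1 + normality, and the batch-normalization adjustment of step 1 is omitted.

```python
# Toy FedMID-style scoring (added example, not the authors' code). Assumed: bias-free
# 2-layer ReLU MLPs, anomaly = mean deviation from all other models, weight = 1 + normality.
import random

def forward(weights, x):
    """Per-layer embeddings of one input through a bias-free ReLU MLP."""
    outs, h = [], x
    for W in weights:
        h = [max(0.0, sum(w * v for w, v in zip(row, h))) for row in W]
        outs.append(h)
    return outs

def distance_matrix(embs):
    return [[sum((a - b) ** 2 for a, b in zip(e1, e2)) ** 0.5 for e2 in embs] for e1 in embs]

def layer_distance_matrices(weights, synthetic):
    """One pairwise sample distance matrix per layer for a single model (step 2)."""
    per_sample = [forward(weights, x) for x in synthetic]
    return [distance_matrix([s[l] for s in per_sample]) for l in range(len(weights))]

def functional_difference(d_a, d_b):
    """Mean absolute difference between two distance matrices (layer-wise deviation)."""
    n = len(d_a)
    return sum(abs(d_a[i][j] - d_b[i][j]) for i in range(n) for j in range(n)) / (n * n)

def normality_scores(models, synthetic):
    """Step 3: per layer, anomaly -> Min-Max normalize; then negative average over layers."""
    mats = [layer_distance_matrices(m, synthetic) for m in models]
    n, num_layers = len(models), len(models[0])
    normality = [0.0] * n
    for l in range(num_layers):
        anomaly = [sum(functional_difference(mats[i][l], mats[j][l])
                       for j in range(n) if j != i) / (n - 1) for i in range(n)]
        lo, span = min(anomaly), (max(anomaly) - min(anomaly)) or 1.0
        for i in range(n):
            normality[i] -= (anomaly[i] - lo) / span / num_layers
    return normality

def aggregation_weights(models, synthetic):
    """Assumed simplification of step 4: weight = 1 + normality (most anomalous client -> 0)."""
    return [1.0 + s for s in normality_scores(models, synthetic)]

def build_demo(seed=0, n_benign=4, dim=6, n_samples=16):
    """Constructed scenario: benign models near a shared base plus one poisoned model (last)."""
    rng = random.Random(seed)
    base = [[[rng.gauss(0, 1) for _ in range(dim)] for _ in range(dim)] for _ in range(2)]
    benign = [[[[w + rng.gauss(0, 0.01) for w in row] for row in W] for W in base]
              for _ in range(n_benign)]
    poisoned = [[[-5.0 * w for w in row] for row in W] for W in base]  # sign flip + scale-up
    synthetic = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n_samples)]  # N(0,1) probes
    return benign + [poisoned], synthetic
```

Running `aggregation_weights(*build_demo())` gives weights close to 1 for the four benign models and exactly 0 for the poisoned one, because it is the most anomalous at every layer.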
### Experimental results

The experiments show that FedMID performs well across a variety of simulation settings (non-independent and identically distributed data, different model architectures, different numbers of local training rounds, different attack strategies, and so on) and significantly outperforms the parameter-based baseline methods. In particular, FedMID maintains stable defense performance in advanced attack scenarios.

### Summary

By introducing a defense mechanism based on intermediate outputs, the paper resolves the functional and structural inconsistency problems of existing parameter-based methods and improves the security of federated learning systems.