XinTong You,Zhengqi Liu,Xu Yang,Xuyang Ding

DOI: https://doi.org/10.1109/confluence52989.2022.9734158

2022-01-01

Abstract:Federated learning has drawn widespread attention as privacy-preserving solution, which has a protective effect on data security and privacy. It has unique distributed machine learning mechanism, namely model sharing instead of data sharing. However, the mechanism also leads to the fact that malicious clients can easily train local model based on poisoned data and upload it to the server for contaminating the global model, thus severely hampering the development of federated learning. In this paper, we build a federated learning system and simulate heterogeneous data on each client for training. Although we cannot directly differentiate malicious customers by the uploaded model in a heterogeneous data environment, by experiments we found some features that are used to distinguish malicious customers from benign customers during training. Given above, we propose a federated learning poisoning attack detection method for detecting malicious clients and ensuring aggregation quality. The method can filter out anomaly models by comparing the similarity of the historical changes of clients and gradually identifying attacker clients through reputation mechanism. We experimentally demonstrate that the method significantly improves the performance of the global model even when the proportion of malicious clients is as high as one-third.

Chen Zhang,Boyang Zhou,Zhiqiang He,Zeyuan Liu,Yanjiao Chen,Wenyuan Xu,Baochun Li

DOI: https://doi.org/10.1109/infocom53939.2023.10228981

2023-01-01

Abstract:Federated learning is exposed to model poisoning attacks as compromised clients may submit malicious model updates to pollute the global model. To defend against such attacks, robust aggregation rules are designed for the centralized server to winnow out outlier updates, and to significantly reduce the effectiveness of existing poisoning attacks. In this paper, we develop an advanced model poisoning attack against defensive aggregation rules. In particular, we exploit the catastrophic forgetting phenomenon during the process of continual learning to destroy the memory of the global model. Our proposed framework, called Oblivion, features two special components. The first component prioritizes the weights that have the most influence on the model accuracy for poisoning, which induces a more significant degradation on the global model than equally perturbing all weights. The second component smooths malicious model updates based on the number of selected compromised clients in the current round, adjusting the degree of poisoning to suit the dynamics of each training round. We implement a fully-functional prototype of Oblivion in PLATO, a real-world scalable federated learning framework. Our extensive experiments over three datasets demonstrate that Oblivion can boost the attack performance of model poisoning attacks against unknown defensive aggregation rules.

Dazhong Rong,Qinming He,Jianhai Chen

DOI: https://doi.org/10.24963/ijcai.2022/306

2022-01-01

Abstract:Various attack methods against recommender systems have been proposed in the past years, and the security issues of recommender systems have drawn considerable attention. Traditional attacks attempt to make target items recommended to as many users as possible by poisoning the training data. Benifiting from the feature of protecting users' private data, federated recommendation can effectively defend such attacks. Therefore, quite a few works have devoted themselves to developing federated recommender systems. For proving current federated recommendation is still vulnerable, in this work we probe to design attack approaches targeting deep learning based recommender models in federated learning scenarios. Specifically, our attacks generate poisoned gradients for manipulated malicious users to upload based on two strategies (i.e., random approximation and hard user mining). Extensive experiments show that our well-designed attacks can effectively poison the target models, and the attack effectiveness sets the state-of-the-art.

Jiguang Lv,Shuchun Xu,Yi Ling,Dapeng Man,Shuai Han,Wu Yang

DOI: https://doi.org/10.1109/msn60784.2023.00074

2023-01-01

Abstract:Federated learning is designed to train models in a distributed scheme while keeping the clients' data stored locally. The aggregation server only receives local models from clients and does not require clients to upload their local data, in which way it protects the clients' privacy. However, federated learning is vulnerable. The federated learning models are sensitive to poisoning attacks. Existing data poisoning attack methods assume that the attacker and the client have the same data distribution and data volume, which is unpractical. In this paper, we first propose a privacy inference-based poisoning data generation method, FLPDG. FLPDG changes the relationship between data and labels, and uses the data of benign clients to launch poisoning attacks. This method relies on the global model of an iterative update to obtain the data and labels of benign clients. Second, a privacy inference-based data poisoning attack model Poi_PDG is proposed. This model uses the FLPDG method to launch a data poisoning attack under conditions of insufficient original data volume of the attacker. Meanwhile, a defense method PDG_DF is proposed for Poi_PDG. It splits the image data into variance regions and utilizes GANs to hide the visual features of each image region. It controls the degree of feature hiding by setting different thresholds to keep the classification features of the image while ensuring the accuracy of the training model. Finally, several experiments are conducted to evaluate the proposed attack and defense methods, and the experimental results indicate the effectiveness of the methods.

Xingchen Zhou,Ming Xu,Yiming Wu,Ning Zheng

DOI: https://doi.org/10.3390/fi13030073

2021-01-01

Future Internet

Abstract:Federated learning is a novel distributed learning framework, which enables thousands of participants to collaboratively construct a deep learning model. In order to protect confidentiality of the training data, the shared information between server and participants are only limited to model parameters. However, this setting is vulnerable to model poisoning attack, since the participants have permission to modify the model parameters. In this paper, we perform systematic investigation for such threats in federated learning and propose a novel optimization-based model poisoning attack. Different from existing methods, we primarily focus on the effectiveness, persistence and stealth of attacks. Numerical experiments demonstrate that the proposed method can not only achieve high attack success rate, but it is also stealthy enough to bypass two existing defense methods.

Jiangang Shu,Xiaohua Jia,Guoxi Zhang

DOI: https://doi.org/10.1109/HPCC-DSS-SmartCity-DependSys57074.2022.00188

2022-12-01

Abstract:Recent studies have shown that federated learning is vulnerable to a new type of poisoning attack, called model poisoning attack. One or more malicious clients send crafted local model updates to the server to poison the global model. The training data between federated learning clients is non-IID, which makes the updates submitted by the clients various. The poisoned update from the malicious client can be hidden between various benign updates. Many anomaly detection mechanisms are limited. Client detection is a flexible detection method suitable for non-IID data distribution in federated learning. The core idea of client-side detection is to evaluate the model using various client-side data, which is used for training and detecting model poisoning attacks. However, the effectiveness of this scheme depends on the authenticity of the report returned by the client. Malicious clients can return false reports to evade detection. In this paper, we adopt the idea of group testing and use the COMP algorithm to improve the detection process. We conduct experiments in settings with different proportions of malicious clients. Experimental results show that our scheme can tolerate a higher proportion of malicious clients. In the CIFAR-10 based semantic backdoor attack, our scheme is effective when the proportion of malicious clients is 20%. In MNIST-based semantic backdoor attacks, our scheme is effective when the proportion of malicious clients is 25%.

Computer Science

Geming Xia,Jian Chen,Xinyi Huang,Chaodong Yu,Zhong Zhang

DOI: https://doi.org/10.1109/compsac57700.2023.00101

2023-01-01

Abstract:Federated learning allows participants to share models (gradients) rather than raw data to collaboratively train a global model, enhancing participants' privacy protection but making the global model more vulnerable to poisoning attacks. Poisoning attacks not only lead to the degradation of model performance but also cause a security risk. A mainstream defense strategy against poisoning attacks is that the server identifies malicious models by analyzing the models uploaded by participants. However, the attackers can use the models uploaded by the participants to recover their privacy data, leading to a privacy disclosure. Therefore, participants need to encrypt or perturb the models before uploading them so that all individuals, including the server, cannot access the model, which poses a great challenge for the defense against poisoning attacks. Moreover, many existing defense strategies against poisoning attacks only work well when the data distribution is non-independently and identically distributed. To address these issues, we propose a novel defense strategy for poisoning attacks of federated learning called FL-PTD, which can judge whether the global model is subjected to poisoning attacks without accessing the participant's local model. Besides, Our method incorporates a trust evaluation mechanism, which computes reputation scores based on the historical behavior of participants to identify malicious participants. Finally, we verify our proposed method on several real world datasets. The experimental results show that our method can effectively defend against poisoning attacks and accurately identify attackers without compromising the model's performance.

Zaixi Zhang,Xiaoyu Cao,Jinyuan Jia,Neil Zhenqiang Gong

DOI: https://doi.org/10.48550/arXiv.2207.09209

2022-10-23

Abstract:Federated learning (FL) is vulnerable to model poisoning attacks, in which malicious clients corrupt the global model via sending manipulated model updates to the server. Existing defenses mainly rely on Byzantine-robust FL methods, which aim to learn an accurate global model even if some clients are malicious. However, they can only resist a small number of malicious clients in practice. It is still an open challenge how to defend against model poisoning attacks with a large number of malicious clients. Our FLDetector addresses this challenge via detecting malicious clients. FLDetector aims to detect and remove the majority of the malicious clients such that a Byzantine-robust FL method can learn an accurate global model using the remaining clients. Our key observation is that, in model poisoning attacks, the model updates from a client in multiple iterations are inconsistent. Therefore, FLDetector detects malicious clients via checking their model-updates consistency. Roughly speaking, the server predicts a client's model update in each iteration based on its historical model updates using the Cauchy mean value theorem and L-BFGS, and flags a client as malicious if the received model update from the client and the predicted model update are inconsistent in multiple iterations. Our extensive experiments on three benchmark datasets show that FLDetector can accurately detect malicious clients in multiple state-of-the-art model poisoning attacks. After removing the detected malicious clients, existing Byzantine-robust FL methods can learn accurate global <a class="link-external link-http" href="http://models.Our" rel="external noopener nofollow">this http URL</a> code is available at <a class="link-external link-https" href="https://github.com/zaixizhang/FLDetector" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Artificial Intelligence

Jiale Zhang,Di Wu,Chengyong Liu,Bing Chen

DOI: https://doi.org/10.1007/978-981-15-9739-8_7

2020-01-01

Abstract:Recently, federated learning has shown its significant advantages in protecting training data privacy by maintaining a joint model across multiple clients. However, its model security issues have not only been recently explored but shown that federated learning exhibits inherent vulnerabilities on the active attacks launched by malicious participants. Poisoning is one of the most powerful active attacks where an inside attacker can upload the crafted local model updates to further impact the global model performance. In this paper, we first illustrate how the poisoning attack works in the context of federated learning. Then, we correspondingly propose a defense method that mainly relies upon a well-researched adversarial training technique: pivotal training, which improves the robustness of the global model with poisoned local updates. The main contribution of this work is that the countermeasure method is simple and scalable since it does not require complex accuracy validations, while only changing the optimization objectives and loss functions. We finally demonstrate the effectiveness of our proposed mitigation mechanisms through extensive experiments.

Chong Yu,Zhenyu Meng,Wenmiao Zhang,Lei,Jianbing Ni,Kuan Zhang,Hai Zhao

DOI: https://doi.org/10.1109/tnnls.2024.3486028

IF: 14.255

2024-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:In distributed systems, data may partially overlap in sample and feature spaces, that is, horizontal and vertical data partitioning. By combining horizontal and vertical federated learning (FL), hybrid FL emerges as a promising solution to simultaneously deal with data overlapping in both sample and feature spaces. Due to its decentralized nature, hybrid FL is vulnerable to model poisoning attacks, where malicious devices corrupt the global model by sending crafted model updates to the server. Existing work usually analyzes the statistical characteristics of all updates to resist model poisoning attacks. However, training local models in hybrid FL requires additional communication and computation steps, increasing the detection cost. In addition, due to data diversity in hybrid FL, solutions based on the assumption that malicious models are distinct from honest models may incorrectly classify honest ones as malicious, resulting in low accuracy. To this end, we propose a secure and efficient hybrid FL against model poisoning attacks. Specifically, we first identify two attacks to define how attackers manipulate local models in a harmful yet covert way. Then, we analyze the execution time and energy consumption in hybrid FL. Based on the analysis, we formulate an optimization problem to minimize training costs while guaranteeing accuracy considering the effect of attacks. To solve the formulated problem, we transform it into a Markov decision process and model it as a multiagent reinforcement learning (MARL) problem. Then, we propose a malicious device detection (MDD) method based on MARL to select honest devices to participate in training and improve efficiency. In addition, we propose an alternative poisoned model detection (PMD) method considering model change consistency. This method aims to prevent poisoned models from being used in the model aggregation. Experimental results validate that under the random local model poisoning attack, the proposed MDD method can save over 50% training costs while guaranteeing accuracy. When facing the advanced adaptive local model poisoning (ALMP) attack, utilizing both the proposed MDD and PMD methods achieves the desired accuracy while reducing execution time and energy consumption.

Jianping Wu,Jiahe Jin,Chunming Wu

DOI: https://doi.org/10.3390/math12060901

IF: 2.4

2024-03-20

Mathematics

Abstract:Federated learning is a distributed learning method used to solve data silos and privacy protection in machine learning, aiming to train global models together via multiple clients without sharing data. However, federated learning itself introduces certain security threats, which pose significant challenges in its practical applications. This article focuses on the common security risks of data poisoning during the training phase of federated learning clients. First, the definition of federated learning, attack types, data poisoning methods, privacy protection technology and data security situational awareness are summarized. Secondly, the system architecture fragility, communication efficiency shortcomings, computing resource consumption and situation prediction robustness of federated learning are analyzed, and related issues that affect the detection of data poisoning attacks are pointed out. Thirdly, a review is provided from the aspects of building a trusted federation, optimizing communication efficiency, improving computing power technology and personalized the federation. Finally, the research hotspots of the federated learning data poisoning attack situation prediction are prospected.

mathematics

Yupeng Jiang,Yong Li,Yipeng Zhou,Xi Zheng

DOI: https://doi.org/10.48550/arXiv.2010.10572

2020-10-20

Cryptography and Security

Abstract:In federated learning, machine learning and deep learning models are trained globally on distributed devices. The state-of-the-art privacy-preserving technique in the context of federated learning is user-level differential privacy. However, such a mechanism is vulnerable to some specific model poisoning attacks such as Sybil attacks. A malicious adversary could create multiple fake clients or collude compromised devices in Sybil attacks to mount direct model updates manipulation. Recent works on novel defense against model poisoning attacks are difficult to detect Sybil attacks when differential privacy is utilized, as it masks clients' model updates with perturbation. In this work, we implement the first Sybil attacks on differential privacy based federated learning architectures and show their impacts on model convergence. We randomly compromise some clients by manipulating different noise levels reflected by the local privacy budget epsilon of differential privacy on the local model updates of these Sybil clients such that the global model convergence rates decrease or even leads to divergence. We apply our attacks to two recent aggregation defense mechanisms, called Krum and Trimmed Mean. Our evaluation results on the MNIST and CIFAR-10 datasets show that our attacks effectively slow down the convergence of the global models. We then propose a method to keep monitoring the average loss of all participants in each round for convergence anomaly detection and defend our Sybil attacks based on the prediction cost reported from each client. Our empirical study demonstrates that our defense approach effectively mitigates the impact of our Sybil attacks on model convergence.

Ying Zhao,Junjun Chen,Jiale Zhang,Di Wu,Michael Blumenstein,Shui Yu

DOI: https://doi.org/10.1002/cpe.5906

2020-06-29

Concurrency and Computation: Practice and Experience

Abstract:<p>In the age of the Internet of Things (IoT), large numbers of sensors and edge devices are deployed in various application scenarios; Therefore, collaborative learning is widely used in IoT to implement crowd intelligence by inviting multiple participants to complete a training task. As a collaborative learning framework, federated learning is designed to preserve user data privacy, where participants jointly train a global model without uploading their private training data to a third party server. Nevertheless, federated learning is under the threat of poisoning attacks, where adversaries can upload malicious model updates to contaminate the global model. To detect and mitigate poisoning attacks in federated learning, we propose a poisoning defense mechanism, which uses generative adversarial networks to generate auditing data in the training procedure and removes adversaries by auditing their model accuracy. Experiments conducted on two well‐known datasets, MNIST and Fashion‐MNIST, suggest that federated learning is vulnerable to the poisoning attack, and the proposed defense method can detect and mitigate the poisoning attack.</p>

Tongsai Jin,Fu Zhihui,Dan Meng,Jun Wang,Yue Qi,Guitao Cao

DOI: https://doi.org/10.3233/faia230393

2023-01-01

Abstract:Federated learning breaks through the barrier of data owners by allowing them to collaboratively train a federated machine learning model without compromising the privacy of their own data. However, Federation Learning also faces the threat of poisoning attacks, especially from the client model updates, which may impair the accuracy of the global model. To defend against the poisoning attacks, previous work aims to identify the malicious updates in high dimensional spaces. However, we find that the distances in high dimensional spaces cannot identify the changes in a small subset of dimensions, and the small changes may affect the global models severely. Based on this finding, we propose an untargeted poisoning attack under the federated learning setting via the partial perturbations on a small subset of the carefully selected model parameters, and present two attack object selection strategies. We experimentally demonstrate that the proposed attack scheme achieves high attack success rate on five state-of-the-art defense schemes. Furthermore, the proposed attack scheme remains effective at low malicious client ratios and still circumvents three defense schemes with a malicious client ratio as low as 2%.

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Yandong Zheng,Rongxing Lu,Hui Li

DOI: https://doi.org/10.1109/tsc.2024.3377931

2024-01-01

Abstract:The ever-growing data scale and increasingly strict privacy restraint have recently drawn extensive attention to federated learning (FL) as a multi-party machine learning paradigm for achieving high-quality model construction without data collection. Nevertheless, uploading local models in FL can still be exploited by adversaries to infer participants' sensitive data. Furthermore, it is possible for malicious participants to manipulate the global model by submitting poisonous local models. To tackle these challenges, this paper proposes an efficient and privacy-preserving federated learning framework against poisoning adversaries, namely ELFL, which can ensure the confidentiality of local models while effectively resisting data poisoning attacks. Specifically, we first design a grouped secure aggregation algorithm, through which the aggregation server can compute the summations of local models inside logic groups but cannot see individual ones. Then, based on grouped aggregations, our poisoning defense mechanism could detect and quickly phase out malicious participants from training candidates. Moreover, the computational complexity of participants is independent of their total number, so it is suitable for large-scale scenes. Detailed security analysis demonstrates the security of ELFL. Experimental results show that ELFL could maintain a high accuracy against representative data poisoning attacks, and its computational and communication overhead is indeed low.

Minzhe Wu,Bowen Zhao,Yang Xiao,Congjian Deng,Yuan Liu,Ximeng Liu

DOI: https://doi.org/10.1109/tifs.2024.3461449

IF: 7.231

2024-10-02

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) is an emerging paradigm for privacy-preserving machine learning, in which multiple clients collaborate to generate a global model through training individual models with local data. However, FL is vulnerable to model poisoning attacks (MPAs) as malicious clients are able to destroy the global model by modifying local models. Although numerous model poisoning defense methods are extensively studied, they remain vulnerable to newly proposed optimized MPAs and are constrained by the necessity to presume a certain proportion of malicious clients. To this end, in this paper, we propose MODEL, a model poisoning defense framework for FL through truth discovery (TD). A distinctive aspect of MODEL is its ability to effectively prevent both optimized and byzantine MPAs. Furthermore, it requires no presupposed threshold for different settings of malicious clients (e.g., less than 33% or no more than 50%). Specifically, a TD-based metric and a clustering-based filtering mechanism are proposed to evaluate local models and avoid presupposing a threshold. Furthermore, MODEL is effective for non-independent and identically distributed (non-IID) training data. In addition, inspired by game theory, we incorporate a truthful and fair incentive mechanism in MODEL to encourage active client participation while mitigating the potential desire for attacks from malicious clients. Extensively comparative experiments demonstrate that MODEL effectively safeguards against optimized MPAs and outperforms the state-of-the-art.

computer science, theory & methods,engineering, electrical & electronic

Xiaoyu Cao,Jinyuan Jia,Zaixi Zhang,Neil Zhenqiang Gong

DOI: https://doi.org/10.48550/arXiv.2210.10936

2022-10-20

Abstract:Federated learning is vulnerable to poisoning attacks in which malicious clients poison the global model via sending malicious model updates to the server. Existing defenses focus on preventing a small number of malicious clients from poisoning the global model via robust federated learning methods and detecting malicious clients when there are a large number of them. However, it is still an open challenge how to recover the global model from poisoning attacks after the malicious clients are detected. A naive solution is to remove the detected malicious clients and train a new global model from scratch, which incurs large cost that may be intolerable for resource-constrained clients such as smartphones and IoT devices. In this work, we propose FedRecover, which can recover an accurate global model from poisoning attacks with small cost for the clients. Our key idea is that the server estimates the clients' model updates instead of asking the clients to compute and communicate them during the recovery process. In particular, the server stores the global models and clients' model updates in each round, when training the poisoned global model. During the recovery process, the server estimates a client's model update in each round using its stored historical information. Moreover, we further optimize FedRecover to recover a more accurate global model using warm-up, periodic correction, abnormality fixing, and final tuning strategies, in which the server asks the clients to compute and communicate their exact model updates. Theoretically, we show that the global model recovered by FedRecover is close to or the same as that recovered by train-from-scratch under some assumptions. Empirically, our evaluation on four datasets, three federated learning methods, as well as untargeted and targeted poisoning attacks (e.g., backdoor attacks) shows that FedRecover is both accurate and efficient.

Cryptography and Security,Artificial Intelligence,Machine Learning

Jianrong Lu,Shengshan Hu,Wei Wan,Minghui Li,Leo Yu Zhang,Lulu Xue,Hai Jin

DOI: https://doi.org/10.1109/tifs.2024.3360869

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) allows clients at the edge to learn a shared global model without disclosing their private data. However, FL is susceptible to poisoning attacks, wherein an adversary injects tainted local models that ultimately corrupt the global model. Despite various defensive mechanisms having been developed to combat poisoning attacks, they all fall short of securing practical FL scenarios with heterogeneous and unbalanced data distribution. Moreover, the cutting-edge defenses currently at our disposal demand access to a proprietary dataset that closely mirrors the distribution of clients’ data, which runs counter to the fundamental principle of privacy protection in FL. It is still challenging to devise an effective defense approach that applies to practical FL. In this work, we strive to narrow the divide between FL defense and its practical use. We first present a general framework to comprehend the effect of poisoning attacks in FL when the training data is not independent and identically distributed (non-IID). We then HeteroFL, a novel FL scheme that incorporates four complementary defensive strategies. These tactics are implemented in succession to refine the aggregated model toward approaching the global optimum. Ultimately, we devise an adaptive attack specifically for HeteroFL, aimed at offering a more thorough evaluation of its robustness. Our extensive experiments over heterogeneous datasets and models show that HeteroFL surpasses all state-of-the-art defenses in thwarting various poisoning attacks, i.e., HeteroFL achieves global model accuracies comparable to the baseline, whereas other defenses suffer a significant accuracy reduction ranging from 34% to 79%.

Lei Shi,Zhen Chen,Yucheng Shi,Lin Wei,Yongcai Tao,Mengyang He,Qingxian Wang,Yuan Zhou,Yufei Gao

DOI: https://doi.org/10.1051/sands/2023006

2023-01-01

Abstract:Federated learning(FL) development has grown increasingly strong with the increased emphasis on data for individuals and industry. Federated learning allows individual participants to jointly train a global model without sharing local data, which significantly enhances data privacy. However, federated learning is vulnerable to poisoning attacks by malicious participants. Since federated learning does not have access to the participants’ training process, i.e. , attackers can compromise the global model by uploading elaborate malicious local updates to the server under the guise of normal participants. Current model poisoning attacks usually add small perturbations to the local model after it is trained to craft harmful local updates and the attacker finds the appropriate perturbation size to bypass robust detection methods and corrupt the global model as much as possible. In contrast, we propose a novel model poisoning attack based on the momentum of history information (MPHM), that is, the attacker makes new malicious updates by dynamically crafting perturbations using the historical information in the local training, which will make the new malicious updates more effective and stealthy. Our attack aims to indiscriminately reduce the testing accuracy of the global model with minimal information. Experiments show that in the classical defense case, our attack can significantly corrupt the accuracy of the global model compared to other advanced poisoning attacks.

Tao Jin,Fu Zhang,Dan Meng,Jim Wang,Yue Qi,Guitao Cao

2023-01-01

Abstract:Federated learning breaks through the barrier of data owners by allowing them to collaboratively train a federated machine learning model without compromising the privacy of their own data. However, Federation Learning also faces the threat of poisoning attacks, especially from the client model updates, which may impair the accuracy of the global model. To defend against the poisoning attacks, previous work aims to identify the malicious updates in high dimensional spaces. However, we find that the distances in high dimensional spaces cannot identify the changes in a small subset of dimensions, and the small changes may affect the global models severely. Based on this finding, we propose an untargeted poisoning attack under the federated learning setting via the partial perturbations on a small subset of the carefully selected model parameters, and present two attack object selection strategies. We experimentally demonstrate that the proposed attack scheme achieves high attack success rate on five state-of-the-art defense schemes. Furthermore, the proposed attack scheme remains effective at low malicious client ratios and still circumvents three defense schemes with a malicious client ratio as low as 2%.