Jiayin Li,Wenzhong Guo,Xingshuo Han,Jianping Cai,Ximeng Liu

DOI: https://doi.org/10.48550/arxiv.2209.06397

2022-01-01

Abstract: The rapidly expanding number of Internet of Things (IoT) devices is generating huge quantities of data, but the data privacy and security exposure in IoT devices, especially in the automatic driving system. Federated learning (FL) is a paradigm that addresses data privacy, security, access rights, and access to heterogeneous message issues by integrating a global model based on distributed nodes. However, data poisoning attacks on FL can undermine the benefits, destroying the global model's availability and disrupting model training. To avoid the above issues, we build up a hierarchical defense data poisoning (HDDP) system framework to defend against data poisoning attacks in FL, which monitors each local model of individual nodes via abnormal detection to remove the malicious clients. Whether the poisoning defense server has a trusted test dataset, we design the \underline{l}ocal \underline{m}odel \underline{t}est \underline{v}oting (LMTV) and \underline{k}ullback-\underline{l}eibler divergence \underline{a}nomaly parameters \underline{d}etection (KLAD) algorithms to defend against label-flipping poisoning attacks. Specifically, the trusted test dataset is utilized to obtain the evaluation results for each classification to recognize the malicious clients in LMTV. More importantly, we adopt the kullback leibler divergence to measure the similarity between local models without the trusted test dataset in KLAD. Finally, through extensive evaluations and against the various label-flipping poisoning attacks, LMTV and KLAD algorithms could achieve the $100\%$ and $40\%$ to $85\%$ successful defense ratios under different detection situations.

Run Yang,Hui He,Yulong Wang,Yue Qu,Weizhe Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103381

IF: 5.105

2023-01-01

Computers & Security

Abstract:Network intrusion detection methods based on federated learning (FL) and edge computing have great potential for protecting the cybersecurity of the Internet of Things. It overcomes the disadvantages of the traditional centralized method, such as high latency, overloaded network, and privacy leakage. At the same time, it can combine private data from multiple participants to train models, and the rich data can train more effective models. However, the inherent security vulnerabilities of the FL framework do not ensure the robustness of the global models trained collaboratively. Towards FL, each participant has access to model parameters and training data, and malicious participants can affect the global model by tampering with data or weights. This paper studies label-flipping attacks in FL-based IoT intrusion detection. We propose a lightweight detection mechanism to mitigate the impact of poisoning attacks on FL-based intrusion detection methods in IoT networks. The detection mechanism on a central server filters anomalous participants and excludes their uploaded models from the global model aggregation. Specifically, we propose a scoring mechanism for evaluating participants based on the loss of the local model and the training dataset size. Afterwards, the Manhattan similarity between each participant will be calculated according to the scores. Finally, the anomalous participants will be found by clustering algorithm for similarity cluster analysis. The experimental results show that our proposed detection method can defend against label-flipping attacks in FL. On the CIC-IDS-2017 dataset, our method can improve the accuracy of the intrusion detection model trained based on FL from 84.3% to 97.1%, while enhancing the protection of IoT network security.

Gaolei Li,Jun Wu,Shenghong Li,Wu Yang,Changlian Li

DOI: https://doi.org/10.1109/tii.2022.3173996

IF: 12.3

2022-12-17

IEEE Transactions on Industrial Informatics

Abstract:Software-defined industrial Internet of things (SD-IIoT) exploits federated learning to process the sensitive data at edges, while adaptive poisoning attacks threat the security of SD-IIoT. To address this problem, this article proposes a multi-tentacle federated learning (MTFL) framework, which is essential to guarantee the trustness of training data in SD-IIoT. In MTFL, participants with similar learning tasks are assigned to the same tentacle group. To identify adaptive poisoning attacks, a tentacle distribution-based efficient poisoning attack detection (TD-EPAD) algorithm is presented. And also, to minimize the impact of adaptive poisoning data, a stochastic tentacle data exchanging (STDE) protocol is also proposed. Simultaneously, to protect the tentacle's privacy in STDE, all exchanged data will be processed by differential privacy technology. A MTFL prototype system is implemented, which provides extensive ablation experiments and comparison experiments, demonstrating that the accuracy of the global model under attack scenario can be improved with 40%.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Chunyong Yin,Qingkui Zeng

DOI: https://doi.org/10.1109/TCSS.2023.3296885

2024-04-01

IEEE Transactions on Computational Social Systems

Abstract:Federated learning (FL) is an emerging paradigm that allows participants to collaboratively train deep learning tasks while protecting the privacy of their local data. However, the absence of central server control in distributed environments exposes a vulnerability to data poisoning attacks, where adversaries manipulate the behavior of compromised clients by poisoning local data. In particular, data poisoning attacks against FL can have a drastic impact when the participant’s local data is non-independent and identically distributed (non-IID). Most existing defense strategies have demonstrated promising results in mitigating FL poisoning attacks, however, fail to maintain their effectiveness with non-IID data. In this work, we propose an effective defense framework, FL data augmentation (FLDA), which defends against data poisoning attacks through local data mixup on the clients. In addition, to mitigate the non-IID effect by exploiting the limited local data, we propose a gradient detection strategy to reduce the proportion of malicious clients and raise benign clients. Experimental results on datasets show that FLDA can effectively reduce the poisoning success rate and improve the global model training accuracy under poisoning attacks for non-IID data. Furthermore, FLDA can increase the FL accuracy by more than 12% after detecting malicious clients.

Computer Science

Vale Tolpegin,Stacey Truex,Mehmet Emre Gursoy,Ling Liu

DOI: https://doi.org/10.1007/978-3-030-58951-6_24

2020-01-01

Abstract:Federated learning (FL) is an emerging paradigm for distributed training of large-scale deep neural networks in which participants’ data remains on their own devices with only model updates being shared with a central server. However, the distributed nature of FL gives rise to new threats caused by potentially malicious participants. In this paper, we study targeted data poisoning attacks against FL systems in which a malicious subset of the participants aim to poison the global model by sending model updates derived from mislabeled data. We first demonstrate that such data poisoning attacks can cause substantial drops in classification accuracy and recall, even with a small percentage of malicious participants. We additionally show that the attacks can be targeted, i.e., they have a large negative impact only on classes that are under attack. We also study attack longevity in early/late round training, the impact of malicious participant availability, and the relationships between the two. Finally, we propose a defense strategy that can help identify malicious participants in FL to circumvent poisoning attacks, and demonstrate its effectiveness.

Z. H. Qin,Shuiguang Deng,Xin Yan,Schahram Dustdar,Albert Y. Zomaya

DOI: https://doi.org/10.48550/arxiv.2205.10568

2022-01-01

Abstract:Federated learning (FL) is a promising technical support to the vision of ubiquitous artificial intelligence in the sixth generation (6G) wireless communication network. However, traditional FL heavily relies on a trusted centralized server. Besides, FL is vulnerable to poisoning attacks, and the global aggregation of model updates makes the private training data under the risk of being reconstructed. What's more, FL suffers from efficiency problem due to heavy communication cost. Although decentralized FL eliminates the problem of the central dependence of traditional FL, it makes other problems more serious. In this paper, we propose BlockDFL, an efficient fully peer-to-peer (P2P) framework for decentralized FL. It integrates gradient compression and our designed voting mechanism with blockchain to efficiently coordinate multiple peer participants without mutual trust to carry out decentralized FL, while preventing data from being reconstructed according to transmitted model updates. Extensive experiments conducted on two real-world datasets exhibit that BlockDFL obtains competitive accuracy compared to centralized FL and can defend against poisoning attacks while achieving efficiency and scalability. Especially when the proportion of malicious participants is as high as 40 percent, BlockDFL can still preserve the accuracy of FL, which outperforms existing fully decentralized FL frameworks.

Jiale Xie,Libo Feng,Fake Fang,Zehui Yuan,Xian Deng,Junhong Liu,Peng Wu,Zhuo Li

DOI: https://doi.org/10.1109/cscwd61410.2024.10580432

2024-01-01

Abstract:Federated Learning (FL) has become an ideal privacy-preserving learning technique that can train a global model in a collaborative manner while preserving the privacy of local data. Federated learning in the Industrial Internet of Things (IIoT) faces the threat of data poisoning attacks. In this paper, we propose a blockchain-based federated learning framework in IIOT, which can defend against poisoning attacks. Moreover, we propose a robust aggregation algorithm to eliminate poisoned local model from malicious participants during training. Experimental results demonstrate the efficacy of the blockchain-based federated learning framework. When tested on the CIFAR-10 and Fashion-MNIST datasets, the framework achieves higher accuracy compared to the Krum algorithm by 3.57% and 0.84%, respectively.

Xicong Shen,Ying Liu,Fu Li,Chunguang Li

DOI: https://doi.org/10.1109/jiot.2023.3288886

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) has attracted widespread attention in the Internet of Things domain recently. With FL, multiple distributed devices can cooperatively train a global model by transmitting model updates without disclosing the original data. However, the distributed nature of FL makes it vulnerable to data poisoning attacks. In practice, malicious clients can launch the label-flipping attack (LFA) by simply tampering with the labels of local data, thus causing the global model to misclassify the samples of a selected class as the target class. Although some defense mechanisms have been proposed, they rely on specific assumptions about data distribution, and their performance degrades significantly when the data on clients are non-IID. Besides, most existing methods require clients to upload model updates in plaintext so that the server can identify and remove the malicious updates. But, direct transmission of model updates may still reveal private information. Considering these issues, we develop a label-flipping-robust and privacy-preserving FL (LFR-PPFL) algorithm, which is applicable to both independent and identically distributed (IID) and non-IID data. We first propose a detection method based on temporal analysis on cosine similarity to distinguish malicious clients from benign clients. Then, we propose a privacy-preserving computation protocol based on homomorphic encryption to implement this detection method and perform federated aggregation while protecting the privacy of clients. Besides, a detailed theoretical analysis is given to demonstrate the privacy guarantee of the proposed protocol. Experimental results on real-world data sets show that the proposed algorithm can effectively defend against LFAs under various data distributions.

Jie Yang,Jun Zheng,Thar Baker,Shuai Tang,Yu-an Tan,Quanxin Zhang

DOI: https://doi.org/10.1111/exsy.13161

IF: 3.3

2023-01-01

Expert Systems

Abstract:Federated Learning (FL) is suitable for the application scenarios of distributed edge collaboration of the Internet of Things (IoT). It can provide data security and privacy, which is why it is widely used in the IoT applications such as Industrial IoT (IIoT). Latest research shows that the federated learning framework is vulnerable to poisoning attacks in the case of an active attack by the adversary. However, the existing backdoor attack methods are easy to be detected by the defence methods. To address this challenge, we focus on edge-cloud synergistic FL clean-label attacks. Unlike common backdoor attack, to ensure the attack's concealment, we add a small perturbation to realize the clean label attack by judging the cosine similarity between the gradient of the adversarial loss and the gradient of the normal training loss. In order to improve the attack success rate and robustness, the attack is implemented when the global model is about to converge. The experimental results verified that 1% of poisoned data could make an attack successful with a high probability. Our method maintains stealth while performing model poisoning attacks, and the average Peak Signal-to-Noise Ratio (PSNR) of poisoning images reaches over 30 dB, and the average Structural SIMilarity (SSIM) is close to 0.93. Most importantly, our attack method can bypass the Byzantine aggregation defence.

Gan Sun,Yang Cong,Jiahua Dong,Qiang Wang,Lingjuan Lyu,Ji Liu

DOI: https://doi.org/10.1109/jiot.2021.3128646

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Federated machine learning which enables resource-constrained node devices (e.g., Internet of Things (IoT) devices and smartphones) to establish a knowledge-shared model while keeping the raw data local, could provide privacy preservation, and economic benefit by designing an effective communication protocol. However, this communication protocol can be adopted by attackers to launch data poisoning attacks for different nodes, which has been shown as a big threat to most machine learning models. Therefore, we in this article intend to study the model vulnerability of federated machine learning, and even on IoT systems. To be specific, we here attempt to attacking a popular federated multitask learning framework, which uses a general multitask learning framework to handle statistical challenges in the federated learning setting. The problem of calculating optimal poisoning attacks on federated multitask learning is formulated as a bilevel program, which is adaptive to the arbitrary selection of target nodes and source attacking nodes. We then propose a novel systems-aware optimization method, called as attack on federated learning (AT2FL), to efficiently derive the implicit gradients for poisoned data, and further attain optimal attack strategies in the federated machine learning. This is an earlier work, to our knowledge, that explores attacking federated machine learning via data poisoning. Finally, experiments on several real-world data sets demonstrate that when the attackers directly poison the target nodes or indirectly poison the related nodes via using the communication protocol, the federated multitask learning model is sensitive to both poisoning attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Geming Xia,Jian Chen,Xinyi Huang,Chaodong Yu,Zhong Zhang

DOI: https://doi.org/10.1109/compsac57700.2023.00101

2023-01-01

Abstract:Federated learning allows participants to share models (gradients) rather than raw data to collaboratively train a global model, enhancing participants' privacy protection but making the global model more vulnerable to poisoning attacks. Poisoning attacks not only lead to the degradation of model performance but also cause a security risk. A mainstream defense strategy against poisoning attacks is that the server identifies malicious models by analyzing the models uploaded by participants. However, the attackers can use the models uploaded by the participants to recover their privacy data, leading to a privacy disclosure. Therefore, participants need to encrypt or perturb the models before uploading them so that all individuals, including the server, cannot access the model, which poses a great challenge for the defense against poisoning attacks. Moreover, many existing defense strategies against poisoning attacks only work well when the data distribution is non-independently and identically distributed. To address these issues, we propose a novel defense strategy for poisoning attacks of federated learning called FL-PTD, which can judge whether the global model is subjected to poisoning attacks without accessing the participant's local model. Besides, Our method incorporates a trust evaluation mechanism, which computes reputation scores based on the historical behavior of participants to identify malicious participants. Finally, we verify our proposed method on several real world datasets. The experimental results show that our method can effectively defend against poisoning attacks and accurately identify attackers without compromising the model's performance.

Jianrong Lu,Shengshan Hu,Wei Wan,Minghui Li,Leo Yu Zhang,Lulu Xue,Hai Jin

DOI: https://doi.org/10.1109/tifs.2024.3360869

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning (FL) allows clients at the edge to learn a shared global model without disclosing their private data. However, FL is susceptible to poisoning attacks, wherein an adversary injects tainted local models that ultimately corrupt the global model. Despite various defensive mechanisms having been developed to combat poisoning attacks, they all fall short of securing practical FL scenarios with heterogeneous and unbalanced data distribution. Moreover, the cutting-edge defenses currently at our disposal demand access to a proprietary dataset that closely mirrors the distribution of clients’ data, which runs counter to the fundamental principle of privacy protection in FL. It is still challenging to devise an effective defense approach that applies to practical FL. In this work, we strive to narrow the divide between FL defense and its practical use. We first present a general framework to comprehend the effect of poisoning attacks in FL when the training data is not independent and identically distributed (non-IID). We then HeteroFL, a novel FL scheme that incorporates four complementary defensive strategies. These tactics are implemented in succession to refine the aggregated model toward approaching the global optimum. Ultimately, we devise an adaptive attack specifically for HeteroFL, aimed at offering a more thorough evaluation of its robustness. Our extensive experiments over heterogeneous datasets and models show that HeteroFL surpasses all state-of-the-art defenses in thwarting various poisoning attacks, i.e., HeteroFL achieves global model accuracies comparable to the baseline, whereas other defenses suffer a significant accuracy reduction ranging from 34% to 79%.

Yuchen Tian,Weizhe Zhang,Andrew Simpson,Yang Liu,Zoe Lin Jiang

DOI: https://doi.org/10.1093/comjnl/bxab192

2023-01-01

Abstract:Federated learning (FL), a variant of distributed learning (DL), supports the training of a shared model without accessing private data from different sources. Despite its benefits with regard to privacy preservation, FL's distributed nature and privacy constraints make it vulnerable to data poisoning attacks. Existing defenses, primarily designed for DL, are typically not well adapted to FL. In this paper, we study such attacks and defenses. In doing so, we start from the perspective of DL and then give consideration to a real-world FL scenario, with the aim being to explore the requisites of a desirable defense in FL. Our study shows that (i) the batch size used in each training round affects the effectiveness of defenses in DL, (ii) the defenses investigated are somewhat effective and moderately influenced by batch size in FL settings and (iii) the non-IID data makes it more difficult to defend against data poisoning attacks in FL. Based on the findings, we discuss the key challenges and possible directions in defending against such attacks in FL. In addition, we propose detect and suppress the potential outliers(DSPO), a defense against data poisoning attacks in FL scenarios. Our results show that DSPO outperforms other defenses in several cases.

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Yandong Zheng,Rongxing Lu,Hui Li

DOI: https://doi.org/10.1109/tsc.2024.3377931

2024-01-01

Abstract:The ever-growing data scale and increasingly strict privacy restraint have recently drawn extensive attention to federated learning (FL) as a multi-party machine learning paradigm for achieving high-quality model construction without data collection. Nevertheless, uploading local models in FL can still be exploited by adversaries to infer participants' sensitive data. Furthermore, it is possible for malicious participants to manipulate the global model by submitting poisonous local models. To tackle these challenges, this paper proposes an efficient and privacy-preserving federated learning framework against poisoning adversaries, namely ELFL, which can ensure the confidentiality of local models while effectively resisting data poisoning attacks. Specifically, we first design a grouped secure aggregation algorithm, through which the aggregation server can compute the summations of local models inside logic groups but cannot see individual ones. Then, based on grouped aggregations, our poisoning defense mechanism could detect and quickly phase out malicious participants from training candidates. Moreover, the computational complexity of participants is independent of their total number, so it is suitable for large-scale scenes. Detailed security analysis demonstrates the security of ELFL. Experimental results show that ELFL could maintain a high accuracy against representative data poisoning attacks, and its computational and communication overhead is indeed low.

Liyan Shen,Zhenhan Ke,Jinqiao Shi,Xi Zhang,Yanwei Sun,Jiapeng Zhao,Xuebin Wang,Xiaojie Zhao

DOI: https://doi.org/10.1109/jiot.2023.3339638

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is a distributed machine learning paradigm in the Internet of Things (IoT), which allows multiple devices to collaboratively train models without leaking local data. In the open scenario of IoT, malicious devices can launch poisoning attacks to compromise the final model by submitting crafted gradients. Some previous studies defend against poisoning attacks by analyzing the statistical characteristics of plaintext gradients. However, plaintext gradients would expose private information to malicious FL devices or servers. To simultaneously resist poisoning attacks and preserve privacy, cryptography technology can be utilized to obfuscate the gradients in defense methods, but the private calculation of resisting poisoning attack methods will cause efficiency problems, especially imposing unaffordable overhead on resource-limited IoT devices. Therefore, resisting poisoning attacks efficiently while protecting privacy remains a challenge. This paper proposes a secure and privacy-enhanced FL (SPEFL) framework for efficient privacy-preserving and poisoning-resistant federated learning in IoT. We design an efficient secure computation protocol based on a three-server architecture to facilitate the cryptographic computation of large linear and complex nonlinear operators in the method against poisoning attacks. In SPEFL, most of the calculations are efficiently performed on the servers, which will not impose too much burden on resource-limited IoT devices. In addition, we design a security-enhanced verifiable protocol to detect the malicious behavior of the server and guarantee the correctness of FL aggregation results. Experimental and theoretical results demonstrate that SPEFL can efficiently complete FL training meanwhile guaranteeing the accuracy of the model.

Ehsan Nowroozi,Imran Haider,Rahim Taheri,Mauro Conti

2024-03-05

Abstract:Federated Learning (FL) is a machine learning (ML) approach that enables multiple decentralized devices or edge servers to collaboratively train a shared model without exchanging raw data. During the training and sharing of model updates between clients and servers, data and models are susceptible to different data-poisoning attacks.

Cryptography and Security,Artificial Intelligence,Computers and Society,Machine Learning,Networking and Internet Architecture

Jianhua Li,Lingjuan Lyu,Ximeng Liu,Xuyun Zhang,Xixiang Lyu

DOI: https://doi.org/10.1109/TII.2021.3088938

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Due to resource constraints and working surroundings, many IIoT nodes are easily hacked and turn into zombies from which to launch attacks. It is challenging to detect such networked zombies rooted behind the Internet for any individual defender. In this article, we combine federated learning (FL) and fog/edge computing to combat malicious codes. Our protocol trains a global optimized model based on distributed datasets of collaborators while removing the data and communication constraints. The FL-based detection protocol maximizes the values of distributed data samples, resulting in an accurate model timely. On top of the protocol, we place mitigation intelligence in a distributed and collaborative manner. Our approach improves accuracy, eliminates mitigation time, and enlarges attackers' expense within a defense alliance. Comprehensive evaluations confirm that the cost incurred is 2.7 times larger, the mitigation response time is 72% lower, and the accuracy is 47% higher on average. Besides, the protocol evaluation shows the detection accuracy is approximately 98% in the FL, which is almost the same as centralized training.

Xiaolong Xu,Haoyuan Li,Zheng Li,Xiaokang Zhou

DOI: https://doi.org/10.1109/tii.2022.3195896

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:With the increasing data scale in the Industrial Internet of Things, edge computing coordinated with machine learning is regarded as an effective way to raise the novel latency-sensitive services. To ensure the data privacy for frequent service access, federated learning (FL), as a privacy-preserving distributed framework, is integrated into edge computing, enabling user data invisible to the training process. However, sophisticated network attacks threaten deep learning (DL) models by data poison and malicious reasoning, making the DL-based system untrustworthy. To this end, a synergic data filtering method, named Safe, is proposed to deal with the poisoning attacks. Specifically, considering that the distributed support vector machine is at risk of being attacked due to its distribution and openness to communication, edge-cloud empowered FL framework is designed. Then, the alternating direction method of multipliers is deployed to detect attacked devices whose training processes will be interrupted. Moreover, due to the untrustworthiness of label data, the poisoned data in the attacked devices are figured out and filtered by clustering the trusted data with K -means clustering algorithm. Eventually, extensive experiment results proved that the Safe outperforms correlation methods in detection accuracy and trustworthiness.

Xiong Xiao,Zhuo Tang,Chuanying Li,Bin Xiao,Kenli Li

DOI: https://doi.org/10.1109/tii.2022.3172310

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:With the massive amounts of data generated by industrial Internet of Things (IIoT) devices at all moments, federated learning (FL) enables these distributed distrusted devices to collaborate to build machine learning model while maintaining data privacy. However, malicious participants still launch malicious attacks against the security vulnerabilities during model aggregation. This article is the first to propose Sybil-based collusion attacks (SCA) in the IIoT-FL system for the vulnerabilities mentioned above. The malicious participants use label flipping attacks to complete local poisoning training. Meanwhile, they can virtualize multiple Sybil nodes to make the local poisoning models aggregated with the greatest possibility during aggregation. They focus on making the joint model misclassify the selected attack class samples during the testing phase, while other nonattack classes kept the main task accuracy similar to the nonpoisoned state. Exhaustive experimental analysis demonstrates that our SCA has a superior performance on multiple aspects than the state-of-the-art.

Chong Yu,Zhenyu Meng,Wenmiao Zhang,Lei,Jianbing Ni,Kuan Zhang,Hai Zhao

DOI: https://doi.org/10.1109/tnnls.2024.3486028

IF: 14.255

2024-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:In distributed systems, data may partially overlap in sample and feature spaces, that is, horizontal and vertical data partitioning. By combining horizontal and vertical federated learning (FL), hybrid FL emerges as a promising solution to simultaneously deal with data overlapping in both sample and feature spaces. Due to its decentralized nature, hybrid FL is vulnerable to model poisoning attacks, where malicious devices corrupt the global model by sending crafted model updates to the server. Existing work usually analyzes the statistical characteristics of all updates to resist model poisoning attacks. However, training local models in hybrid FL requires additional communication and computation steps, increasing the detection cost. In addition, due to data diversity in hybrid FL, solutions based on the assumption that malicious models are distinct from honest models may incorrectly classify honest ones as malicious, resulting in low accuracy. To this end, we propose a secure and efficient hybrid FL against model poisoning attacks. Specifically, we first identify two attacks to define how attackers manipulate local models in a harmful yet covert way. Then, we analyze the execution time and energy consumption in hybrid FL. Based on the analysis, we formulate an optimization problem to minimize training costs while guaranteeing accuracy considering the effect of attacks. To solve the formulated problem, we transform it into a Markov decision process and model it as a multiagent reinforcement learning (MARL) problem. Then, we propose a malicious device detection (MDD) method based on MARL to select honest devices to participate in training and improve efficiency. In addition, we propose an alternative poisoned model detection (PMD) method considering model change consistency. This method aims to prevent poisoned models from being used in the model aggregation. Experimental results validate that under the random local model poisoning attack, the proposed MDD method can save over 50% training costs while guaranteeing accuracy. When facing the advanced adaptive local model poisoning (ALMP) attack, utilizing both the proposed MDD and PMD methods achieves the desired accuracy while reducing execution time and energy consumption.