Federated Learning Against Dynamic Mixed Poisoning Attack and Defense
摘要
Federated learning has gained widespread attention for its privacy protection and distributed training characteristics, but it is vulnerable to model poisoning attacks. Existing model poisoning attacks often rely on the local model parameters or training data of real clients and are significantly less effective when the server deploys a defense strategy. To address this, we propose a new model poisoning attack, Dynamic Mixed Poisoning Attack (DMPA), which improves the stealthiness of the attack by mixing benign and malicious model updates and dynamically adjusting the size of malicious updates. In addition, DMPA employs the strategy of injecting fake clients to launch the attack in a minimal-knowledge scenario to overcome the limitation of requiring real client information. We further propose a new defense, Median-Norm Credibility Defense (MNCD). MNCD normalizes the magnitudes of uploaded model updates and calculates credibility by comparing each model update’s similarity to the global optimization direction from the previous round, determining aggregation weights. Experimental results show that DMPA bypasses the baseline defense and outperforms the baseline poisoning attack. Compared with the baseline defense, MNCD can effectively resist DMPA and other baseline poisoning attacks. When the fraction of fake clients does not exceed 45%, MNCD maintains strong robustness.