Nowroozi, Ehsan ORCID: https://orcid.org/0000-0002-5714-8378, Haider, Imran, Taheri, Rahim and Conti, Mauro (2025) Federated learning under attack: exposing vulnerabilities through data poisoning attacks in computer networks. IEEE Transactions on Network and Service Management. ISSN 1932-4537 (Online) (doi:10.1109/TNSM.2025.3525554)

Preview

PDF (Author's Accepted Manuscript) 49321 NOWROOZI_Federated_Learning_Under_Attack_Exposing_Vulnerabilities_Through_Data_Poisoning_Attacks_in_Computer_Networks_(AAM)_2025.pdf - Accepted Version Download (2MB) | Preview

Abstract

Federated Learning is an approach that enables multiple devices to collectively train a shared model without sharing raw data, thereby preserving data privacy. However, federated learning systems are vulnerable to data-poisoning attacks during the training and updating stages. Three data-poisoning attacks—label flipping, feature poisoning, and VagueGAN—are tested on FL models across one out of ten clients using the CIC and UNSW datasets. For label flipping, we randomly modify labels of benign data; for feature poisoning, we alter highly influential features identified by the Random Forest technique; and for VagueGAN, we generate adversarial examples using Generative Adversarial Networks. Adversarial samples constitute a small portion of each dataset. In this study, we vary the percentages by which adversaries can modify datasets to observe their impact on the Client and Server sides. Experimental findings indicate that label flipping and VagueGAN attacks do not significantly affect server accuracy, as they are easily detectable by the Server. In contrast, feature poisoning attacks subtly undermine model performance while maintaining high accuracy and attack success rates, highlighting their subtlety and effectiveness. Therefore, feature poisoning attacks manipulate the server without causing a significant decrease in model accuracy, underscoring the vulnerability of federated learning systems to such sophisticated attacks. To mitigate these vulnerabilities, we explore a recent defensive approach known as Random Deep Feature Selection, which randomizes server features with varying sizes (e.g., 50 and 400) during training. This strategy has proven highly effective in minimizing the impact of such attacks, particularly on feature poisoning.

Item Type:	Article
Uncontrolled Keywords:	Federated learning, Causative attacks, Adversarial machine learning, Corrupted training sets, Cybersecurity, Data poisoning
Subjects:	Q Science > Q Science (General) Q Science > QA Mathematics Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Faculty / School / Research Centre / Research Group:	Faculty of Engineering & Science Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Last Modified:	09 Jan 2025 11:23
URI:	http://gala.gre.ac.uk/id/eprint/49321

Actions (login required)

View Item

Downloads