Detection and defense mechanism for poisoning attacks to federated learning

doi:10.11772/j.issn.1001-9081.2025020146

Journal of Computer Applications ›› 2026, Vol. 46 ›› Issue (2): 445-457.DOI: 10.11772/j.issn.1001-9081.2025020146

• Cyber security • Previous Articles

Detection and defense mechanism for poisoning attacks to federated learning

Qi ZHONG¹^,²^,³, Shufen ZHANG¹^,²^,³(), Zhenbo ZHANG¹^,²^,³, Yinlong JIAN¹^,²^,³, Zhongrui JING¹^,²^,³

^1.College of Sciences，North China University of Science and Technology，Tangshan Hebei 063210，China
^2.Hebei Province Key Laboratory of Data Science and Application （North China University of Science and Technology），Tangshan Hebei 063210，China
^3.Tangshan Key Laboratory of Data Science （North China University of Science and Technology），Tangshan Hebei 063210，China

Received:2025-02-17 Revised:2025-03-19 Accepted:2025-03-24 Online:2025-04-24 Published:2026-02-10
Contact: Shufen ZHANG
About author:ZHONG Qi， born in 1999， M. S. candidate. Her research interests include data security， privacy protection.
ZHANG Shufen， born in 1972， M. S.， professor. Her research interests include cloud computing， data security， privacy protection. Email:zhsf@ncst.edu.cn
ZHANG Zhenbo， born in 1999， M. S. candidate. His research interests include data security， privacy protection.
JIAN Yinlong， born in 2001， M. S. candidate. His research interests include data security， privacy protection.
JING Zhongrui， born in 2000， M. S. candidate. His research interests include data security， privacy protection.
Supported by:
National Natural Science Foundation of China(U20A20179)

面向联邦学习的投毒攻击检测与防御机制

钟琪¹^,²^,³, 张淑芬¹^,²^,³(), 张镇博¹^,²^,³, 菅银龙¹^,²^,³, 景忠瑞¹^,²^,³

^1.华北理工大学理学院，河北唐山 063210
^2.河北省数据科学与应用重点实验室（华北理工大学），河北唐山 063210
^3.唐山市数据科学重点实验室（华北理工大学），河北唐山 063210

通讯作者: 张淑芬
作者简介:钟琪（1999—），女，河北张家口人，硕士研究生，CCF会员，主要研究方向：数据安全、隐私保护
张淑芬（1972—），女，河北唐山人，教授，硕士，CCF高级会员，主要研究方向：云计算、数据安全、隐私保护 Email:zhsf@ncst.edu.cn
张镇博（1999—），男，山东济南人，硕士研究生，CCF会员，主要研究方向：数据安全、隐私保护
菅银龙（2001—），男，河南商丘人，硕士研究生，CCF会员，主要研究方向：数据安全、隐私保护
景忠瑞（2000—），男，山西临汾人，硕士研究生，CCF会员，主要研究方向：数据安全、隐私保护。
基金资助:
国家自然科学基金资助项目(U20A20179)

Abstract

Abstract:

In order to solve the problem that malicious clients in federated learning destroy the reliability of the global model by uploading malicious updates， a poisoning attack detection and defense algorithm for federated learning， FedDyna， was proposed. Firstly， an abnormal client detection scheme was designed to use the historical standard deviation of cosine similarity and Euclidean distance to detect abnormal updates preliminarily， and a multi-view model evaluation mechanism was combined to further detect suspicious clients. Then， an adaptive adjustment strategy was proposed to reduce the participation weights of abnormal clients gradually according to the weight adjustment factor until the malicious updates were removed from the model training process. The defense performance of FedDyna in different attack scenarios was evaluated on the EMNIST and CIFAR-10 datasets， and the algorithm was compared with the existing advanced defense algorithms. Experimental results show that， under the condition of a fixed attack frequency， a comparison of the effectiveness between the FedDyna algorithm and the Scope algorithm is conducted： When faced with three attack types， namely Projected Gradient Descent （PGD）， Model Replacement （MR）， and PGD+MR， FedDyna achieves the best results， reducing the Attack Success Rate （ASR） by 1.07 and 0.53， 1.49 and 1.45， 10.55 and 1.25 percentage points respectively； Under the EMNIST dataset subjected to Cosine Constraint Attack （CCA）， although FedDyna experiences a slight decrease in ASR， it still achieves the second-best results. Additionally， when evaluated against comparison algorithms in different attacker pools， FedDyna’s ASR performs optimally under most conditions and ranks second-best under the remaining conditions. Notably， in scenarios with varying attack intensities， FedDyna achieves an impressive average global Model Accuracy （MA） of up to 98.5%. It can be seen that FedDyna has shown significant robustness against poisoning attacks in different attack scenarios and can detect and eliminate poisoning models effectively.

Key words: federated learning, poisoning attack, anomaly detection, multi-view model evaluation, adaptive adjustment

摘要：

为了解决联邦学习中恶意客户端通过上传恶意更新破坏全局模型可靠性的问题，提出一种面向联邦学习的投毒攻击检测与防御算法FedDyna。首先，设计一种异常客户端检测方案，利用余弦相似度与欧几里得距离的历史标准差初步检测异常更新，并结合多视角模型评估机制进一步检测可疑的客户端；其次，提出一种自适应调整策略，根据权重调整因子逐步降低被判定为异常客户端的参与权重，直至将恶意更新从模型训练过程中剔除。在EMNIST和CIFAR-10数据集上评估FedDyna在不同攻击场景下的防御性能，并与现有的先进防御算法进行对比。实验结果表明，在固定攻击频率的条件下，将FedDyna算法与Scope算法进行效果对比：面对投影梯度下降（PGD）、模型替换（MR）以及PGD+MR这3种攻击方式，FedDyna均取得了最优效果，攻击成功率（ASR）分别降低了1.07和0.53、1.49和1.45、10.55和1.25个百分点；在余弦约束攻击（CCA）攻击的EMNIST数据集下，FedDyna的ASR虽略有下降，但仍取得了次优结果。此外，当在不同攻击者池中与对比算法进行效果评估时，FedDyna的ASR在多数条件下表现最优，其余条件下也处于次优水平。尤为突出的是，在不同攻击强度的场景下，FedDyna的平均全局模型准确率（MA）高达98.5%。可见，FedDyna在不同攻击场景下表现出显著的抗投毒攻击稳健性，且能够有效检测并剔除投毒模型。

关键词: 联邦学习, 投毒攻击, 异常检测, 多视角模型评估, 自适应调整

CLC Number:

TP309.2

Qi ZHONG, Shufen ZHANG, Zhenbo ZHANG, Yinlong JIAN, Zhongrui JING. Detection and defense mechanism for poisoning attacks to federated learning[J]. Journal of Computer Applications, 2026, 46(2): 445-457.

钟琪, 张淑芬, 张镇博, 菅银龙, 景忠瑞. 面向联邦学习的投毒攻击检测与防御机制[J]. 《计算机应用》唯一官方网站, 2026, 46(2): 445-457.

Figures/Tables 18

Fig. 1 Targeted and untargeted poisoning attacks

Fig. 2 Detection and defense flow of FedDyna

Tab. 1 Main symbols

参数	含义
$N$	客户端总数
$G t$	模型更新梯度集合
$T 0$	历史迭代窗口大小
$T$	总迭代轮次
$σ c o s (g T 0 - 1, g i T 0)$	前 $T 0$ 轮内余弦相似度的标准差
$σ L 2 (g T 0 - 1, g i T 0)$	前 $T 0$ 轮内L2范数的标准差
$g i t$	第 $t$ 轮时第 $i$ 个客户端的模型梯度
$S i t$	第 $t$ 轮时第 $i$ 个客户端的偏离评分
$ω i t$	第 $t$ 轮时第 $i$ 个客户端的权重
$μ t$	第 $t$ 轮偏离评分的均值
$σ t$	第 $t$ 轮偏离评分的标准差
$∀ c o s (g t - 1, g i t)$	余弦梯度偏差
$∀ L 2 (g t - 1, g i t)$	L2范数梯度偏差
$δ$	权重调整因子
$γ 1, γ 2$	权重衰减系数

Tab. 1 Main symbols

参数	含义
$N$	客户端总数
$G t$	模型更新梯度集合
$T 0$	历史迭代窗口大小
$T$	总迭代轮次
$σ c o s (g T 0 - 1, g i T 0)$	前 $T 0$ 轮内余弦相似度的标准差
$σ L 2 (g T 0 - 1, g i T 0)$	前 $T 0$ 轮内L2范数的标准差
$g i t$	第 $t$ 轮时第 $i$ 个客户端的模型梯度
$S i t$	第 $t$ 轮时第 $i$ 个客户端的偏离评分
$ω i t$	第 $t$ 轮时第 $i$ 个客户端的权重
$μ t$	第 $t$ 轮偏离评分的均值
$σ t$	第 $t$ 轮偏离评分的标准差
$∀ c o s (g t - 1, g i t)$	余弦梯度偏差
$∀ L 2 (g t - 1, g i t)$	L2范数梯度偏差
$δ$	权重调整因子
$γ 1, γ 2$	权重衰减系数

Fig. 3 MA of different defense schemes on different datasets in attack-free environment

Tab. 2 Comparison of ASR of different defense schemes on EMNIST and CIFAR-10 datasets

防御方案	EMNIST				CIFAR-10
防御方案	PGD	MR	CCA	PGD+MR	PGD	MR	CCA	PGD+MR
No-Defense	90.48	100.00	100.00	100.00	100.00	100.00	100.00	100.00
Multi-metrics	2.40	4.55	23.10	7.05	1.34	2.22	46.56	8.02
Multi-Krum	12.36	12.00	10.00	30.16	18.89	1.67	34.19	56.44
RFA	4.31	6.00	100.00	23.00	59.71	26.33	47.75	60.43
FL-Defender	90.58	89.14	100.00	91.35	7.56	15.91	65.72	20.72
Scope	2.05	2.85	3.30	13.90	1.36	1.78	4.34	2.03
FedDyna	0.98	1.36	4.87	3.35	0.83	0.33	3.93	0.78

Fig. 4 MA of different defense schemes on EMNIST dataset

Fig. 5 MA of different defense schemes on CIFAR-10 dataset

Tab. 3 Defense performance of different defense schemes on EMNIST dataset with different attacker pools

防御方案	attacker pool为10		attacker pool为25		attacker pool为40		attacker pool为55
防御方案	MA	ASR	MA	ASR	MA	ASR	MA	ASR
No-Defense	98.20	100.00	97.67	100.00	97.60	100.00	94.86	100.00
Multi-metrics	97.74	14.00	97.81	14.05	97.93	19.90	97.39	20.35
Multi-Krum	98.15	11.00	98.09	13.60	98.07	13.00	98.16	13.95
RFA	97.32	100.00	97.22	100.00	96.77	100.00	96.37	100.00
FL-Defender	98.11	100.00	97.68	100.00	97.21	100.00	96.66	100.00
Scope	98.13	13.50	97.69	15.65	95.50	12.88	94.80	28.54
FedDyna	98.40	11.30	98.11	13.15	98.14	8.55	98.13	11.55

Tab. 4 Defense performance of different defense schemes on CIFAR-10 dataset with different attacker pools

防御方案	attacker pool为10		attacker pool为25		attacker pool为40		attacker pool为55
防御方案	MA	ASR	MA	ASR	MA	ASR	MA	ASR
No-Defense	86.15	100.00	84.89	100.00	84.61	100.00	81.56	100.00
Multi-metrics	85.06	15.22	83.43	3.58	82.22	60.64	82.86	74.36
Multi-Krum	84.56	1.50	83.55	2.08	83.67	2.06	83.62	68.14
RFA	83.36	10.81	83.65	65.17	82.57	68.03	82.13	69.42
FL-Defender	85.90	20.22	83.82	36.03	83.82	59.22	82.57	68.03
Scope	85.43	1.14	83.88	2.47	83.64	22.91	83.24	26.65
FedDyna	86.31	0.47	84.61	1.56	84.70	1.23	84.45	0.94

Fig. 6 MA of different defense schemes on EMNIST dataset with different attacker pools

Fig. 7 MA performance of different defense schemes on CIFAR-10 dataset with different attacker pools

Fig. 8 Defense performance of different defense schemes under PGD attack

Fig. 9 Defense performance of different defense schemes under MR attack

Fig. 10 Defense performance of different defense schemes under CCA attack

Fig. 11 Defense performance of different defense schemes under PGD+MR attack

Fig. 12 Comparison of computational overhead of different schemes

Tab. 5 Results of ablation experiments

消融方案	EMNIST		CIFAR-10
消融方案	MA	ASR	MA	ASR
A	98.13	100.00	84.59	100.00
B	98.14	39.40	85.87	13.55
C	98.20	14.24	86.17	9.72
D	98.31	41.00	85.13	37.50
E	99.16	3.35	86.32	0.49

Fig. 13 Comparison of model accuracy with different parameter values

References 37

[1]	BARTLETT M. Beyond privacy： protecting data interests in the age of artificial intelligence［J］. Law， Technology and Humans， 2021， 3（1）： 96-108.
[2]	LI J， GUO W， HAN X， et al. Federated learning based on defending against data poisoning attacks in IoT［EB/OL］. ［2024-10-25］..
[3]	McMAHAN H B， MOORE E， RAMAGE D， et al. Communication-efficient learning of deep networks from decentralized data［C］// Proceedings of the 20th International Conference on Artificial Intelligence and Statistics. New York： JMLR.org， 2017： 1273-1282.
[4]	LI L， FAN Y， TSE M， et al. A review of applications in federated learning［J］. Computers and Industrial Engineering， 2020， 149： No.106854.
[5]	陈学斌，屈昌盛. 面向联邦学习的后门攻击与防御综述［J］. 计算机应用， 2024， 44（11）： 3459-3469.
	CHEN X B， QU C S. Overview of backdoor attacks and defenses in federated learning［J］. Journal of Computer Applications， 2024， 44（11）： 3459-3469.
[6]	GONG X， CHEN Y， WANG Q， et al. Backdoor attacks and defenses in federated learning： state-of-the-art， taxonomy， and future directions［J］. IEEE Wireless Communications， 2023， 30（2）： 114-121.
[7]	XIA G， CHEN J， YU C， et al. Poisoning attacks in federated learning： a survey［J］. IEEE Access， 2023， 11： 10708-10722.
[8]	MA C， CHEN L， YONG J H. Simulating unknown target models for query-efficient black-box attacks［C］// Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2021： 11830-11839.
[9]	BAGDASARYAN E， VEIT A， HUA Y， et al. How to backdoor federated learning［C］// Proceedings of the 23rd International Conference on Artificial Intelligence and Statistics. New York： JMLR.org， 2020： 2938-2948.
[10]	NGUYEN T D， NGUYEN T， LE NGUYEN P， et al. Backdoor attacks and defenses in federated learning： survey， challenges and future research directions［J］. Engineering Applications of Artificial Intelligence， 2024， 127（Pt A）： No.107166.
[11]	CHEN H， CHEN X， PENG L， et al. FLRAM： robust aggregation technique for defense against byzantine poisoning attacks in federated learning［J］. Electronics， 2023， 12（21）： No.4463.
[12]	XU S， XIA H， ZHANG R， et al. FedNor： a robust training framework for federated learning based on normal aggregation［J］. Information Sciences， 2024， 684： No.121274.
[13]	ZHANG C， YANG S， MAO L， et al. Anomaly detection and defense techniques in federated learning： a comprehensive review［J］. Artificial Intelligence Review， 2024， 57（6）： No.150.
[14]	WANG Z， MA J， WANG X， et al. Threats to training： a survey of poisoning attacks and defenses on machine learning systems［J］. ACM Computing Surveys， 2022， 55（7）： No.134.
[15]	YIN D， CHEN Y， RAMCHANDRAN K， et al. Byzantine-robust distributed learning： towards optimal statistical rates［C］// Proceedings of the 35th International Conference on Machine Learning. New York： JMLR.org， 2018： 5650-5659.
[16]	XU J， GLICKSBERG B S， SU C， et al. Federated learning for healthcare informatics［J］. Journal of Healthcare Informatics Research， 2021， 5（1）： 1-19.
[17]	MOSHAWRAB M， ADDA M， BOUZOUANE A， et al. Reviewing federated learning aggregation algorithms； strategies， contributions， limitations and future perspectives［J］. Electronics， 2023， 12（10）： No.2287.
[18]	TOLPEGIN V， TRUEX S， GURSOY M E， et al. Data poisoning attacks against federated learning systems［C］// Proceedings of the 2020 European Symposium on Research in Computer Security， LNCS 12308. Cham： Springer， 2020： 480-501.
[19]	JAGIELSKI M， OPREA A， BIGGIO B， et al. Manipulating machine learning： poisoning attacks and countermeasures for regression learning［C］// Proceedings of the 2018 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2018： 19-35.
[20]	LIANG J， WANG R， FENG C， et al. A survey on federated learning poisoning attacks and defenses［EB/OL］. ［2024-10-28］..
[21]	KUMAR K N， MOHAN C K， MACHIRY A. Precision guided approach to mitigate data poisoning attacks in federated learning［C］// Proceedings of the 14th ACM Conference on Data and Application Security and Privacy. New York： ACM， 2024： 233-244.
[22]	SUN G， CONG Y， DONG J， et al. Data poisoning attacks on federated machine learning［J］. IEEE Internet of Things Journal， 2022， 9（13）： 11365-11375.
[23]	ALHARBI E， MARCOLINO L S， GOUGLIDIS A， et al. Robust federated learning method against data and model poisoning attacks with heterogeneous data distribution［C］// Proceedings of the 26th European Conference on Artificial Intelligence/12th Conference on Prestigious Applications of Intelligent Systems. Amsterdam： IOS Press， 2023： 85-92.
[24]	CAO X， GONG N Z. MPAF： model poisoning attacks to federated learning based on fake clients［C］// Proceedings of the 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2022： 3395-3403.
[25]	陈学斌，任志强，张宏扬. 联邦学习中的安全威胁与防御措施综述［J］ . 计算机应用， 2024， 44（6）： 1663-1672.
	CHEN X B， REN Z Q， ZHANG H Y. Review on security threats and defense measures in federated learning［J］. Journal of Computer Applications， 2024， 44（6）： 1663-1672.
[26]	SUN J， LI A， DiVALENTIN L， et al. FL-WBC： enhancing robustness against model poisoning attacks in federated learning from a client perspective［C］// Proceedings of the 35th International Conference on Neural Information Processing Systems. Red Hook： Curran Associates Inc.， 2021： 12613-12624.
[27]	SUN S， SUGRIM S， STAVROU A， et al. Partner in crime： boosting targeted poisoning attacks against federated learning［J］. IEEE Transactions on Information Forensics and Security， 2025， 20： 4152-4166.
[28]	LIU T， ZHANG Y， FENG Z， et al. Beyond traditional threats： a persistent backdoor attack on federated learning［C］// Proceedings of the 38th AAAI Conference on Artificial Intelligence. Palo Alto： AAAI Press， 2024： 21359-21367.
[29]	WANG H， SREENIVASAN K， RAJPUT S， et al. Attack of the tails： yes， you really can backdoor federated learning［C］// Proceedings of the 34th International Conference on Neural Information Processing Systems. Red Hook： Curran Associates Inc.， 2020： 16070-16084.
[30]	HUANG S， LI Y， YAN X， et al. Scope： on detecting constrained backdoor attacks in federated learning［J］. IEEE Transactions on Information Forensics and Security， 2025， 20： 3302-3315.
[31]	WU J， JIN J， WU C. Challenges and countermeasures of federated learning data poisoning attack situation prediction［J］. Mathematics， 2024， 12（6）： No.901.
[32]	BLANCHARD P， MHAMDI E M EL， GUERRAOUI R， et al. Machine learning with adversaries： Byzantine tolerant gradient descent［C］// Proceedings of the 31st International Conference on Neural Information Processing Systems. Red Hook： Curran Associates Inc.， 2017： 118-128.
[33]	ZHANG G， LIU H， YANG B， et al. DWAMA： dynamic weight-adjusted Mahalanobis defense algorithm for mitigating poisoning attacks in federated learning［J］. Peer-to-Peer Networking and Applications， 2024， 17（6）： 3750-3764.
[34]	HUANG S， LI Y， CHEN C， et al. Multi-metrics adaptively identifies backdoors in federated learning［C］// Proceedings of the 2023 IEEE/CVF International Conference on Computer Vision. Piscataway： IEEE， 2023： 4629-4639.
[35]	JEBREEL N M， DOMINGO-FERRER J. FL-Defender： combating targeted attacks in federated learning［J］. Knowledge-Based Systems， 2023， 260： No.110178.
[36]	PILLUTLA K， KAKADE S M， HARCHAOUI Z. Robust aggregation for federated learning［J］. IEEE Transactions on Signal Processing， 2022， 70： 1142-1154.
[37]	LIU J， LI X， LIU X， et al. DefendFL： a privacy-preserving federated learning scheme against poisoning attacks［J］. IEEE Transactions on Neural Networks and Learning Systems， 2025， 36（5）： 9098-9111.

Detection and defense mechanism for poisoning attacks to federated learning

面向联邦学习的投毒攻击检测与防御机制

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 18

References 37

Related Articles 15

Recommended Articles

Metrics

[1]	Kejia ZHANG, Zhijun FANG, Nanrun ZHOU, Zhicai SHI. Personalized federated learning method based on model pre-assignment and self-distillation [J]. Journal of Computer Applications, 2026, 46(1): 10-20.
[2]	Hao YU, Jing FAN, Yihang SUN, Yadong JIN, Enkang XI, Hua DONG. Federated split learning optimization method under edge heterogeneity [J]. Journal of Computer Applications, 2026, 46(1): 33-42.
[3]	Yinlong JIAN, Xuebin CHEN, Zhongrui JING, Qi ZHONG, Zhenbo ZHANG. Data augmentation scheme based on conditional generative adversarial network in federated learning [J]. Journal of Computer Applications, 2026, 46(1): 21-32.
[4]	Hao YU, Jing FAN, Yihang SUN, Hua DONG, Enkang XI. Survey of statistical heterogeneity in federated learning [J]. Journal of Computer Applications, 2025, 45(9): 2737-2746.
[5]	Jintao SU, Lina GE, Liguang XIAO, Jing ZOU, Zhe WANG. Detection and defense scheme for backdoor attacks in federated learning [J]. Journal of Computer Applications, 2025, 45(8): 2399-2408.
[6]	Lina GE, Mingyu WANG, Lei TIAN. Review of research on efficiency of federated learning [J]. Journal of Computer Applications, 2025, 45(8): 2387-2398.
[7]	Hongyang ZHANG, Shufen ZHANG, Zheng GU. Federated learning algorithm for personalization and fairness [J]. Journal of Computer Applications, 2025, 45(7): 2123-2131.
[8]	Longbo YAN, Wentao MAO, Zhihong ZHONG, Lilin FAN. Robust unsupervised multi-task anomaly detection method for defect diagnosis of urban drainage pipe network [J]. Journal of Computer Applications, 2025, 45(6): 1833-1840.
[9]	Wenpeng WANG, Yinchang QIN, Wenxuan SHI. Review of unsupervised deep learning methods for industrial defect detection [J]. Journal of Computer Applications, 2025, 45(5): 1658-1670.
[10]	Zihe CHEN, Bin CHEN. Unsupervised point cloud anomaly detection based on multi-representation fusion [J]. Journal of Computer Applications, 2025, 45(5): 1677-1685.
[11]	Yazhou FAN, Zhuo LI. Node collaboration mechanism for quality optimization of hierarchical federated learning models under energy consumption constraints [J]. Journal of Computer Applications, 2025, 45(5): 1589-1594.
[12]	Yiming ZHANG, Tengfei CAO. Federated learning optimization algorithm based on local drift and diversity computing power [J]. Journal of Computer Applications, 2025, 45(5): 1447-1454.
[13]	Yufei XIANG, Zhengwei NI. Edge federation dynamic analysis for hierarchical federated learning based on evolutionary game [J]. Journal of Computer Applications, 2025, 45(4): 1077-1085.
[14]	Lihu PAN, Shouxin PENG, Rui ZHANG, Zhiyang XUE, Xuzhen MAO. Video anomaly detection for moving foreground regions [J]. Journal of Computer Applications, 2025, 45(4): 1300-1309.
[15]	Qingli CHEN, Yuanbo GUO, Chen FANG. Clustering federated learning algorithm for heterogeneous data [J]. Journal of Computer Applications, 2025, 45(4): 1086-1094.