Detection and Mitigation of Label Flipping Attacks on Compressed and Private Models in Federated Learning
Abstract
This paper proposes a technique to detect malicious clients performing label-flipping attacks while training compressed and privacy-preserving Federated Learning (FL) models through the application of differential privacy. The goal is identifying malicious clients manipulating data labels, even when local models are compressed and privacy-protected. The proposed technique uses the weight vector of the last activation layer of the neural network to detect these clients, preserving data privacy. We evaluated the proposal on different datasets, such as MNIST and Fashion-MNIST, using the MininetFed emulator. The proposed technique was able to detect and neutralize even when the network was made up of 40% malicious clients.
Keywords:
Federated Learning, Compression, Attack Detection, Security
References
Aloran, I. (2024). Defending federated learning against model poisoning attacks. Master’s thesis, University of Windsor. Electronic Theses and Dissertations, 9458.
Bastos, J., Sarmento, E., Villaça, R., and Mota, V. (2024). Mininetfed: Uma ferramenta para emulação e análise de aprendizado federado com dispositivos heterogêneos. In Anais Estendidos do XLII SBRC, Porto Alegre, RS, Brasil. SBC.
Dehghani, M., and Yazdanparast, Z. (2023). From distributed machine to distributed deep learning: A comprehensive survey. Journal of Big Data, 10(1), 158.
Dwork, C. (2006). Differential privacy. In M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener (Eds.), Automata, Languages and Programming (pp. 1–12). Berlin, Heidelberg: Springer Berlin Heidelberg.
Elmahfoud, E., Hajla, S. E., Maleh, Y., Mounir, S., and Ouazzane, K. (2024). Label flipping attacks in hierarchical federated learning for intrusion detection in IoT. Information Security Journal: A Global Perspective.
He, X., Xu, Y., Zhang, S., Xu, W., and Yan, J. (2024). Enhance membership inference attacks in federated learning. Computers & Security, 136, 103535.
Iglewicz, B., and Hoaglin, D. C. (1993). How to detect and handle outliers (Vol. 16). American Society for Quality Control.
Jebreel, N. M., Domingo-Ferrer, J., Blanco-Justicia, A., and Sánchez, D. (2024a). Enhanced security and privacy via fragmented federated learning. IEEE Transactions on Neural Networks and Learning Systems, 35(5), 6703–6717.
Jebreel, N. M., Domingo-Ferrer, J., Sánchez, D., and Blanco-Justicia, A. (2024b). Lfighter: Defending against the label-flipping attack in federated learning. Neural Networks, 170, 111–126.
Jiang, Y., Zhang, W., and Chen, Y. (2023). Data quality detection mechanism against label flipping attacks in federated learning. IEEE Transactions on Information Forensics and Security, 18, 1625–1637.
Kolasa, D., Pilch, K., and Mazurczyk, W. (2024). Federated learning secure model: A framework for malicious clients detection. SoftwareX, 27, 101765.
LeCun, Y., et al. (1998). Gradient-based learning applied to document recognition. Proceedings of the IEEE, 86(11), 2278–2324.
Li, D., Wong, W. E., Wang, W., Yao, Y., and Chau, M. (2021). Detection and mitigation of label-flipping attacks in federated learning systems with KPCA and K-means. In 2021 8th International Conference on Dependable Systems and Applications (DSA) (pp. 551–559). IEEE.
Li, Y., Chen, H., Bao, W., Xu, Z., and Yuan, D. (2023). Honest score client selection scheme: Preventing federated learning label flipping attacks in non-IID scenarios.
Manzoor, H. U., Shabbir, A., Chen, A., Flynn, D., and Zoha, A. (2024). A survey of security strategies in federated learning: Defending models, data, and privacy. Future Internet, 16(10).
McMahan, H. B., et al. (2016). Communication-efficient learning of deep networks from decentralized data. In International Conference on Artificial Intelligence and Statistics.
Sarmento, E., Mota, V., and Villaça, R. (2024). Privacidade e comunicação eficiente em aprendizado federado: Uma abordagem utilizando estruturas de dados probabilísticas e seleção de clientes. In Anais do XLII SBRC (pp. 85–98), Porto Alegre, RS, Brasil. SBC.
Shen, X., Liu, Y., Li, F., and Li, C. (2024). Privacy-preserving federated learning against label-flipping attacks on non-IID data. IEEE Internet of Things Journal, 11(1).
Tolpegin, V., Truex, S., Gursoy, M. E., and Liu, L. (2020). Data poisoning attacks against federated learning systems. In ESORICs 2020: 25th European Symposium on Research in Computer Security (pp. 480–501). Springer.
Upreti, D., Kim, H., Yang, E., and Seo, C. (2024). Defending against label-flipping attacks in federated learning systems using uniform manifold approximation and projection. IAES International Journal of Artificial Intelligence (IJ-AI), 13(1), 459–466.
Bastos, J., Sarmento, E., Villaça, R., and Mota, V. (2024). Mininetfed: Uma ferramenta para emulação e análise de aprendizado federado com dispositivos heterogêneos. In Anais Estendidos do XLII SBRC, Porto Alegre, RS, Brasil. SBC.
Dehghani, M., and Yazdanparast, Z. (2023). From distributed machine to distributed deep learning: A comprehensive survey. Journal of Big Data, 10(1), 158.
Dwork, C. (2006). Differential privacy. In M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener (Eds.), Automata, Languages and Programming (pp. 1–12). Berlin, Heidelberg: Springer Berlin Heidelberg.
Elmahfoud, E., Hajla, S. E., Maleh, Y., Mounir, S., and Ouazzane, K. (2024). Label flipping attacks in hierarchical federated learning for intrusion detection in IoT. Information Security Journal: A Global Perspective.
He, X., Xu, Y., Zhang, S., Xu, W., and Yan, J. (2024). Enhance membership inference attacks in federated learning. Computers & Security, 136, 103535.
Iglewicz, B., and Hoaglin, D. C. (1993). How to detect and handle outliers (Vol. 16). American Society for Quality Control.
Jebreel, N. M., Domingo-Ferrer, J., Blanco-Justicia, A., and Sánchez, D. (2024a). Enhanced security and privacy via fragmented federated learning. IEEE Transactions on Neural Networks and Learning Systems, 35(5), 6703–6717.
Jebreel, N. M., Domingo-Ferrer, J., Sánchez, D., and Blanco-Justicia, A. (2024b). Lfighter: Defending against the label-flipping attack in federated learning. Neural Networks, 170, 111–126.
Jiang, Y., Zhang, W., and Chen, Y. (2023). Data quality detection mechanism against label flipping attacks in federated learning. IEEE Transactions on Information Forensics and Security, 18, 1625–1637.
Kolasa, D., Pilch, K., and Mazurczyk, W. (2024). Federated learning secure model: A framework for malicious clients detection. SoftwareX, 27, 101765.
LeCun, Y., et al. (1998). Gradient-based learning applied to document recognition. Proceedings of the IEEE, 86(11), 2278–2324.
Li, D., Wong, W. E., Wang, W., Yao, Y., and Chau, M. (2021). Detection and mitigation of label-flipping attacks in federated learning systems with KPCA and K-means. In 2021 8th International Conference on Dependable Systems and Applications (DSA) (pp. 551–559). IEEE.
Li, Y., Chen, H., Bao, W., Xu, Z., and Yuan, D. (2023). Honest score client selection scheme: Preventing federated learning label flipping attacks in non-IID scenarios.
Manzoor, H. U., Shabbir, A., Chen, A., Flynn, D., and Zoha, A. (2024). A survey of security strategies in federated learning: Defending models, data, and privacy. Future Internet, 16(10).
McMahan, H. B., et al. (2016). Communication-efficient learning of deep networks from decentralized data. In International Conference on Artificial Intelligence and Statistics.
Sarmento, E., Mota, V., and Villaça, R. (2024). Privacidade e comunicação eficiente em aprendizado federado: Uma abordagem utilizando estruturas de dados probabilísticas e seleção de clientes. In Anais do XLII SBRC (pp. 85–98), Porto Alegre, RS, Brasil. SBC.
Shen, X., Liu, Y., Li, F., and Li, C. (2024). Privacy-preserving federated learning against label-flipping attacks on non-IID data. IEEE Internet of Things Journal, 11(1).
Tolpegin, V., Truex, S., Gursoy, M. E., and Liu, L. (2020). Data poisoning attacks against federated learning systems. In ESORICs 2020: 25th European Symposium on Research in Computer Security (pp. 480–501). Springer.
Upreti, D., Kim, H., Yang, E., and Seo, C. (2024). Defending against label-flipping attacks in federated learning systems using uniform manifold approximation and projection. IAES International Journal of Artificial Intelligence (IJ-AI), 13(1), 459–466.
Published
2025-05-19
How to Cite
C. BATISTA, João Pedro; SCHMITZ BASTOS, Johann J.; DOS REIS FONTES, Ramon; CERQUEIRA, Eduardo; F. S. MOTA, Vinícius; S. VILLAÇA, Rodolfo.
Detection and Mitigation of Label Flipping Attacks on Compressed and Private Models in Federated Learning. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 43. , 2025, Natal/RN.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 322-335.
ISSN 2177-9384.
DOI: https://doi.org/10.5753/sbrc.2025.5915.
