Robust Federated Learning Method Against Data and Model Poisoning Attacks with Heterogeneous Data Distribution
Ebtisaam Alharbi a,b,*, Leandro Soriano Marcolino a, Antonios Gouglidis a and Qiang Ni a
a School of Computing and Communications, Lancaster University, United Kingdom
b Department of Computer Science, Umm Al-Qura University, Saudi Arabia
ORCiD ID: Ebtisaam Alharbi https://orcid.org/0000-0002-3969-3209, Leandro Soriano Marcolino https://orcid.org/0000-0002-3337-8611, Antonios Gouglidis https://orcid.org/0000-0002-4702-3942, Qiang Ni https://orcid.org/0000-0002-4593-1656
Abstract. Federated Learning (FL) is essential for building global models across distributed environments. However, it is significantly vulnerable to data and model poisoning attacks that can critically compromise the accuracy and reliability of the global model. These vulnerabilities become more pronounced in heterogeneous environments, where clients’ data distributions vary broadly, creating a challenging setting for maintaining model integrity. Furthermore, malicious attacks can exploit this heterogeneity, manipulating the learning process to degrade the model or even induce it to learn incorrect patterns. In response to these challenges, we introduce RFCL, a novel Robust Federated aggregation method that leverages CLustering and cosine similarity to select similar cluster models, effectively defending against data and model poisoning attacks even amidst high data heterogeneity. Our experiments assess RFCL’s performance against various attacker numbers and Non-IID degrees. The findings reveal that RFCL outperforms existing robust aggregation methods and demonstrates the capability to defend against multiple attack types.
1 Introduction
Federated learning (FL) [15] is a recent collaborative machine learning framework trained by widely distributed clients. In FL, clients train model updates based on local training data and the updated global model and then send these updates to the server. The server aggregates them to create a new global model, which is then sent back to the clients for the next training round. Since the training is distributed across several clients and conducted in parallel, FL provides efficiency and scalability [4]. FL allows for sharing learning models while preserving the privacy of the clients’ data [10].
Although FL can aggregate heterogeneous data across many clients to train a global model, it is a vulnerable structure. Data processing and local training procedures under client control may expose the global aggregate model to attacks. FL is vulnerable to malicious clients; a single adversarial client may compromise the entire performance of the global model [2]. Specifically, untargeted poisoning attacks, like random noise [3] or sign-flipping attacks [2], aim to push the global model in the wrong direction from the outset of rounds. The result is a consistently high rate of test errors across all test sets, illustrating the damaging implications of the initial deviation in the model’s learning direction.
∗ Corresponding Author. Emails: {e.alharbi, l.marcolino, a.gouglidis, q.ni}@lancaster.ac.uk
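The effect of a sign-flipped update on server-side aggregation, as an added example that is not code from the paper or the RFCL implementation. Four constructed benign updates scatter around a true gradient; a fifth, sign-flipped and scaled up, is enough to turn the plain FedAvg mean against the true direction, while the coordinate-wise median [23] survives. The cosine-similarity screen at the end, which uses the median as a reference direction, is an assumption of this example to illustrate why direction-based similarity is a useful signal; it is not RFCL's own algorithm.

```python
"""Constructed toy FL round: four benign clients and one sign-flipping client.

Added example, not code from the paper. Vectors are short constructed
gradients; the server applies three aggregation rules to the same updates.
"""
import math
from typing import List, Sequence

Vector = List[float]


def mean_aggregate(updates: Sequence[Vector]) -> Vector:
    """FedAvg-style coordinate-wise mean with equal client weights."""
    n = len(updates)
    return [sum(u[i] for u in updates) / n for i in range(len(updates[0]))]


def median_aggregate(updates: Sequence[Vector]) -> Vector:
    """Coordinate-wise median: robust to a minority of outlier coordinates."""
    out = []
    for i in range(len(updates[0])):
        col = sorted(u[i] for u in updates)
        m = len(col)
        out.append(col[m // 2] if m % 2 else (col[m // 2 - 1] + col[m // 2]) / 2)
    return out


def cosine(a: Vector, b: Vector) -> float:
    """Cosine similarity; 1 = same direction, -1 = opposite direction."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def screened_mean(updates: Sequence[Vector], threshold: float = 0.0) -> Vector:
    """Assumed screening rule (not RFCL): average only the updates whose
    cosine similarity to the coordinate-wise median exceeds `threshold`.
    The median is the reference because it survives a minority of poisoned
    updates, so an update pointing against it is a strong outlier signal."""
    ref = median_aggregate(updates)
    kept = [u for u in updates if cosine(u, ref) > threshold]
    return mean_aggregate(kept)


def simulate_round() -> dict:
    """One aggregation round on constructed data; returns the three aggregates
    plus the cosine similarities that show which rule kept the true direction."""
    true_grad = [1.0, 2.0, -1.0]
    # Constructed benign updates: Non-IID-like spread around true_grad.
    benign = [
        [1.1, 1.9, -0.9],
        [0.9, 2.2, -1.1],
        [1.2, 1.8, -1.0],
        [0.8, 2.1, -1.2],
    ]
    # Constructed sign-flipping client: opposite direction, scaled by 5.
    attacker = [-5.0, -10.0, 5.0]
    updates = benign + [attacker]
    mean = mean_aggregate(updates)
    median = median_aggregate(updates)
    return {
        "mean": mean,                       # dragged to [-0.2, -0.4, 0.16]
        "median": median,                   # stays at [0.9, 1.9, -1.0]
        "screened": screened_mean(updates), # attacker dropped, benign averaged
        "cos_mean": cosine(mean, true_grad),       # negative: wrong direction
        "cos_median": cosine(median, true_grad),   # close to 1
        "cos_attacker": cosine(attacker, median),  # close to -1
    }


if __name__ == "__main__":
    for k, v in simulate_round().items():
        print(f"{k:12s} {v}")
```

The point to take from the numbers is that a single client can flip the sign of the FedAvg aggregate, which is the "wrong direction from the outset" failure described above; the coordinate-wise median keeps the benign direction at this attacker fraction, and the attacker's update is the only one with negative cosine similarity to it.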
Several robust FL aggregation methods have been proposed in the literature [3, 8, 23, 7]. However, recent studies have revealed that some of these robust FL aggregation methods are susceptible to new attacks. For instance, the A Little Is Enough (ALIE) attack can exploit the empirical variance between client updates to bypass Median [23] and Krum [3], provided that the variance is high enough [1]. Similarly, the Inner Product Manipulation (IPM) attack can significantly threaten Median [23] and Krum [3] by manipulating the inner product between the true gradient and the robust aggregated gradient to be negative [21]. Non-IID data can impact the robustness of FL, particularly in the presence of adversarial attacks that exploit data heterogeneity. A small percentage of adversaries may be sufficient to launch a successful attack, making it even more critical to address Non-IID data in the context of potential attacks [1].
Existing defence methods try to distinguish between malicious and benign clients by analyzing the statistical differences in their model updates. However, these detection approaches demand many model updates to make reliable decisions. Consequently, malicious clients might have already poisoned the global model before being identified, reducing the efficacy of these defence strategies [23, 8].
Current defences against poisoning attacks in FL are developed to prevent the global model from being compromised by a small number of malicious clients. Even when trained with malicious clients, they ensure that the global model remains close to the one that would have been learned without them. Moreover, some aggregation methods such as FLTrust [6], LearnDefend [14], and Zeno++ [22] require the server to access part or all of the private data. This assumption contradicts the FL framework’s zero-server-knowledge and privacy-preserving principle.
The server implementing robust aggregator methods faces difficulty distinguishing between benign and adversarial clients. This challenge is aggravated by high-dimensional gradients, a higher proportion of attackers, and significant heterogeneity (Non-IID).
We present RFCL, a novel Robust Federated aggregation CLustering technique to address security issues arising from data and model poisoning attacks in heterogeneous data settings. The RFCL frame-
ECAI 2023
K. Gal et al. (Eds.)
© 2023 The Authors.
This article is published online with Open Access by IOS Press and distributed under the terms of the Creative Commons Attribution Non-Commercial License 4.0 (CC BY-NC 4.0).
doi:10.3233/FAIA230257