Abstract

Untargeted poisoning attacks pose a serious threat to federated learning. However, existing untargeted poisoning attacks have limitations. Most attacks assume that the adversary can control a large number of real clients, which is difficult to achieve in practice. Although the poisoning attack based on fake clients overcomes the dependence on real clients, it causes the model to classify all data into default categories, which limits the effectiveness of the attack. Additionally, the fake local model updates are consistent, making them easily detectable by existing defenses, so the attack is less stealthy. To address these issues, we propose an Untargeted Poisoning Attack based on Fake Clients called UPA-FC. The attack manipulates key model layers based on their importance to enhance its effectiveness. We also introduce a random flipping strategy to reduce the similarity between fake local updates, enhancing the stealth of the attack. To defend against UPA-FC, we propose a clustering-based defense scheme called D-UPA-FC. This scheme analyzes the distance matrix using a clustering algorithm. It determines the optimal clusters by calculating Euclidean distances to aggregate the global model. Experimental results show that UPA-FC outperforms the existing poisoning attack in terms of both effectiveness and stealth, while D-UPA-FC effectively defends against UPA-FC.
He et al. (Fri,) studied this question.
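The defense idea in the abstract (cluster client updates on their pairwise Euclidean distance matrix, then aggregate only the selected cluster) can be sketched as follows. This is an added illustration, not the paper's D-UPA-FC algorithm: the average-linkage clustering, the fixed two clusters, the median-based selection rule and all function names are assumptions made here, and the sample updates are constructed.

```python
import math
from statistics import median

def distance_matrix(updates):
    """Pairwise Euclidean distances between flattened client updates."""
    return [[math.dist(u, v) for v in updates] for u in updates]

def two_clusters(dist):
    """Average-linkage agglomerative clustering on the matrix, stopped at 2 clusters."""
    clusters = [[i] for i in range(len(dist))]

    def linkage(a, b):
        return sum(dist[i][j] for i in a for j in b) / (len(a) * len(b))

    while len(clusters) > 2:
        # Merge the pair of clusters with the smallest average distance.
        _, x, y = min((linkage(clusters[x], clusters[y]), x, y)
                      for x in range(len(clusters))
                      for y in range(x + 1, len(clusters)))
        clusters[x] += clusters.pop(y)
    return clusters

def filter_and_aggregate(updates):
    """Return (kept client indices, averaged update) for the selected cluster."""
    clusters = two_clusters(distance_matrix(updates))
    # Assumed selection rule: keep the cluster closest, on average, to the
    # coordinate-wise median of all updates (relies on an honest majority).
    ref = [median(col) for col in zip(*updates)]

    def score(c):
        return sum(math.dist(updates[i], ref) for i in c) / len(c)

    kept = sorted(min(clusters, key=score))
    agg = [sum(updates[i][d] for i in kept) / len(kept) for d in range(len(ref))]
    return kept, agg

# Constructed sample: clients 0-4 submit similar updates, clients 5-6 are outliers.
UPDATES = [
    [0.10, -0.20, 0.05], [0.12, -0.18, 0.04], [0.09, -0.22, 0.06],
    [0.11, -0.19, 0.05], [0.10, -0.21, 0.07],
    [-0.90, 1.10, -0.80], [-1.20, 0.70, -1.00],
]

if __name__ == "__main__":
    kept, agg = filter_and_aggregate(UPDATES)
    print("kept clients:", kept)
    print("aggregated update:", [round(v, 4) for v in agg])
```

The median reference only holds while benign clients outnumber injected ones; a deployment would also need a rule for rounds where both clusters are benign.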