FLAegis: A Two-Layer Defense Framework for Federated Learning Against Poisoning Attacks
Enrique Mármol Campos, Aurora González Vidal, José Luis Hernández Ramos, Antonio Skarmeta

TL;DR
FLAegis is a novel two-layer defense framework for federated learning that effectively detects Byzantine clients and enhances model robustness against various poisoning attacks using symbolic transformation, spectral clustering, and FFT-based aggregation.
Contribution
Introduces FLAegis, a two-stage defense framework combining symbolic time series transformation, spectral clustering, and FFT-based aggregation to detect and mitigate poisoning attacks in federated learning.
Findings
Outperforms state-of-the-art defenses in detection precision.
Maintains high model accuracy under strong poisoning attacks.
Effective against diverse poisoning strategies.
Abstract
Federated Learning (FL) has become a powerful technique for training Machine Learning (ML) models in a decentralized manner, preserving the privacy of the training datasets involved. However, the decentralized nature of FL limits the visibility of the training process, relying heavily on the honesty of participating clients. This assumption opens the door to malicious third parties, known as Byzantine clients, which can poison the training process by submitting false model updates. Such malicious clients may engage in poisoning attacks, manipulating either the dataset or the model parameters to induce misclassification. In response, this study introduces FLAegis, a two-stage defensive framework designed to identify Byzantine clients and improve the robustness of FL systems. Our approach leverages symbolic time series transformation (SAX) to amplify the differences between benign and…
