Graph Representation-based Model Poisoning on the Heterogeneous Internet of Agents

TL;DR

This paper introduces a graph-based model poisoning attack on federated fine-tuning in the Internet of Agents, demonstrating its ability to evade detection and significantly degrade LLM performance.

Contribution

It presents a novel graph representation-based attack method that exploits structural dependencies to generate malicious updates, highlighting a new security threat.

Findings

GRMP attack significantly reduces LLM accuracy.

The attack evades existing detection mechanisms.

Experimental results confirm the attack's effectiveness across models.

Abstract

Internet of Agents (IoA) envisions a unified, agent-centric paradigm where heterogeneous large language model (LLM) agents can interconnect and collaborate at scale. Within this paradigm, federated fine-tuning (FFT) serves as a key enabler that allows distributed LLM agents to co-train an intelligent global LLM without centralizing local datasets. However, the FFT-enabled IoA systems remain vulnerable to model poisoning attacks, where adversaries can upload malicious updates to the server to degrade the performance of the aggregated global LLM. This paper proposes a graph representation-based model poisoning (GRMP) attack, which exploits overheard benign updates to construct a feature correlation graph and employs a variational graph autoencoder to capture structural dependencies and generate malicious updates. A novel attack algorithm is developed based on augmented Lagrangian and subgradient descent methods to optimize malicious updates that preserve benign-like statistics while embedding adversarial objectives. Experimental results show that the proposed GRMP attack can substantially decrease accuracy across different LLM models while remaining statistically consistent with benign updates, thereby evading detection by existing defense mechanisms and underscoring a severe threat to the ambitious IoA paradigm.