Evaluating Adversarial Attacks on Federated Learning for Temperature Forecasting

TL;DR

This paper investigates the vulnerability of federated learning models for temperature forecasting to adversarial attacks, demonstrating how small-scale data poisoning can significantly distort predictions across large geographic regions and evaluating defense strategies.

Contribution

It is the first to analyze spatially-aware adversarial attacks on federated weather forecasting models and assesses the effectiveness of trimmed mean aggregation as a defense.

Findings

Global bias attacks can shift temperature predictions by up to -1.7 K.

Patch-based attacks more than triple mean squared error and cause regional anomalies exceeding +3.5 K.

Trimmed mean aggregation defends against global bias but fails against patch attacks.

Abstract

Deep learning and federated learning (FL) are becoming powerful partners for next-generation weather forecasting. Deep learning enables high-resolution spatiotemporal forecasts that can surpass traditional numerical models, while FL allows institutions in different locations to collaboratively train models without sharing raw data, addressing efficiency and security concerns. While FL has shown promise across heterogeneous regions, its distributed nature introduces new vulnerabilities. In particular, data poisoning attacks, in which compromised clients inject manipulated training data, can degrade performance or introduce systematic biases. These threats are amplified by spatial dependencies in meteorological data, allowing localized perturbations to influence broader regions through global model aggregation. In this study, we investigate how adversarial clients distort federated surface temperature forecasts trained on the Copernicus European Regional ReAnalysis (CERRA) dataset. We simulate geographically distributed clients and evaluate patch-based and global biasing attacks on regional temperature forecasts. Our results show that even a small fraction of poisoned clients can mislead predictions across large, spatially connected areas. A global temperature bias attack from a single compromised client shifts predictions by up to -1.7 K, while coordinated patch attacks more than triple the mean squared error and produce persistent regional anomalies exceeding +3.5 K. Finally, we assess trimmed mean aggregation as a defense mechanism, showing that it successfully defends against global bias attacks (2-13% degradation) but fails against patch attacks (281-603% amplification), exposing limitations of outlier-based defenses for spatially correlated data.