GShield: Mitigating Poisoning Attacks in Federated Learning

TL;DR

GShield is a novel defense mechanism for federated learning that detects and mitigates poisoning attacks by modeling benign gradient distributions, significantly improving robustness and targeted class accuracy.

Contribution

GShield introduces a clustering and Gaussian modeling approach to identify malicious updates in federated learning, especially under non-IID data conditions.

Findings

Significantly enhances model robustness against poisoning attacks.

Maintains high accuracy on tabular and image datasets.

Improves targeted class accuracy by 43% to 65%.

Abstract

Federated Learning (FL) has recently emerged as a revolutionary approach to collaborative training Machine Learning models. In particular, it enables decentralized model training while preserving data privacy, but its distributed nature makes it highly vulnerable to a severe attack known as Data Poisoning. In such scenarios, malicious clients inject manipulated data into the training process, thereby degrading global model performance or causing targeted misclassification. In this paper, we present a novel defense mechanism called GShield, designed to detect and mitigate malicious and low-quality updates, especially under non-independent and identically distributed (non-IID) data scenarios. GShield operates by learning the distribution of benign gradients through clustering and Gaussian modeling during an initial round, enabling it to establish a reliable baseline of trusted client behavior. With this benign profile, GShield selectively aggregates only those updates that align with the expected gradient patterns, effectively isolating adversarial clients and preserving the integrity of the global model. An extensive experimental campaign demonstrates that our proposed defense significantly improves model robustness compared to the state-of-the-art methods while maintaining a high accuracy of performance across both tabular and image datasets. Furthermore, GShield improves the accuracy of the targeted class by 43\% to 65\% after detecting malicious and low-quality clients.