XFED: Non-Collusive Model Poisoning Attack Against Byzantine-Robust Federated Classifiers

TL;DR

This paper introduces XFED, a novel non-collusive model poisoning attack against federated learning that bypasses existing defenses, highlighting the need for more robust security measures.

Contribution

The paper formalizes a non-collusive attack model and presents XFED, the first attack of its kind that operates without client communication or server-side knowledge.

Findings

XFED bypasses 8 state-of-the-art defenses.

XFED outperforms 6 existing model poisoning attacks.

Federated Learning systems are more vulnerable than previously thought.

Abstract

Model poisoning attacks pose a significant security threat to Federated Learning (FL). Most existing model poisoning attacks rely on collusion, requiring adversarial clients to coordinate by exchanging local benign models and synchronizing the generation of their poisoned updates. However, sustaining such coordination is increasingly impractical in real-world FL deployments, as it effectively requires botnet-like control over many devices. This approach is costly to maintain and highly vulnerable to detection. This context raises a fundamental question: Can model poisoning attacks remain effective without any communication between attackers? To address this challenge, we introduce and formalize the \textbf{non-collusive attack model}, in which all compromised clients share a common adversarial objective but operate independently. Under this model, each attacker generates its malicious update without communicating with other adversaries, accessing other clients' updates, or relying on any knowledge of server-side defenses. To demonstrate the feasibility of this threat model, we propose \textbf{XFED}, the first aggregation-agnostic, non-collusive model poisoning attack. Our empirical evaluation across six benchmark datasets shows that XFED bypasses eight state-of-the-art defenses and outperforms six existing model poisoning attacks. These findings indicate that FL systems are substantially less secure than previously believed and underscore the urgent need for more robust and practical defense mechanisms.