attack 2025

On Evaluating the Poisoning Robustness of Federated Learning under Local Differential Privacy

Zijian Wang, Wei Tong, Tingxuan Han, Haoyu Chen, Tianling Zhang, Yunlong Mao, Sheng Zhong

Published on arXiv: 2509.05265

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

Adaptive attacks significantly degrade global model performance across all three LDPFL protocols, successfully evading robust aggregation defenses including Multi-Krum and trimmed mean.

LDPFL-Attack

Novel technique introduced


Federated learning (FL) combined with local differential privacy (LDP) enables privacy-preserving model training across decentralized data sources. However, the decentralized data-management paradigm leaves LDPFL vulnerable to participants with malicious intent. The robustness of LDPFL protocols, particularly against model poisoning attacks (MPA), where adversaries inject malicious updates to disrupt global model convergence, remains insufficiently studied. In this paper, we propose a novel and extensible model poisoning attack framework tailored for LDPFL settings. Our approach is driven by the objective of maximizing the global training loss while adhering to local privacy constraints. To counter robust aggregation mechanisms such as Multi-Krum and trimmed mean, we develop adaptive attacks that embed carefully crafted constraints into a reverse training process, enabling evasion of these defenses. We evaluate our framework across three representative LDPFL protocols, three benchmark datasets, and two types of deep neural networks. Additionally, we investigate the influence of data heterogeneity and privacy budgets on attack effectiveness. Experimental results demonstrate that our adaptive attacks can significantly degrade the performance of the global model, revealing critical vulnerabilities and highlighting the need for more robust LDPFL defense strategies against MPA. Our code is available at https://github.com/ZiJW/LDPFL-Attack


Key Contributions

  • Novel extensible model poisoning attack framework for LDPFL that maximizes global training loss while satisfying local differential privacy constraints
  • Adaptive attack variants that embed evasion constraints into a reverse training process to bypass Multi-Krum and trimmed mean robust aggregation defenses
  • Systematic evaluation across 3 LDPFL protocols, 3 datasets, and 2 neural network architectures, with analysis of data heterogeneity and privacy budget effects on attack effectiveness

🛡️ Threat Analysis

Data Poisoning Attack

The paper's primary contribution is a Byzantine model poisoning attack framework where malicious FL participants inject crafted model updates to maximize global training loss and degrade convergence — the canonical ML02 threat (untargeted, performance-degrading Byzantine attacks in federated learning). Adaptive variants specifically bypass robust aggregation defenses like Multi-Krum and trimmed mean.


Details

Domains: federated-learning
Model Types: federated, cnn
Threat Tags: white_box, training_time, untargeted
Datasets: MNIST, CIFAR-10, FEMNIST
Applications: federated learning, privacy-preserving distributed model training