
Topology-Independent Robustness of the Weighted Mean under Label Poisoning Attacks in Heterogeneous Decentralized Learning

Jie Peng 1, Weiyu Li 2, Stefan Vlaski 3, Qing Ling 1

0 citations · 58 references · arXiv


Published on arXiv · 2601.02682

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

The weighted mean aggregator achieves topology-independent robustness under label poisoning and can outperform robust aggregators when the global contamination rate is smaller than the local contamination rate, or when the regular-agent network is sparse or disconnected.


Robustness to malicious attacks is crucial for practical decentralized signal processing and machine learning systems. A typical example of such attacks is label poisoning, in which some agents possess corrupted local labels and share models trained on these poisoned data. To defend against malicious attacks, existing works often focus on designing robust aggregators; meanwhile, the weighted mean aggregator is typically considered a simple, vulnerable baseline. This paper analyzes the robustness of decentralized gradient descent under label poisoning attacks, considering both robust and weighted mean aggregators. Theoretical results reveal that the learning errors of robust aggregators depend on the network topology, whereas the performance of the weighted mean aggregator is topology-independent. Remarkably, the weighted mean aggregator, although often considered vulnerable, can outperform robust aggregators under sufficient heterogeneity, particularly when: (i) the global contamination rate (i.e., the fraction of poisoned agents in the entire network) is smaller than the local contamination rate (i.e., the maximal fraction of poisoned neighbors among the regular agents); (ii) the network of regular agents is disconnected; or (iii) the network of regular agents is sparse and the local contamination rate is high. Empirical results support these theoretical findings, highlighting the important role of network topology in robustness to label poisoning attacks.
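To make the setting concrete, the following is a minimal illustrative sketch of decentralized gradient descent with weighted mean aggregation under label poisoning. It is not the paper's exact algorithm or experimental setup: the ring topology, uniform mixing weights, linear-regression losses, and sign-flip poisoning are all assumptions chosen for brevity.

```python
import numpy as np

rng = np.random.default_rng(0)
n_agents, d, n_local = 8, 5, 50
w_true = rng.normal(size=d)

# Local linear-regression datasets; a subset of agents holds poisoned labels.
poisoned = {0, 1}  # illustrative choice of attacked agents
X = [rng.normal(size=(n_local, d)) for _ in range(n_agents)]
y = [Xi @ w_true + 0.1 * rng.normal(size=n_local) for Xi in X]
for i in poisoned:
    y[i] = -y[i]  # label poisoning: corrupt agent i's local labels

# Ring-topology mixing matrix (doubly stochastic, uniform weights).
W = np.zeros((n_agents, n_agents))
for i in range(n_agents):
    W[i, i] = W[i, (i - 1) % n_agents] = W[i, (i + 1) % n_agents] = 1 / 3

models = np.zeros((n_agents, d))
lr = 0.05
for _ in range(200):
    # Each agent's local gradient (poisoned agents use corrupted labels).
    grads = np.array([X[i].T @ (X[i] @ models[i] - y[i]) / n_local
                      for i in range(n_agents)])
    # Weighted mean aggregation: mix neighbors' models, then take a gradient step.
    models = W @ models - lr * grads

regular = [i for i in range(n_agents) if i not in poisoned]
err = np.mean([np.linalg.norm(models[i] - w_true) for i in regular])
print(f"mean learning error of regular agents: {err:.3f}")
```

Because the weighted mean averages all neighbors, the poisoned agents bias the consensus model away from `w_true`; the paper's analysis characterizes when this bias is nonetheless smaller than the topology-dependent error incurred by robust aggregators.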


Key Contributions

  • First theoretical analysis showing the weighted mean aggregator's robustness under label poisoning is topology-independent, while robust aggregators' robustness depends on network topology
  • Derives upper and lower bounds on learning errors for decentralized first-order algorithms under label poisoning, characterizing when weighted mean outperforms robust aggregators
  • Identifies three conditions (global < local contamination rate, disconnected regular-agent network, sparse network with high local contamination) under which weighted mean surpasses robust aggregators
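To contrast the two aggregator families the bounds compare, here is a hedged sketch of a weighted mean versus a coordinate-wise trimmed mean (the trimmed mean stands in for the class of robust aggregators; the specific rules analyzed in the paper may differ). The numbers are made up for illustration.

```python
import numpy as np

def weighted_mean(models, weights):
    """Weighted mean aggregator: convex combination of received models."""
    return weights @ models

def trimmed_mean(models, b):
    """Coordinate-wise trimmed mean: drop the b largest and b smallest
    values in each coordinate, then average the remaining ones."""
    s = np.sort(models, axis=0)
    return s[b:len(models) - b].mean(axis=0)

# Three regular agents near [1, 2] plus one poisoned outlier model.
models = np.array([[1.0, 2.0],
                   [1.1, 2.1],
                   [0.9, 1.9],
                   [10.0, -10.0]])
uniform = np.full(len(models), 1 / len(models))

print(weighted_mean(models, uniform))  # pulled toward the outlier: [3.25, -1.0]
print(trimmed_mean(models, b=1))       # outlier trimmed away: [1.05, 1.95]
```

The trimmed mean discards the extreme model here, but the paper shows its worst-case learning error still depends on the network topology, whereas the weighted mean's does not.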

🛡️ Threat Analysis

Data Poisoning Attack

The paper's central threat model is label poisoning — adversarial agents inject corrupted training labels into a decentralized gradient descent system to degrade global model performance. This is a direct data poisoning attack at training time. The paper derives theoretical learning error bounds for defenses (robust and weighted mean aggregators) against this poisoning threat.


Details

Domains
federated-learning
Model Types
federated, traditional_ml
Threat Tags
training_time, untargeted
Applications
decentralized machine learning, content moderation, spam detection, crowd-sourcing