ML Security PapersTemperature Scaling Attack Disrupting Model Confidence in Federated Learning
Kichang Lee 1, Jaeho Jin 1, JaeYeon Park 2, Songkuk Kim 1, JeongGil Ko 1
Published on arXiv
2602.06638
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
TSA increases Expected Calibration Error by 145% on CIFAR-100 with less than 2% accuracy change, remaining effective under robust aggregation (Krum, Trimmed Mean) and post-hoc calibration defenses.
Temperature Scaling Attack (TSA)
Novel technique introduced
Predictive confidence serves as a foundational control signal in mission-critical systems, directly governing risk-aware logic such as escalation, abstention, and conservative fallback. While prior federated learning attacks predominantly target accuracy or implant backdoors, we identify confidence calibration as a distinct attack objective. We present the Temperature Scaling Attack (TSA), a training-time attack that degrades calibration while preserving accuracy. By injecting temperature scaling with learning rate-temperature coupling during local training, malicious updates maintain benign-like optimization behavior, evading accuracy-based monitoring and similarity-based detection. We provide a convergence analysis under non-IID settings, showing that this coupling preserves standard convergence bounds while systematically distorting confidence. Across three benchmarks, TSA substantially shifts calibration (e.g., 145% error increase on CIFAR-100) with <2 accuracy change, and remains effective under robust aggregation and post-hoc calibration defenses. Case studies further show that confidence manipulation can cause up to 7.2x increases in missed critical cases (healthcare) or false alarms (autonomous driving), even when accuracy is unchanged. Overall, our results establish calibration integrity as a critical attack surface in federated learning.
Key Contributions
- Identifies confidence calibration as a distinct and under-studied attack objective in federated learning, separate from accuracy degradation or backdoor insertion
- Proposes Temperature Scaling Attack (TSA) using learning-rate–temperature coupling (β parameter) that preserves convergence bounds while systematically distorting calibration, evading accuracy-based and similarity-based detection
- Demonstrates real-world impact via case studies showing up to 7.2x increase in missed critical cases (healthcare) or false alarms (autonomous driving) even when accuracy is unchanged
🛡️ Threat Analysis
TSA is a Byzantine attack in federated learning: malicious FL participants manipulate their local training to inject poisoned model updates that degrade calibration globally. This directly matches the ML02 definition of Byzantine attacks — malicious clients sending manipulated updates to degrade model behavior — evaluated against robust aggregation defenses (Krum, FedAvg variants).