defense 2026

FedTrident: Resilient Road Condition Classification Against Poisoning Attacks in Federated Learning

Sheng Liu, Panos Papadimitratos

0 citations

Published on arXiv

2603.19101

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

Outperforms eight baseline countermeasures by 9.49% and 4.47% on two critical metrics, achieving performance comparable to attack-free scenarios

FedTrident

Novel technique introduced


Federated Learning (FL) has emerged as a transformative paradigm for Intelligent Transportation Systems (ITS), notably camera-based Road Condition Classification (RCC). However, by enabling collaboration, FL-based RCC exposes the system to adversarial participants launching Targeted Label-Flipping Attacks (TLFAs). Malicious clients (vehicles) can relabel their local training data (e.g., from an actual uneven road to a wrong smooth road), consequently compromising global model predictions and jeopardizing transportation safety. Existing countermeasures against such poisoning attacks fail to maintain resilient model performance near the necessary attack-free levels in various attack scenarios due to: 1) not tailoring poisoned local model detection to TLFAs, 2) not excluding malicious vehicular clients based on historical behavior, and 3) not remedying the already-corrupted global model after exclusion. To close this research gap, we propose FedTrident, which introduces: 1) neuron-wise analysis for local model misbehavior detection (notably including attack goal identification, critical feature extraction, and GMM-based model clustering and filtering); 2) adaptive client rating for client exclusion according to the local model detection results in each FL round; and 3) machine unlearning for corrupted global model remediation once malicious clients are excluded during FL. Extensive evaluation across diverse FL-RCC models, tasks, and configurations demonstrates that FedTrident can effectively thwart TLFAs, achieving performance comparable to that in attack-free scenarios and outperforming eight baseline countermeasures by 9.49% and 4.47% for the two most critical metrics. Moreover, FedTrident is resilient to various malicious client rates, data heterogeneity levels, complicated multi-task, and dynamic attacks.


Key Contributions

  • Neuron-wise analysis for poisoned local model detection tailored to TLFAs (attack goal identification, critical feature extraction, GMM-based clustering)
  • Adaptive client rating system for excluding malicious vehicular clients based on historical behavior across FL rounds
  • Machine unlearning mechanism to remediate already-corrupted global models after malicious client exclusion

🛡️ Threat Analysis

Data Poisoning Attack

Defends against Targeted Label-Flipping Attacks (TLFAs), a data poisoning attack where malicious FL clients deliberately relabel training data (e.g., 'uneven road' → 'smooth road') to corrupt the global model.


Details

Domains
vision, federated-learning
Model Types
cnn, federated
Threat Tags
training_time, targeted
Applications
road condition classification, intelligent transportation systems