Dynamic Free-Rider Detection in Federated Learning via Simulated Attack Patterns
Published on arXiv: 2604.04611
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
Achieves higher robustness than existing free-rider detection approaches across three datasets and five attack types including dynamic free-riders
Novel technique introduced: S2-WEF
Federated learning (FL) enables multiple clients to collaboratively train a global model by aggregating local updates without sharing private data. However, FL often faces the challenge of free-riders, clients who submit fake model parameters without performing actual training to obtain the global model without contributing. Chen et al. proposed a free-rider detection method based on the weight evolving frequency (WEF) of model parameters. This detection approach is a leading candidate for practical free-rider detection methods, as it requires neither a proxy dataset nor pre-training. Nevertheless, it struggles to detect "dynamic" free-riders who behave honestly in early rounds and later switch to free-riding, particularly under global-model-mimicking attacks such as the delta weight attack and our newly proposed adaptive WEF-camouflage attack. In this paper, we propose a novel detection method, S2-WEF, that simulates the WEF patterns of potential global-model-based attacks on the server side using previously broadcast global models, and identifies clients whose submitted WEF patterns resemble the simulated ones. To handle a variety of free-rider attack strategies, S2-WEF further combines this simulation-based similarity score with a deviation score computed from mutual comparisons among submitted WEFs, and separates benign and free-rider clients by two-dimensional clustering and per-score classification. This method enables dynamic detection of clients that transition into free-riders during training without proxy datasets or pre-training. We conduct extensive experiments across three datasets and five attack types, demonstrating that S2-WEF achieves higher robustness than existing approaches.
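A minimal sketch of the server-side scoring idea in the abstract, added here as an illustration and not the paper's code. Assumptions: WEF is reduced to a binary mask of weights whose change exceeds the mean change, the simulated attack is a delta weight update built from the last two global models, and fixed thresholds stand in for the paper's two-dimensional clustering; all names and sample weights are constructed.

```python
def wef_mask(prev, curr):
    """Simplified WEF stand-in (assumption): 1 where |change| > mean |change|."""
    delta = [abs(c - p) for p, c in zip(prev, curr)]
    thr = sum(delta) / len(delta)
    return [1 if d > thr else 0 for d in delta]

def jaccard(a, b):
    inter = sum(x & y for x, y in zip(a, b))
    union = sum(x | y for x, y in zip(a, b))
    return inter / union if union else 1.0

def score_clients(g_prev2, g_prev1, submissions):
    """Return {client: (similarity_to_simulated_attack, deviation_from_peers)}."""
    # Simulate the fake model a delta weight free-rider could build from
    # broadcast globals alone: g_prev1 + (g_prev1 - g_prev2).
    simulated = [2 * a - b for a, b in zip(g_prev1, g_prev2)]
    sim_mask = wef_mask(g_prev1, simulated)
    masks = {c: wef_mask(g_prev1, w) for c, w in submissions.items()}
    scores = {}
    for c, m in masks.items():
        peers = [jaccard(m, o) for k, o in masks.items() if k != c]
        scores[c] = (jaccard(m, sim_mask), 1 - sum(peers) / len(peers))
    return scores

def flag_free_riders(scores, sim_thr=0.8, dev_thr=0.8):
    # Fixed per-score thresholds (assumption) instead of clustering.
    return sorted(c for c, (s, d) in scores.items() if s >= sim_thr or d >= dev_thr)

# Constructed sample data: two broadcast global models and five submissions.
G_PREV2 = [0.0, 0.0, 0.0, 0.0, 0.0, 0.0]
G_PREV1 = [0.5, 0.1, 0.4, 0.1, 0.0, 0.1]
SUBMISSIONS = {
    "client_a": [0.55, 0.40, 0.42, 0.10, 0.30, 0.45],  # trained locally
    "client_b": [0.52, 0.45, 0.40, 0.12, 0.35, 0.40],  # trained locally
    "client_c": [0.50, 0.38, 0.45, 0.35, 0.30, 0.12],  # trained locally
    "client_d": [1.00, 0.21, 0.79, 0.20, 0.01, 0.20],  # mimics global delta
    "client_e": [0.99, 0.20, 0.81, 0.21, 0.00, 0.19],  # mimics global delta
}

if __name__ == "__main__":
    scores = score_clients(G_PREV2, G_PREV1, SUBMISSIONS)
    for client, (sim, dev) in sorted(scores.items()):
        print(f"{client}: similarity={sim:.2f} deviation={dev:.2f}")
    print("flagged:", flag_free_riders(scores))
```

In this constructed round the two mimicking clients agree with each other, so their deviation score (0.75) stays under the threshold and only the simulation-based similarity score flags them.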
Key Contributions
- Proposes the S2-WEF detection method, which simulates attack patterns server-side using previously broadcast global models to identify free-riders
- Introduces an adaptive WEF-camouflage attack that evades existing weight evolving frequency (WEF) detection methods
- Enables dynamic detection of clients that transition from honest to free-riding behavior during training without requiring proxy datasets or pre-training
🛡️ Threat Analysis
Free-rider attacks in federated learning are a form of data poisoning where malicious clients submit fake model updates without honest training, degrading the global model quality. The paper proposes the S2-WEF defense to detect such poisoning behavior by analyzing weight evolving frequency patterns.