GradCAM-AE: A New Shield Defense against Poisoning Attacks on Federated Learning
Ref: CISTER-TR-250803 Publication Date: 2025
Abstract:
Recent poisoning attacks on federated learning (FL) generate malicious model updates that circumvent widely adopted Euclidean distance-based detection methods. This paper proposes a new defense mechanism, GradCAM-AE, against model poisoning attacks on FL. It integrates Gradient-weighted Class Activation Mapping (GradCAM) with an autoencoder (AE) to offer substantially stronger detection capability than existing Euclidean distance-based approaches. Specifically, GradCAM-AE generates a heat map for each uploaded local model update, transforming each update into a lower-dimensional visual representation. An autoencoder then reprojects the GradCAM heat maps of all local model updates with improved distinguishability, accentuating the hidden features of the heat maps and increasing the success rate of identifying anomalous heat maps and hence malicious local models. A comprehensive evaluation of the proposed GradCAM-AE framework is conducted on the CIFAR-10 and GTSRB datasets under both Independent and Identically Distributed (IID) and Non-IID settings, using the ResNet-18 and MobileNetV3-Large models. The results show that GradCAM-AE achieves higher detection rates and higher test accuracy of the FL global model than contemporary state-of-the-art methods. Our code is available at: https://github.com/jjzgeeks/GradCAM-AE.
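An added illustration of the detection step the abstract describes; this is not the authors' code from the linked repository. Constructed 8x8 heat maps stand in for real GradCAM output, a linear autoencoder fitted in closed form with an SVD stands in for the paper's trained autoencoder, and clients whose encoded heat map lies far from the robust centre of the latent space are flagged (the median + k*MAD rule and the client indices 3 and 11 are assumptions of this example).

```python
import numpy as np

SIDE = 8  # constructed 8x8 heat maps stand in for real GradCAM outputs


def make_heatmaps(n_clients=20, malicious=(3, 11)):
    """Construct one heat map per client (constructed data, not GradCAM output).

    Benign clients highlight a shared object region with slightly different
    intensities; the two malicious clients highlight other regions, mimicking
    a poisoned update whose attention pattern has shifted."""
    maps = np.zeros((n_clients, SIDE, SIDE))
    for i in range(n_clients):
        if i == malicious[0]:
            maps[i, 0:3, 5:8] = 1.0               # attention moved to top-right corner
        elif i == malicious[1]:
            maps[i, 6:8, 0:3] = 1.0               # attention moved to bottom-left corner
        else:
            maps[i, 3:6, 2:6] = 0.9 + 0.01 * i    # shared benign region, mild variation
    return maps


class LinearAutoencoder:
    """Stand-in for the paper's autoencoder: a linear encoder/decoder obtained
    in closed form with an SVD (the subspace a linear AE trained with MSE
    converges to)."""

    def __init__(self, latent_dim=2):
        self.latent_dim = latent_dim

    def fit(self, x):
        self.mean = x.mean(axis=0)
        _, _, vt = np.linalg.svd(x - self.mean, full_matrices=False)
        self.w = vt[: self.latent_dim].T  # (features, latent_dim)
        return self

    def encode(self, x):
        return (x - self.mean) @ self.w  # latent code per client


def detect_malicious(maps, latent_dim=2, k=5.0):
    """Encode every client's heat map, then flag clients whose latent code is
    far from the robust centre: distance > median + k * MAD (assumed rule)."""
    x = maps.reshape(len(maps), -1)
    z = LinearAutoencoder(latent_dim).fit(x).encode(x)
    dist = np.linalg.norm(z - np.median(z, axis=0), axis=1)
    med = np.median(dist)
    mad = np.median(np.abs(dist - med))
    flagged = np.where(dist > med + k * mad)[0]
    return sorted(int(i) for i in flagged), dist


if __name__ == "__main__":
    flagged, dist = detect_malicious(make_heatmaps())
    print("flagged clients:", flagged)  # [3, 11]
```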
Published in ACM Transactions on Privacy and Security (TOPS), ACM.
Record Date: 25 Aug 2025