Researchers Show Poisoning Breaks LDP Federated Learning
A new study demonstrates a practical and worrying fact: local differential privacy does not automatically stop model poisoning. The authors present adaptive attacks that respect the local privacy constraints yet are crafted to slip past robust aggregators such as Multi-Krum and trimmed mean. In experiments on MNIST, Fashion-MNIST and CIFAR-10, the attacks degrade accuracy dramatically; in some settings a malicious share of just 10 to 20 per cent of clients can collapse the global model.
On one side, defenders point out that LDP and robust aggregation still raise the bar for attackers and preserve user privacy, and that production systems can combine multiple protections. On the other side, this research shows attackers can work within the DP constraints and use optimization tricks to evade those safeguards. That gap matters: privacy noise can mask anomalies and make classical anomaly detection fragile.
Here is the obvious middle path. This is serious but not a reason to panic or to assume all privacy-preserving FL is hopeless. We should stop treating LDP as a silver bullet and instead layer defenses. Practical steps include:
- Limit single-client influence via clipping and contribution bounds, and tune the clipping threshold to realistic workloads (a minimal sketch follows this list).
- Adopt DP-aware anomaly detection and Byzantine-resilient aggregation designed for noisy updates.
- Enforce stronger governance: participant vetting, monitoring, and red-team poisoning tests before deployment.
- Use conservative privacy budgets and log stability metrics to detect divergence early.
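As a concrete starting point for the first item above, here is a minimal sketch, assuming the server receives each client's (already LDP-perturbed) update as a NumPy vector; it pairs per-client norm clipping with a coordinate-wise trimmed mean, one of the robust aggregators the paper evaluates. The clipping threshold and trim fraction are illustrative choices, not values from the study.

```python
import numpy as np

def clip_update(update, max_norm=1.0):
    """Bound a single client's influence by clipping its update to max_norm (L2)."""
    norm = np.linalg.norm(update)
    if norm > max_norm:
        update = update * (max_norm / norm)
    return update

def trimmed_mean(updates, trim_frac=0.1):
    """Coordinate-wise trimmed mean: drop the trim_frac highest and lowest
    values per coordinate before averaging, limiting the pull of outliers."""
    stacked = np.stack(updates)                    # shape: (n_clients, n_params)
    k = int(trim_frac * stacked.shape[0])
    sorted_vals = np.sort(stacked, axis=0)
    kept = sorted_vals[k:stacked.shape[0] - k] if k > 0 else sorted_vals
    return kept.mean(axis=0)

# Toy round: clip each client report, then aggregate robustly.
rng = np.random.default_rng(0)
client_updates = [clip_update(rng.normal(size=100)) for _ in range(20)]
global_delta = trimmed_mean(client_updates, trim_frac=0.1)
```

Clipping caps how far any single report can move the aggregate, and the coordinate-wise trim discards the most extreme values before averaging; the paper's point is that an adaptive attacker can still shape updates to sit inside exactly these bounds, which is why the remaining items on the list matter too.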
Think of LDP as privacy insurance, not a security moat. Systems in health, finance or safety-critical settings need layered controls, audits and adversarial testing (NIST AI RMF; IEEE S&P and USENIX Security work on distributed ML threats) before you trust a federated model in production.
Additional analysis of the original arXiv paper
📋 Original Paper Title and Abstract
On Evaluating the Poisoning Robustness of Federated Learning under Local Differential Privacy
🔍 ShortSpan Analysis of the Paper
Problem
Federated learning with local differential privacy (LDP) enables privacy preserving model training across decentralised data sources. However, the decentralised data management in LDP federated learning (LDPFL) leaves it vulnerable to participants with malicious intent. The robustness of LDPFL protocols against model poisoning attacks, in which adversaries inject malicious updates to disrupt global model convergence, has not been thoroughly studied. The paper investigates whether malicious clients can degrade the global model by submitting crafted LDP reports, and whether common defence mechanisms such as robust aggregation can withstand such attacks while preserving DP guarantees.
Approach
The authors propose a novel and extensible model poisoning attack framework for LDPFL, with the objective of maximising global training loss while adhering to local privacy constraints. They introduce two primary attack strategies, the Local Loss Reversal Attack (LLRA) and the Targeted Model Manipulation Attack (TMMA), plus an Adaptive Poisoning Attack (AdaPA) that enhances these strategies to evade robust aggregation. The attacks rely on local information or minimal global information, cover input and output poisoning scenarios, and are considered under varying knowledge settings: global knowledge, local knowledge, and a partial knowledge extension.

The evaluation covers three representative LDPFL protocols, three benchmark datasets and two neural network architectures, while also examining data heterogeneity and privacy budgets. The protocols studied are LDPSGD, PrivateFL and LDP-FL, which differ in how DP is applied to updates and how a server handles perturbation and preprocessing layers. Robust aggregation methods such as Multi-Krum and trimmed mean serve as potential defences, and constraint fitting is integrated to ensure malicious updates satisfy both LDP and aggregation constraints.

Datasets include MNIST, Fashion-MNIST and CIFAR-10, with models such as VGG-Mini for lightweight tasks and ResNet-18 for CIFAR-10. A Dirichlet-based non-IID data partitioning (alpha default 500) simulates near-IID conditions, with analyses across varying heterogeneity. Privacy budgets are explored by adjusting noise scales and epsilon values, and attack effectiveness is measured by the resulting error rate of the global model. The authors provide code at a public repository to enable reproducibility.
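To make two of these experimental ingredients concrete, here is a minimal sketch, assuming NumPy and generic function names of our own; it illustrates Dirichlet-based non-IID partitioning and a clip-then-noise client report in the spirit of LDP, not the paper's actual protocols or noise calibration.

```python
import numpy as np

def dirichlet_partition(labels, n_clients, alpha=500.0, seed=0):
    """Split sample indices across clients using a per-class Dirichlet prior.
    Large alpha (e.g. the default of 500) gives near-IID shards; small alpha
    concentrates each class on a few clients (non-IID)."""
    rng = np.random.default_rng(seed)
    client_indices = [[] for _ in range(n_clients)]
    for cls in np.unique(labels):
        cls_idx = np.where(labels == cls)[0]
        rng.shuffle(cls_idx)
        proportions = rng.dirichlet(alpha * np.ones(n_clients))
        cut_points = (np.cumsum(proportions)[:-1] * len(cls_idx)).astype(int)
        for client_id, shard in enumerate(np.split(cls_idx, cut_points)):
            client_indices[client_id].extend(shard.tolist())
    return client_indices

def ldp_style_report(update, clip_norm=1.0, noise_scale=0.5, rng=None):
    """Illustrative client-side report: clip the update, then add Gaussian noise.
    noise_scale stands in for whatever calibration the privacy budget implies."""
    rng = rng or np.random.default_rng()
    norm = max(np.linalg.norm(update), 1e-12)
    clipped = update * min(1.0, clip_norm / norm)
    return clipped + rng.normal(scale=noise_scale * clip_norm, size=update.shape)
```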
Key Findings
- Adaptive model poisoning attacks can significantly degrade the global model performance and hinder convergence, even when LDP is in place and robust aggregation is used.
- Two main attack families are proposed: LLRA and TMMA, with input (I) and output (O) variants. AdaPA extends these attacks to account for robust aggregation constraints, enabling evasive poisoning under Multi-Krum and trimmed mean defences.
- Across three LDPFL protocols, three datasets and two networks, attacks routinely outperform random poisoning baselines, with TMMA generally more effective than LLRA. TMMA on Output (TMMA-O) often yields stronger disruption than its input counterpart, and TMMA on Input (TMMA-I) frequently outperforms LLRA variants overall.
- Under Multi-Krum defences (a minimal sketch of this aggregator appears after the list), sensitivity to data heterogeneity is evident. For LDPSGD and PrivateFL, as few as 10 per cent compromised clients can significantly degrade accuracy, with 15 per cent leading to substantial losses and 20 per cent bringing near collapse in some settings. For LDP-FL, higher-complexity datasets or larger models raise the threshold for noticeable impact, with 20 to 25 per cent compromised clients required for strong disruption on MNIST and Fashion-MNIST, while CIFAR-10 thresholds vary by model (roughly 5 per cent for VGG-Mini and 10 per cent for ResNet).
- Under trimmed mean defences, AdaPA achieves high error rates even with modest compromises, with strong effects on MNIST and Fashion-MNIST; however, on CIFAR-10 with VGG-Mini the advantage of AdaPA over LLRA can be limited by low baseline accuracy in some cases.
- Data heterogeneity generally increases vulnerability under Multi-Krum, particularly for non-IID distributions with low alpha. Trimmed mean shows varying robustness, and LDP-FL combined with Multi-Krum offers the most robust defence across heterogeneity levels, though some gains diminish with increased complexity.
- Privacy budgets influence attack effectiveness. Higher epsilon values (less noise) improve general model robustness to poisoning, whereas very small budgets can destabilise training. In LDP-FL, a critical epsilon threshold exists where the server model becomes unstable and fails to converge, illustrating DP budget as a practical defence limit.
- The study confirms the need for defence enhancements that are DP aware, including anomaly detection and aggregation strategies specifically designed to withstand poisoning under DP constraints.
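For context on the aggregator these findings repeatedly reference, here is a minimal Multi-Krum sketch in NumPy with illustrative parameters; the AdaPA constraint fitting described above is aimed at producing malicious updates that survive exactly this kind of distance-based selection.

```python
import numpy as np

def multi_krum(updates, n_byzantine, n_select):
    """Multi-Krum: score each update by the sum of squared distances to its
    n - f - 2 closest neighbours, then average the n_select lowest-scoring ones."""
    stacked = np.stack(updates)                     # shape: (n_clients, n_params)
    n = stacked.shape[0]
    n_neighbours = n - n_byzantine - 2
    sq_dists = np.linalg.norm(stacked[:, None, :] - stacked[None, :, :], axis=-1) ** 2
    scores = []
    for i in range(n):
        others = np.delete(sq_dists[i], i)          # distances to all other clients
        scores.append(np.sort(others)[:n_neighbours].sum())
    chosen = np.argsort(scores)[:n_select]          # keep the most "central" updates
    return stacked[chosen].mean(axis=0)

# Example round: 20 clients, assume up to 4 Byzantine, keep the 5 best-scored updates.
rng = np.random.default_rng(1)
updates = [rng.normal(size=50) for _ in range(20)]
aggregate = multi_krum(updates, n_byzantine=4, n_select=5)
```

Because LDP noise widens the spread of benign updates, distance-based scores like these become easier for a crafted update to blend into, which is the gap the paper exploits.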
Limitations
The study focuses on three LDPFL protocols, three datasets and two network architectures, which may limit generalisability to other protocols, tasks or production settings. Attacks assume adversaries can observe benign client reports or have some global information about the client population, which may not always hold. Constraint fitting for attack updates can add computational complexity and may not capture all real world constraints. The results depend on the specific Dirichlet data heterogeneity and chosen privacy budgets, so findings may vary under different data distributions or privacy configurations.
Why It Matters
The results reveal real world vulnerabilities in privacy preserving FL, showing that poisoning attacks can persist despite local differential privacy and defensive aggregation. This underscores the need for DP aware, Byzantine resilient aggregation and robust anomaly detection that account for DP constraints. The work highlights security implications for sensitive domains such as health and finance, where trusted deployment, governance and stronger protections are essential to prevent degraded models or misuse. The accompanying code enables reproducibility and further research into resilient, privacy preserving federated learning systems.