Current defense mechanisms against model poisoning attacks in federated learning (FL) systems have proven effective up to a certain threshold of malicious clients. In this work, we introduce FLANDERS, a novel pre-aggregation filter for FL resilient to large-scale model poisoning attacks, i.e., when malicious clients far exceed legitimate participants. FLANDERS treats the sequence of local models sent by clients in each FL round as a matrix-valued time series. Then, it identifies malicious client updates as outliers in this time series by comparing actual observations with estimates generated by a matrix autoregressive forecasting model maintained by the server. Experiments conducted in several non-iid FL setups show that FLANDERS significantly improves robustness across a wide spectrum of attacks when paired with standard and robust existing aggregation methods.
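The following is an added, simplified illustration of the mechanism the abstract describes; it is not the authors' FLANDERS implementation. It fits a first-order matrix autoregressive model X_t ≈ A X_{t-1} B to the history of per-round client-update matrices by alternating least squares, forecasts the current round, scores each client by the distance between its actual update and the forecast, and keeps the n_keep least anomalous clients (the fitting routine, the ranking rule, and the synthetic data are assumptions made for this example).

```python
import numpy as np

def fit_mar1(history, iters=5):
    """Fit X_t ~ A @ X_{t-1} @ B over a list of (n_clients, d) round matrices.
    Alternating least squares: solve for A with B fixed, then B with A fixed."""
    n, d = history[0].shape
    A, B = np.eye(n), np.eye(d)
    prev, nxt = np.stack(history[:-1]), np.stack(history[1:])  # (T-1, n, d)
    for _ in range(iters):
        Z = prev @ B                                  # nxt ~ A @ Z
        A = np.einsum('tij,tkj->ik', nxt, Z) @ np.linalg.pinv(np.einsum('tij,tkj->ik', Z, Z))
        W = A @ prev                                  # nxt ~ W @ B
        B = np.linalg.pinv(np.einsum('tij,tik->jk', W, W)) @ np.einsum('tij,tik->jk', W, nxt)
    return A, B

def anomaly_scores(history, current):
    """Per-client distance between the submitted update and the MAR forecast."""
    A, B = fit_mar1(history)
    forecast = A @ history[-1] @ B
    return np.linalg.norm(current - forecast, axis=1)

def pre_aggregation_filter(history, current, n_keep):
    """Return indices of the n_keep clients closest to the forecast, plus all scores.
    Only these rows would be handed to the aggregation rule (FedAvg, Krum, ...)."""
    scores = anomaly_scores(history, current)
    return np.argsort(scores)[:n_keep], scores

def make_demo(n_clients=10, d=8, rounds=6, malicious=(0, 1, 2, 3, 5, 8), seed=0):
    """Constructed data: honest updates drift smoothly (X_t = 0.9 X_{t-1} + noise);
    in the current round 6 of 10 clients (a malicious majority) send large random vectors."""
    rng = np.random.default_rng(seed)
    X = rng.normal(size=(n_clients, d))
    history = [X]
    for _ in range(rounds - 1):
        X = 0.9 * X + 0.05 * rng.normal(size=X.shape)
        history.append(X)
    current = 0.9 * history[-1] + 0.05 * rng.normal(size=X.shape)
    current[list(malicious)] = 5.0 * rng.normal(size=(len(malicious), d))
    return history, current, set(malicious)

if __name__ == "__main__":
    history, current, bad = make_demo()
    kept, scores = pre_aggregation_filter(history, current, n_keep=4)
    print("kept clients:", sorted(kept.tolist()), "(malicious were", sorted(bad), ")")
```

Because the forecast comes from the server-side history rather than from a vote among the current round's submissions, the filter still isolates the honest minority when attackers outnumber legitimate clients.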