Federated Learning (FL) is a promising technology that enables multiple actors to build a joint model without sharing their raw data. Its distributed nature makes FL vulnerable to various poisoning attacks, including model poisoning attacks and data poisoning attacks. Many Byzantine-resilient FL methods have been introduced to mitigate model poisoning attacks, but their effectiveness against data poisoning attacks remains unclear. In this paper, we focus on the most representative data poisoning attack, the "label flipping attack", and measure its effectiveness against existing FL methods. The results show that the existing FL methods perform similarly in independent and identically distributed (IID) settings but fail to maintain model robustness in Non-IID settings. To mitigate the weaknesses of existing FL methods in Non-IID scenarios, we introduce the Honest Score Client Selection (HSCS) scheme and the corresponding HSCSFL framework. In HSCSFL, the server holds a clean dataset for evaluation. In each iteration, the server collects the gradients from the clients and then performs HSCS to select the aggregation candidates. The server first evaluates the per-class performance of the global model and generates the corresponding risk vector, which indicates which classes could potentially be under attack. Similarly, the server evaluates each client's model and records its per-class performance as an accuracy vector. The dot product of each client's accuracy vector and the global risk vector is the client's honest score; only the clients with the top p% honest scores are included in the following aggregation. Finally, the server aggregates the selected gradients and uses the outcome to update the global model. Comprehensive experimental results show that HSCSFL effectively enhances FL robustness and defends against the "label flipping attack."
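The HSCS round described above, written out as an added example that is not the paper's code. It uses a toy 1-D nearest-centroid model (one centroid per class) so that every evaluation can be checked by hand; a client's "gradient" is the delta between its local class means and the global centroids, and the server evaluates a client's model by applying that delta to the global model. Two details the abstract does not fix are assumptions here: the risk vector is taken as 1 minus the global model's per-class accuracy on the clean set, and the top p% is computed with a floor (at least one client). The client data, the clean set and the partially poisoned starting model are constructed.

```python
"""Honest Score Client Selection (HSCS) round on a toy nearest-centroid model.

Added example, not the paper's code. Assumptions: risk vector = 1 - per-class
accuracy of the global model on the server's clean set; the client gradient is
a centroid delta; top-p% selection is floored to at least one client.
"""
from typing import Dict, List, Tuple

Sample = Tuple[float, int]   # (feature, label); 1-D features keep the math checkable
Model = List[float]          # one centroid per class
NUM_CLASSES = 3

# Constructed clean evaluation set held by the server.
CLEAN_SET: List[Sample] = (
    [(x, 0) for x in (0.0, 1.0, 2.0, 3.0)]
    + [(x, 1) for x in (10.0, 11.0, 12.0, 13.0)]
    + [(x, 2) for x in (30.0, 31.0, 32.0, 33.0)]
)


def predict(model: Model, x: float) -> int:
    """Nearest-centroid classification (ties resolve to the lower class id)."""
    return min(range(len(model)), key=lambda c: abs(x - model[c]))


def per_class_accuracy(model: Model, data: List[Sample]) -> List[float]:
    """Accuracy vector: fraction of correctly classified samples per class."""
    correct = [0] * NUM_CLASSES
    total = [0] * NUM_CLASSES
    for x, y in data:
        total[y] += 1
        correct[y] += int(predict(model, x) == y)
    return [c / t if t else 0.0 for c, t in zip(correct, total)]


def risk_vector(global_acc: List[float]) -> List[float]:
    """Assumption: a class the global model already gets wrong is the one at risk."""
    return [1.0 - a for a in global_acc]


def local_update(global_model: Model, local_data: List[Sample]) -> List[float]:
    """Client step: move each locally present class centroid to the local mean.
    Returns the delta sent to the server; classes absent locally send 0."""
    delta = [0.0] * NUM_CLASSES
    for c in range(NUM_CLASSES):
        xs = [x for x, y in local_data if y == c]
        if xs:
            delta[c] = sum(xs) / len(xs) - global_model[c]
    return delta


def apply(model: Model, delta: List[float], lr: float = 1.0) -> Model:
    return [m + lr * d for m, d in zip(model, delta)]


def honest_scores(global_model: Model, deltas: Dict[str, List[float]],
                  clean: List[Sample]) -> Dict[str, float]:
    """Honest score = dot(client accuracy vector, global risk vector)."""
    risk = risk_vector(per_class_accuracy(global_model, clean))
    scores = {}
    for cid, delta in deltas.items():
        acc = per_class_accuracy(apply(global_model, delta), clean)
        scores[cid] = sum(a * r for a, r in zip(acc, risk))
    return scores


def select_top_p(scores: Dict[str, float], p_percent: int) -> List[str]:
    """Keep the top p% of clients by honest score (ties broken by client id)."""
    k = max(1, len(scores) * p_percent // 100)
    return sorted(scores, key=lambda cid: (-scores[cid], cid))[:k]


def hscs_round(global_model: Model, client_data: Dict[str, List[Sample]],
               clean: List[Sample], p_percent: int = 50):
    """One HSCSFL iteration: collect deltas, score, select, aggregate, update."""
    deltas = {cid: local_update(global_model, d) for cid, d in client_data.items()}
    scores = honest_scores(global_model, deltas, clean)
    chosen = select_top_p(scores, p_percent)
    agg = [sum(deltas[c][k] for c in chosen) / len(chosen) for k in range(NUM_CLASSES)]
    return apply(global_model, agg), scores, chosen


def flip_labels(data: List[Sample], src: int, dst: int) -> List[Sample]:
    """Label flipping attack: relabel every src-class sample as dst."""
    return [(x, dst if y == src else y) for x, y in data]


# Constructed starting point: the global class-1 centroid has already drifted
# toward class 0 (as after earlier poisoned rounds), so class 0 is the risky class.
GLOBAL_MODEL: Model = [1.5, 4.0, 31.5]
CLS0 = [(x, 0) for x in (0.5, 1.0, 2.0, 2.5)]
CLS1 = [(x, 1) for x in (10.5, 11.0, 12.0, 12.5)]
CLS2 = [(x, 2) for x in (30.5, 31.0, 32.0, 32.5)]
CLIENTS: Dict[str, List[Sample]] = {
    "A_iid": CLS0 + CLS1 + CLS2,                  # honest, IID
    "B_cls0_2": CLS0 + CLS2,                      # honest, Non-IID
    "D_cls1_2": CLS1 + CLS2,                      # honest, Non-IID
    # attacker: its class-0 shard is relabelled as class 1 (0 -> 1 flip)
    "C_attacker": flip_labels([(x, 0) for x in (1.0, 2.0, 3.0, 3.0)], 0, 1) + CLS2,
}

if __name__ == "__main__":
    new_model, scores, chosen = hscs_round(GLOBAL_MODEL, CLIENTS, CLEAN_SET, 50)
    print("risk:", risk_vector(per_class_accuracy(GLOBAL_MODEL, CLEAN_SET)))
    print("honest scores:", scores, "selected:", chosen)
    print("global after round:", new_model,
          "accuracy:", per_class_accuracy(new_model, CLEAN_SET))
```

With these inputs the risk vector is [0.25, 0, 0], so only class-0 accuracy counts: the attacker's update pulls the class-1 centroid into the class-0 region, its evaluated model drops to 0.5 on class 0 and it scores lowest; the Non-IID honest client that holds no class-1 data scores below the clients that repair the drifted centroid, which are the two selected at p = 50%. Note the degenerate case this exposes: if the global model is perfect on the clean set, the risk vector is all zeros and every client scores 0, so selection falls back to the tie-break; a deployment would need a tie rule or a softer risk measure for that round.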