FedTrident: Resilient Road Condition Classification Against Poisoning Attacks in Federated Learning

FL has emerged as a transformative paradigm for ITS, notably camera-based Road Condition Classification (RCC). However, by enabling collaboration, FL-based RCC exposes the system to adversarial participants launching Targeted Label-Flipping Attacks (TLFAs). Malicious clients (vehicles) can relabel their local training data (e.g., from an actual uneven road to a wrong smooth road), consequently compromising global model predictions and jeopardizing transportation safety. Existing countermeasures against such poisoning attacks fail to maintain resilient model performance near the necessary attack-free levels in various attack scenarios due to: 1) not tailoring poisoned local model detection to TLFAs, 2) not excluding malicious vehicular clients based on historical behavior, and 3) not remedying the already-corrupted global model after exclusion. To close this research gap, we propose FedTrident, which introduces: 1) neuron-wise analysis for local model misbehavior detection (notably including attack goal identification, critical feature extraction, and GMM-based model clustering and filtering); 2) adaptive client rating for client exclusion according to the local model detection results in each FL round; and 3) machine unlearning for corrupted global model remediation once malicious clients are excluded during FL. Extensive evaluation across diverse FL-RCC models, tasks, and configurations demonstrates that FedTrident can effectively thwart TLFAs, achieving performance comparable to that in attack-free scenarios and outperforming eight baseline countermeasures by 9.49% and 4.47% for the two most critical metrics. Moreover, FedTrident is resilient to various malicious client rates, data heterogeneity levels, complicated multi-task, and dynamic attacks.

翻译：联邦学习（FL）已成为智能交通系统（ITS）的一种变革性范式，尤其在基于摄像头的路面状态分类（RCC）中。然而，通过启用协作，基于FL的路面状态分类使系统面临对抗性参与者发起的定向标签翻转攻击（TLFA）。恶意客户端（车辆）可篡改其本地训练数据的标签（例如，将实际不平整路面错误标注为平整路面），从而破坏全局模型预测并危及交通安全。现有针对此类毒性攻击的防御方法在多种攻击场景下，无法将模型性能维持在接近无攻击水平所需的弹性状态，原因在于：1）未针对定向标签翻转攻击（TLFA）定制本地中毒模型检测，2）未基于历史行为排除恶意车辆客户端，3）在排除恶意客户端后未修复已受损的全局模型。为弥补这一研究空白，我们提出FedTrident，其引入以下机制：1）基于神经元分析的本地模型异常行为检测（尤其包括攻击目标识别、关键特征提取及基于高斯混合模型（GMM）的模型聚类与过滤）；2）根据每轮联邦学习（FL）中的本地模型检测结果，采用自适应客户端评分机制进行客户端排除；3）在联邦学习过程中一旦排除恶意客户端，即采用机器遗忘技术对受损全局模型进行修复。跨多种FL-RCC模型、任务及配置的广泛评估表明，FedTrident能有效抵御定向标签翻转攻击（TLFA），在两项最关键指标上达到接近无攻击场景的性能，且相较于八种基线防御方法分别提升9.49%和4.47%。此外，FedTrident对各类恶意客户端比例、数据异质性水平、复杂多任务及动态攻击均具有弹性。