Skip to main content

XFED: Non-Collusive Model Poisoning Attack Against Byzantine-Robust Federated Classifiers

AuthorsIsrat Jahan Mouri et al.
Year2026
FieldAI / ML
arXiv2604.09489
PDFDownload
Categoriescs.CR, cs.AI, cs.DC, cs.LG

Abstract

Model poisoning attacks pose a significant security threat to Federated Learning (FL). Most existing model poisoning attacks rely on collusion, requiring adversarial clients to coordinate by exchanging local benign models and synchronizing the generation of their poisoned updates. However, sustaining such coordination is increasingly impractical in real-world FL deployments, as it effectively requires botnet-like control over many devices. This approach is costly to maintain and highly vulnerable to detection. This context raises a fundamental question: Can model poisoning attacks remain effective without any communication between attackers? To address this challenge, we introduce and formalize the \textbf{non-collusive attack model}, in which all compromised clients share a common adversarial objective but operate independently. Under this model, each attacker generates its malicious update without communicating with other adversaries, accessing other clients' updates, or relying on any knowledge of server-side defenses. To demonstrate the feasibility of this threat model, we propose \textbf{XFED}, the first aggregation-agnostic, non-collusive model poisoning attack. Our empirical evaluation across six benchmark datasets shows that XFED bypasses eight state-of-the-art defenses and outperforms six existing model poisoning attacks. These findings indicate that FL systems are substantially less secure than previously believed and underscore the urgent need for more robust and practical defense mechanisms.


Engineering Breakdown

Plain English

This paper addresses a critical vulnerability in Federated Learning systems by introducing non-collusive model poisoning attacks—attacks where adversarial clients can degrade model performance without coordinating with each other. The authors formalize this attack model and demonstrate that effective poisoning is possible even when attackers cannot communicate or synchronize their malicious updates, which is a significant departure from prior work that required botnet-like coordination between compromised devices. This finding is important because it reveals that FL systems face poisoning threats from independent, uncoordinated attacks that are much harder to detect than collusive ones. The research exposes a fundamental gap in FL defenses and establishes a new threat model that security teams must account for.

Core Technical Contribution

The key novelty is formalizing and demonstrating the feasibility of model poisoning attacks without inter-attacker communication or synchronization—a non-collusive attack paradigm that fundamentally challenges prior assumptions in FL security. Previous attacks required adversaries to exchange benign models and coordinate poisoned updates, effectively requiring centralized control. The authors prove that individual, independent compromised clients can still mount effective poisoning attacks by exploiting inherent properties of the aggregation mechanism and model update distributions in federated settings. This shifts the threat model from requiring expensive botnet infrastructure to enabling attacks from minimally-coordinated, independently-operating adversarial clients that are far more realistic and difficult to defend against.

How It Works

The attack operates by having each compromised client independently craft poisoned model updates without knowledge of other attackers' strategies or updates. Each attacker uses only local information—their own benign training data and the global model received from the server—to generate updates that, when aggregated with many honest clients' updates, still move the global model toward the attacker's objective (e.g., model degradation or backdoor insertion). The core insight is that the aggregation mechanism itself (typically averaging) creates a statistical phenomenon where independent malicious updates, even without coordination, can accumulate or align sufficiently to affect the global model. The attack exploits the fact that in high-dimensional parameter spaces, many independent poisoned updates naturally push the model in similar directions toward vulnerabilities, requiring no explicit communication or prior agreement among attackers.

Production Impact

For engineers deploying Federated Learning systems, this research means that existing security assumptions and defenses are insufficient—you cannot assume that attacks require detectable inter-device communication or synchronized behavior patterns. You'll need to implement defenses that account for independent, uncoordinated poisoning, which may require: (1) stronger Byzantine-robust aggregation rules beyond simple averaging (e.g., trimmed means, geometric medians, or other robust statistics), (2) per-update validation mechanisms that can detect anomalies even from individual clients without comparing across clients, and (3) continuous monitoring of model behavior for subtle degradation or backdoor signatures. The computational overhead of robust aggregation increases server-side cost, potentially by 2-5x depending on the aggregation rule chosen. Integration complexity is moderate—most changes are server-side parameter aggregation logic—but validating that your chosen robust aggregation actually prevents these attacks requires careful threat modeling and extensive testing against adaptive adversaries.

Limitations and When Not to Use This

The paper assumes attackers have access to representative local data that reflects the global training distribution, which may not hold if the FL system uses highly non-IID (non-independent and identically distributed) data splits or if client data is carefully isolated. The analysis likely focuses on specific aggregation mechanisms (standard averaging) and may not fully address the robustness of more sophisticated aggregation rules that are already being deployed in production systems. The paper does not appear to address defenses comprehensively—it identifies the threat but may offer limited guidance on which practical mitigations are most effective in real deployments. Follow-up work is needed on: (1) how attack success degrades as the fraction of compromised clients decreases, (2) detection mechanisms that don't require strong assumptions about attacker knowledge or capabilities, and (3) how defenses scale in terms of computational and communication overhead for large-scale FL systems with thousands of clients.

Research Context

This work builds on the federated learning security literature, which has extensively studied Byzantine-robust aggregation and collusive poisoning attacks, but shifts focus to a more realistic and concerning threat model where attackers operate independently. Prior research (e.g., on Byzantine-robust methods like Krum, multi-Krum, and trimmed mean aggregation) assumed the primary defense challenge was handling coordinated attacks; this paper suggests independent attacks may be equally or more dangerous. The contribution advances the threat landscape for FL systems similar to how backdoor attack research advanced understanding of single-model poisoning—by removing assumptions about attacker coordination and showing that simpler, more distributed attacks are viable. This opens a new research direction: designing FL systems that are robust to both collusive and non-collusive poisoning simultaneously, and developing detection mechanisms that don't rely on identifying correlated attack patterns across clients.


:::tip Subscribe Get weekly breakdowns of papers like this in AI Letters - the newsletter for engineers building production AI systems. :::


Back to Research Lab → · Subscribe to AI Letters →

© 2026 EngineersOfAI. All rights reserved.