Model poisoning is an integrity attack against federated learning where an adversary manipulates their local training data or model updates to corrupt the global model. Unlike Byzantine failures, which are random, poisoning is a deliberate, targeted assault designed to degrade overall accuracy or embed a backdoor trigger that causes misclassification only on attacker-chosen inputs.
Glossary
Model Poisoning

What is Model Poisoning?
A security attack on federated learning where a malicious participant uploads a deliberately crafted, corrupted model update to sabotage the global model's performance or introduce a backdoor.
Defenses against model poisoning rely on Byzantine-resilient aggregation rules, such as Krum or trimmed mean, which statistically filter out anomalous updates before they contaminate the global model. These mechanisms assume that malicious gradients will appear as outliers in the high-dimensional weight space, allowing the central server to discard them.
Types of Model Poisoning Attacks
Model poisoning attacks target the integrity of the federated learning process by injecting malicious updates. These attacks are broadly categorized by the adversary's goal: indiscriminate sabotage of model convergence or the stealthy insertion of a targeted backdoor.
Byzantine (Untargeted) Poisoning
A denial-of-service style attack aiming to destroy the global model's convergence or accuracy. The adversary uploads random noise, large-magnitude gradients, or deliberately false updates to maximize the deviation of the global model from its optimal state. This attack exploits the statistical heterogeneity of federated learning, making it difficult to distinguish a malicious update from a genuinely divergent one. Common methods include reversing the sign of gradients or scaling them by a large factor.
Backdoor (Targeted) Poisoning
A stealthy attack where the adversary trains a local model to perform normally on validation data but misclassify specific inputs with a trigger pattern. The goal is to embed a hidden functionality into the global model. In semantic backdoors, the trigger is a natural feature (e.g., a specific accent in voice recognition). In artificial backdoors, the trigger is a pixel pattern or a specific signal perturbation. The attack is often combined with model replacement, where the malicious update is scaled to overwrite the global model.
Sybil-Based Poisoning
An attack that amplifies the impact of a single adversary by creating multiple fake client identities (Sybil nodes). In federated learning, the server's aggregation rule is often weighted by the number of data points. An adversary controlling many Sybil clients can dominate the aggregation round, even with small per-client updates. This undermines secure aggregation protocols that assume each identity is a distinct, honest entity.
Data Poisoning at Source
While not an attack on the federated protocol itself, an adversary can poison the local dataset on a compromised edge device before training begins. This label flipping or clean-label poisoning causes the local model to learn a corrupted mapping. The resulting malicious update is then uploaded, appearing as a legitimate but poorly trained model. This is particularly dangerous in cross-device federated learning with millions of unmanaged endpoints.
Adaptive Poisoning Against Defenses
A sophisticated attack where the adversary has full knowledge of the aggregation defense mechanism (e.g., Krum, Trimmed Mean) and crafts updates specifically to evade it. The attacker analyzes the defense's rejection criteria and generates malicious updates that fall within the accepted statistical bounds while still corrupting the model. This cat-and-mouse dynamic requires defenses like Byzantine resilience to be continuously updated.
Frequently Asked Questions
Explore the mechanics, risks, and defenses against adversarial attacks that corrupt the federated learning process by injecting malicious model updates.
A model poisoning attack is a security exploit where a malicious participant in a federated learning system deliberately crafts and uploads a corrupted model update to sabotage the global model's performance or introduce a backdoor. Unlike data poisoning, which targets the training dataset, model poisoning directly manipulates the gradient or weight updates sent to the aggregation server. The attacker's goal is typically to cause the global model to misclassify specific inputs (a targeted backdoor) or to degrade overall model accuracy (an untargeted attack). Because the server cannot inspect raw client data, detecting these corrupted updates requires sophisticated Byzantine-resilient aggregation rules and anomaly detection on the parameter space itself.
Model Poisoning Defense Strategies
Comparison of defense mechanisms against malicious model updates in federated learning systems
| Defense Strategy | Krum | Trimmed Mean | Federated Averaging with Differential Privacy |
|---|---|---|---|
Primary Mechanism | Selects single update closest to geometric median of all updates | Discards extreme values per coordinate before averaging | Clips per-client updates and adds calibrated Gaussian noise |
Byzantine Tolerance | Up to 33% malicious clients | Up to 25% malicious clients | Mitigates but does not guarantee Byzantine resilience |
Computational Overhead | O(n²) pairwise distance computation | O(n log n) per coordinate sorting | O(n) clipping and noise generation |
Convergence Impact on Clean Data | Moderate slowdown vs. standard FedAvg | Minimal slowdown with correct trim threshold | Accuracy degradation proportional to privacy budget ε |
Backdoor Attack Resistance | |||
Targeted Model Replacement Defense | |||
Preserves Non-IID Performance | |||
Communication Overhead vs. Standard FedAvg | Identical | Identical | Identical |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding model poisoning requires familiarity with the broader ecosystem of adversarial attacks and defense mechanisms in federated learning.
Byzantine Resilience
The property of a distributed system that enables it to reach a correct consensus despite the presence of arbitrarily faulty or malicious participants. In the context of model poisoning, Byzantine-resilient aggregation rules—such as Krum, Trimmed Mean, or Median—replace simple averaging to filter out anomalous model updates that deviate significantly from the group. These algorithms operate on the assumption that a bounded fraction of clients are adversaries.
- Krum: Selects the single update that is closest to its neighbors in vector space
- Trimmed Mean: Discards extreme values for each parameter coordinate before averaging
- Multi-Krum: Extends Krum to select multiple updates for aggregation
Backdoor Attack
A targeted form of model poisoning where an adversary injects a hidden, malicious functionality into the global model that is triggered only by specific input patterns or triggers. Unlike untargeted poisoning that aims to degrade overall accuracy, a backdoor attack preserves performance on clean samples to evade detection while causing a pre-defined misclassification when the trigger is present.
- Semantic backdoors: Triggered by natural features (e.g., a specific word in text)
- Artificial backdoors: Triggered by pixel patterns or signal perturbations
- Edge-case backdoors: Exploit rare inputs that are naturally misclassified
Secure Aggregation
A cryptographic protocol that allows a central server to compute the sum of encrypted model updates from multiple clients without being able to inspect any individual contribution in plaintext. While secure aggregation protects privacy, it paradoxically complicates poisoning defense because the server cannot inspect individual updates for anomalies. This creates a fundamental tension between confidentiality and integrity in federated systems.
- Relies on secret sharing or pairwise masking
- Server only sees the final aggregated result
- Requires integration with out-of-band anomaly detection for poisoning defense
Differential Privacy
A mathematical framework that provides a provable guarantee of privacy by injecting calibrated statistical noise into model updates. When applied at the client level (local differential privacy), it bounds the influence of any single data point on the model. This noise can inadvertently mask poisoning attempts by making malicious updates appear statistically plausible, or conversely, the clipping step in DP-SGD can limit the magnitude of poisoned updates.
- ε (epsilon): Privacy loss parameter; lower values mean stronger privacy
- Clipping threshold: Bounds the L2 norm of individual gradients
- Trade-off: Stronger privacy guarantees can reduce Byzantine resilience
Model Inversion Attack
A privacy attack where an adversary exploits access to a trained model to reconstruct sensitive features or representative samples of the private training data. While distinct from poisoning, model inversion is often a secondary objective of a malicious participant who first poisons the model to weaken its generalization, making it more susceptible to leaking training data. A poisoned model with overfitted decision boundaries leaks more information.
- Gradient inversion: Reconstructs training inputs from shared gradients
- Membership inference: Determines if a specific record was in the training set
- Attribute inference: Recovers sensitive attributes of training subjects
Gradient Compression
A communication efficiency technique that reduces the size of model updates transmitted from clients by applying lossy compression such as sparsification or quantization. While primarily designed to save bandwidth, gradient compression can inadvertently act as a defense against poisoning by stripping away the subtle, high-precision perturbations that adversaries rely on to craft stealthy poisoned updates.
- Top-k sparsification: Transmits only the largest gradient values
- Random sparsification: Randomly selects a fraction of gradient elements
- Quantization: Reduces gradient precision to 8-bit or 1-bit representations

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us