Inferensys

Glossary

Model Poisoning

A security attack on federated learning where a malicious participant uploads a deliberately crafted, corrupted model update to sabotage the global model's performance or introduce a backdoor.
ML engineer managing model training cluster on laptop, GPU utilization visible, technical deep learning setup.
ADVERSARIAL ATTACK

What is Model Poisoning?

A security attack on federated learning where a malicious participant uploads a deliberately crafted, corrupted model update to sabotage the global model's performance or introduce a backdoor.

Model poisoning is an integrity attack against federated learning where an adversary manipulates their local training data or model updates to corrupt the global model. Unlike Byzantine failures, which are random, poisoning is a deliberate, targeted assault designed to degrade overall accuracy or embed a backdoor trigger that causes misclassification only on attacker-chosen inputs.

Defenses against model poisoning rely on Byzantine-resilient aggregation rules, such as Krum or trimmed mean, which statistically filter out anomalous updates before they contaminate the global model. These mechanisms assume that malicious gradients will appear as outliers in the high-dimensional weight space, allowing the central server to discard them.

ADVERSARIAL THREAT TAXONOMY

Types of Model Poisoning Attacks

Model poisoning attacks target the integrity of the federated learning process by injecting malicious updates. These attacks are broadly categorized by the adversary's goal: indiscriminate sabotage of model convergence or the stealthy insertion of a targeted backdoor.

01

Byzantine (Untargeted) Poisoning

A denial-of-service style attack aiming to destroy the global model's convergence or accuracy. The adversary uploads random noise, large-magnitude gradients, or deliberately false updates to maximize the deviation of the global model from its optimal state. This attack exploits the statistical heterogeneity of federated learning, making it difficult to distinguish a malicious update from a genuinely divergent one. Common methods include reversing the sign of gradients or scaling them by a large factor.

1%
Malicious clients required to break FedAvg
02

Backdoor (Targeted) Poisoning

A stealthy attack where the adversary trains a local model to perform normally on validation data but misclassify specific inputs with a trigger pattern. The goal is to embed a hidden functionality into the global model. In semantic backdoors, the trigger is a natural feature (e.g., a specific accent in voice recognition). In artificial backdoors, the trigger is a pixel pattern or a specific signal perturbation. The attack is often combined with model replacement, where the malicious update is scaled to overwrite the global model.

99%+
Backdoor accuracy on triggered inputs
04

Sybil-Based Poisoning

An attack that amplifies the impact of a single adversary by creating multiple fake client identities (Sybil nodes). In federated learning, the server's aggregation rule is often weighted by the number of data points. An adversary controlling many Sybil clients can dominate the aggregation round, even with small per-client updates. This undermines secure aggregation protocols that assume each identity is a distinct, honest entity.

>50%
Sybil nodes required for majority control
05

Data Poisoning at Source

While not an attack on the federated protocol itself, an adversary can poison the local dataset on a compromised edge device before training begins. This label flipping or clean-label poisoning causes the local model to learn a corrupted mapping. The resulting malicious update is then uploaded, appearing as a legitimate but poorly trained model. This is particularly dangerous in cross-device federated learning with millions of unmanaged endpoints.

06

Adaptive Poisoning Against Defenses

A sophisticated attack where the adversary has full knowledge of the aggregation defense mechanism (e.g., Krum, Trimmed Mean) and crafts updates specifically to evade it. The attacker analyzes the defense's rejection criteria and generates malicious updates that fall within the accepted statistical bounds while still corrupting the model. This cat-and-mouse dynamic requires defenses like Byzantine resilience to be continuously updated.

MODEL POISONING

Frequently Asked Questions

Explore the mechanics, risks, and defenses against adversarial attacks that corrupt the federated learning process by injecting malicious model updates.

A model poisoning attack is a security exploit where a malicious participant in a federated learning system deliberately crafts and uploads a corrupted model update to sabotage the global model's performance or introduce a backdoor. Unlike data poisoning, which targets the training dataset, model poisoning directly manipulates the gradient or weight updates sent to the aggregation server. The attacker's goal is typically to cause the global model to misclassify specific inputs (a targeted backdoor) or to degrade overall model accuracy (an untargeted attack). Because the server cannot inspect raw client data, detecting these corrupted updates requires sophisticated Byzantine-resilient aggregation rules and anomaly detection on the parameter space itself.

BYZANTINE-RESILIENT AGGREGATION COMPARISON

Model Poisoning Defense Strategies

Comparison of defense mechanisms against malicious model updates in federated learning systems

Defense StrategyKrumTrimmed MeanFederated Averaging with Differential Privacy

Primary Mechanism

Selects single update closest to geometric median of all updates

Discards extreme values per coordinate before averaging

Clips per-client updates and adds calibrated Gaussian noise

Byzantine Tolerance

Up to 33% malicious clients

Up to 25% malicious clients

Mitigates but does not guarantee Byzantine resilience

Computational Overhead

O(n²) pairwise distance computation

O(n log n) per coordinate sorting

O(n) clipping and noise generation

Convergence Impact on Clean Data

Moderate slowdown vs. standard FedAvg

Minimal slowdown with correct trim threshold

Accuracy degradation proportional to privacy budget ε

Backdoor Attack Resistance

Targeted Model Replacement Defense

Preserves Non-IID Performance

Communication Overhead vs. Standard FedAvg

Identical

Identical

Identical

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.