
arxiv: 2409.09794 · v2 · submitted 2024-09-15 · 💻 cs.CR · cs.DC · cs.LG

Federated Learning in Adversarial Environments: Testbed Design and Poisoning Resilience in Cybersecurity

Pith reviewed 2026-05-23 20:47 UTC · model grok-4.3

classification 💻 cs.CR · cs.DC · cs.LG
keywords federated learning · poisoning attacks · cybersecurity · intrusion detection · testbed · Raspberry Pi · Nvidia Jetson · adversarial robustness

The pith

Hardware testbed shows federated learning for intrusion detection remains vulnerable to poisoning attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper designs a federated learning testbed on Raspberry Pi and Nvidia Jetson hardware running the Flower framework and applies it to a case study of federated intrusion detection systems. It runs comprehensive tests of poisoning attacks against both model parameters and training data to measure effects on anomaly detection performance. The work establishes that federated learning supports privacy-preserving collaboration across devices yet stays open to integrity attacks that can degrade detection accuracy. A sympathetic reader would care because the results point to concrete risks when moving such systems into production environments that protect critical network infrastructure.

Core claim

The paper presents the design and implementation of a federated learning testbed using Raspberry Pi and Nvidia Jetson hardware with the Flower framework, demonstrates its use in a federated intrusion detection case study, and through poisoning experiments concludes that federated learning enhances data privacy and distributed learning but remains vulnerable to poisoning attacks, which must be mitigated to ensure reliability in real-world applications.

What carries the argument

The Raspberry Pi and Nvidia Jetson hardware testbed running the Flower framework, which supports experimentation with federated learning performance, scalability, integration, and resilience testing against poisoning in intrusion detection.

Load-bearing premise

The specific poisoning attacks run on the Raspberry Pi and Jetson testbed represent the realistic adversarial threats a production federated intrusion detection system would face.

What would settle it

Running the same model and data poisoning techniques against a live federated intrusion detection system in an operational network, aggregating with the same undefended federated averaging the testbed uses, and observing no measurable drop in detection accuracy would falsify the vulnerability claim. A system that resists the attacks only because it adds robust aggregation or update filtering would not falsify it; it would confirm that the mitigation the paper calls for is needed.

Figures

Figures reproduced from arXiv: 2409.09794 by Hakan T. Otal, Hao Jian Huang, M. Abdullah Canbaz.

Figure 1: System architecture for the testbed, illustrating t
Figure 2: The performance of FL testbed clients models with nor
Figure 3: The performance of each experiment with multiple cli
Figure 4: The performance of the aggregated model of each exper
Original abstract

This paper presents the design and implementation of a Federated Learning (FL) testbed, focusing on its application in cybersecurity and evaluating its resilience against poisoning attacks. Federated Learning allows multiple clients to collaboratively train a global model while keeping their data decentralized, addressing critical needs for data privacy and security, particularly in sensitive fields like cybersecurity. Our testbed, built using Raspberry Pi and Nvidia Jetson hardware by running the Flower framework, facilitates experimentation with various FL frameworks, assessing their performance, scalability, and ease of integration. Through a case study on federated intrusion detection systems, the testbed's capabilities are shown in detecting anomalies and securing critical infrastructure without exposing sensitive network data. Comprehensive poisoning tests, targeting both model and data integrity, evaluate the system's robustness under adversarial conditions. The results show that while federated learning enhances data privacy and distributed learning, it remains vulnerable to poisoning attacks, which must be mitigated to ensure its reliability in real-world applications.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The manuscript presents the design and implementation of a federated learning testbed using Raspberry Pi and Nvidia Jetson hardware running the Flower framework, applied to a case study on federated intrusion detection systems in cybersecurity. It evaluates performance, scalability, and integration, then conducts comprehensive poisoning tests targeting model and data integrity to assess robustness, concluding that while FL enhances privacy and distributed learning, it remains vulnerable to poisoning attacks that must be mitigated for real-world reliability.

Significance. A hardware testbed for adversarial FL experimentation in cybersecurity could enable reproducible evaluation of poisoning resilience if the attacks and setup are shown to be representative. The practical implementation on constrained devices provides a concrete platform that, if validated against realistic threat models, would strengthen the case for incorporating defenses such as robust aggregation in production federated IDS deployments.

major comments (1)
  1. [Abstract and case study on federated intrusion detection systems] The central claim that the system 'remains vulnerable to poisoning attacks, which must be mitigated to ensure its reliability in real-world applications' (Abstract) is load-bearing on the representativeness of the testbed attacks. The manuscript provides no justification or mapping showing that the model/data integrity attacks implemented via Flower on Raspberry Pi/Jetson correspond to plausible adversary capabilities against a deployed federated IDS (e.g., whether they assume direct client control or unconstrained updates that production systems with anomaly detection on gradients would prevent).
minor comments (1)
  1. [Abstract] The abstract states results show vulnerability but provides no quantitative metrics, dataset descriptions, or attack success rates; adding these would improve clarity of the evaluation.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the detailed review and constructive feedback on the representativeness of the attack models. We address the major comment below and will revise the manuscript to strengthen the threat-model discussion.

Point-by-point responses
  1. Referee: [Abstract and case study on federated intrusion detection systems] The central claim that the system 'remains vulnerable to poisoning attacks, which must be mitigated to ensure its reliability in real-world applications' (Abstract) is load-bearing on the representativeness of the testbed attacks. The manuscript provides no justification or mapping showing that the model/data integrity attacks implemented via Flower on Raspberry Pi/Jetson correspond to plausible adversary capabilities against a deployed federated IDS (e.g., whether they assume direct client control or unconstrained updates that production systems with anomaly detection on gradients would prevent).

    Authors: We agree that an explicit mapping between the implemented attacks and realistic adversary capabilities in production federated IDS deployments would strengthen the central claim. The attacks implemented (data poisoning via label flipping on client datasets and model poisoning via arbitrary parameter updates through the Flower framework) follow standard techniques from the FL security literature and assume a threat model in which participating clients can be fully compromised or controlled by an adversary. This corresponds to scenarios with direct client control but does not account for server-side defenses such as gradient anomaly detection or robust aggregation that might constrain updates in a real deployment. In the revised manuscript we will add a dedicated subsection under the threat model (Section 3 or 4) that (1) states the assumed adversary capabilities, (2) explicitly notes the absence of server-side defenses in the current testbed, and (3) discusses the limitations of the results with respect to more defended production systems. This will clarify that the testbed provides a baseline demonstration of vulnerability under the stated model rather than a claim of universal vulnerability.
    revision: yes
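The two attack classes named in the rebuttal (a client that flips the labels of its local training data, and a client that returns an arbitrary parameter update, here the honest update scaled and inverted) and the robust-aggregation defense the referee raises, run side by side in plain Python. This is an added example, not code from the paper, its testbed or the Flower framework. It assumes a toy two-feature logistic "attack/benign" classifier trained on constructed synthetic data, five clients of which two are malicious, and a boost factor of -20 for the model poisoner; none of these choices come from the paper, and `coord_median` is a standard coordinate-wise median aggregator rather than whatever defense the authors might adopt.

```python
"""Toy federated intrusion-detection training: honest clients, one
label-flipping client (data poisoning) and one client sending a scaled,
inverted update (model poisoning), aggregated by plain FedAvg or by a
coordinate-wise median. Pure Python; no Flower, no numpy."""
import math
import random
from typing import Callable, List, Tuple

Vec = List[float]
Dataset = List[Tuple[Vec, int]]


def make_dataset(n: int, seed: int) -> Dataset:
    """Constructed data: two features, label 1 ("attack") when x0 + x1 > 0."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0), rng.uniform(-1.0, 1.0)]
        rows.append((x, 1 if x[0] + x[1] > 0 else 0))
    return rows


def sigmoid(z: float) -> float:
    z = max(-500.0, min(500.0, z))  # poisoned weights can grow large; avoid exp overflow
    return 1.0 / (1.0 + math.exp(-z))


def predict(w: Vec, x: Vec) -> float:
    return sigmoid(w[0] + w[1] * x[0] + w[2] * x[1])


def local_train(w: Vec, data: Dataset, lr: float = 0.5, epochs: int = 5) -> Vec:
    """Full-batch gradient descent on logistic loss, starting from the global model."""
    w = list(w)
    for _ in range(epochs):
        grad = [0.0, 0.0, 0.0]
        for x, y in data:
            err = predict(w, x) - y
            grad[0] += err
            grad[1] += err * x[0]
            grad[2] += err * x[1]
        w = [wi - lr * g / len(data) for wi, g in zip(w, grad)]
    return w


def flip_labels(data: Dataset) -> Dataset:
    """Data poisoning: the client trains honestly, but on relabelled data."""
    return [(x, 1 - y) for x, y in data]


def model_poison(global_w: Vec, honest_w: Vec, boost: float = -20.0) -> Vec:
    """Model poisoning (assumed attack shape): return the honest update scaled
    and inverted, so it dominates an unweighted average of five clients."""
    return [g + boost * (h - g) for g, h in zip(global_w, honest_w)]


def fedavg(updates: List[Vec]) -> Vec:
    """Plain federated averaging with equal client weights."""
    return [sum(col) / len(col) for col in zip(*updates)]


def coord_median(updates: List[Vec]) -> Vec:
    """Byzantine-robust aggregation: per-coordinate median of the client models.
    Tolerates fewer than half of the clients being malicious."""
    out = []
    for col in zip(*updates):
        s = sorted(col)
        m = len(s) // 2
        out.append(s[m] if len(s) % 2 else (s[m - 1] + s[m]) / 2.0)
    return out


def accuracy(w: Vec, data: Dataset) -> float:
    hits = sum(int((predict(w, x) > 0.5) == (y == 1)) for x, y in data)
    return hits / len(data)


def federated_run(aggregate: Callable[[List[Vec]], Vec], attack: bool,
                  n_clients: int = 5, rounds: int = 10) -> float:
    """Train for `rounds` rounds and return test accuracy of the global model.
    With attack=True, client 3 flips its labels and client 4 poisons its model."""
    clients = [make_dataset(200, seed) for seed in range(n_clients)]
    test = make_dataset(1000, seed=99)
    global_w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        updates = []
        for i, data in enumerate(clients):
            if attack and i == 3:
                updates.append(local_train(global_w, flip_labels(data)))
            elif attack and i == 4:
                updates.append(model_poison(global_w, local_train(global_w, data)))
            else:
                updates.append(local_train(global_w, data))
        global_w = aggregate(updates)
    return accuracy(global_w, test)


if __name__ == "__main__":
    for name, agg in (("fedavg", fedavg), ("median", coord_median)):
        print(f"{name:7s} clean={federated_run(agg, False):.3f} "
              f"attacked={federated_run(agg, True):.3f}")
```

With two malicious clients out of five, FedAvg under attack drives the global model to the inverted decision boundary while the coordinate-wise median keeps the honest clients' model, because the poisoned and flipped updates land on the extremes of every sorted coordinate and are never selected. The median stops helping once adversaries are a majority, and it does not stop a poisoner whose update stays inside the honest spread; that is exactly why the referee asks for a stated threat model before the vulnerability result is read as a production risk.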

Circularity Check

0 steps flagged

No circularity; experimental testbed with independent empirical results

full rationale

The paper describes construction of a hardware testbed (Raspberry Pi/Jetson with Flower) and reports experimental outcomes from poisoning attacks on a federated intrusion detection case study. No equations, fitted parameters, predictions, or derivations appear in the provided text. The central claim, that FL is vulnerable to poisoning and requires mitigation, rests on direct observation of attack effects within the testbed rather than on any self-referential reduction, self-citation chain, or ansatz smuggled in via prior work. The finding does not depend on external benchmarks and is falsifiable by running the same attacks on alternative hardware or frameworks. No load-bearing step reduces to its own inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

Abstract-only review yields no explicit free parameters or invented entities. The one recorded axiom is that the chosen hardware and framework behave as documented by their maintainers, on top of standard FL semantics.

axioms (1)
  • domain assumption The Flower framework correctly implements standard federated averaging and client-server communication.
    Invoked by the choice to build the testbed on Flower without further verification.

pith-pipeline@v0.9.0 · 5702 in / 1159 out tokens · 23081 ms · 2026-05-23T20:47:20.414657+00:00 · methodology

