1. Bibliographic Information

1.1. Title

The central topic of the paper is a defense mechanism against label poisoning attacks in federated learning environments, which integrates concepts from label noise analysis and adversarial training.

1.2. Authors

The authors are:

• Esa Hallaj

• Roozbeh Razavi-Far

• Mehrdad Saif

• Enrique Herrera-Viedma

  Their affiliations include the Department of Electrical and Computer Engineering at the University of Windsor, Canada, and Granada, Spain (presumably University of Granada for Enrique Herrera-Viedma, though not explicitly stated for all). Their research backgrounds appear to be in electrical and computer engineering, with a focus on machine learning, federated learning, and security aspects.

1.3. Journal/Conference

The paper was published in an Elsevier B.V. journal, based on the copyright notice and publication timeline. The specific journal name is not provided in the abstract or article info, but Elsevier is a well-regarded academic publisher in engineering and computer science fields, indicating a peer-reviewed publication.

1.4. Publication Year

The paper was received on October 9, 2022, revised on December 22, 2022, accepted on February 8, 2023, and made available online on February 14, 2023. Therefore, the publication year is 2023.

1.5. Abstract

This paper addresses the vulnerability of federated learning (FL) systems to label poisoning attacks, where malicious actors exploit data decentralization to corrupt shared models. It proposes a novel defense mechanism that combines adversarial training and label noise analysis. Specifically, the authors design a Generative Adversarial Label Poisoner (GALP) to artificially inject local models with label noise that mimics real-world backdoor and label flipping attacks. This synthetic noise helps train client models to be robust against various noise mechanisms (class-independent, class-dependent, and instance-dependent). Additionally, the paper advocates for using noisy-label classifiers within the client models. The combination of GALP and noisy-label classifiers enables the models to learn and counteract potential noise distributions, thereby neutralizing corrupted updates. The work also includes a comparative study of state-of-the-art deep noisy label classifiers. The proposed framework's effectiveness is evaluated on two Internet of Things (IoT) network datasets for intrusion detection, showing promising results.

1.6. Original Source Link

The original source link provided is /files/papers/690885161ccaadf40a4344fa/paper.pdf. This appears to be a relative path or an internal file system link, not a public URL. Given the copyright information from Elsevier B.V. and the availability date, it is likely an officially published paper, possibly behind a paywall, or an accepted manuscript from a journal.

2. Executive Summary

2.1. Background & Motivation

The core problem the paper aims to solve is the vulnerability of federated learning (FL) systems to label poisoning attacks. FL is a distributed machine learning paradigm where models are trained collaboratively across decentralized devices without sharing raw data, addressing data privacy and communication efficiency concerns inherent in centralized cloud-based training.

However, this decentralized nature and privacy feature, where the server does not directly observe client data, create a significant security loophole. Malicious actors can exploit this by manipulating their local training data (data poisoning) and sending forged updates to the central server. These corrupted updates can then degrade the global model, eventually affecting all other participants. Specifically, label poisoning (manipulating the labels of data samples) is identified as an open and critical research problem. Such attacks can lead to catastrophic consequences, especially in sensitive applications like Intrusion Detection Systems (IDS), where targeted attacks can inject backdoors (making specific malicious samples undetectable) or untargeted attacks can drastically increase false alarm rates, rendering the system dysfunctional. The challenge lies in distinguishing malicious label noise from benign, unintentional noise, as malicious noise often follows a specific, designed pattern.

The paper's entry point and innovative idea stem from treating label poisoning as a noisy label classification problem. While noisy label classifiers can handle random noise, they struggle with adversarial noise that follows specific patterns. The innovation lies in proposing a generative model (Generative Adversarial Label Poisoner or GALP) to artificially simulate these adversarial label poisoning attacks. By training noisy label classifiers on this known artificially poisoned data, the models can learn to recognize and become robust against the distribution of real-world label poisoning attacks, effectively "vaccinating" them.

2.2. Main Contributions / Findings

The paper makes several primary contributions:

• Novel Robustness Approach: Proposes a novel approach to make neural network models robust against label poisoning attacks by treating malicious labels as noisy labels. This is a shift from traditional defense mechanisms that might focus on anomaly detection of updates.

• Generative Adversarial Label Poisoner (GALP) Design: Introduces and designs GALP, a Generative Adversarial Network (GAN)-based scheme. GALP artificially injects client networks with synthetic label noise that resembles real backdoor and label flipping attacks. This allows for training noisy label classifiers on known label noise distributions, enabling them to learn attack patterns.

• Comparative Study of Noisy-Label Classifiers: Conducts a comprehensive comparative study of state-of-the-art deep noisy label classifiers to identify the most compatible and effective models when coupled with GALP.

• Categorization of Label Poisoning Attacks: Studies label poison attacks based on three distinct label noise mechanisms (class-independent, class-dependent, and instance-dependent) within the FL context. It demonstrates how backdoor and label flipping attacks map to these mechanisms, informing the GALP design.

• Empirical Evaluation on IoT Networks: Designs and tests an FL-based IDS on two real-world IoT network datasets (UNSW-NB15 and NIMS). The study investigates the effects of noise ratio and label noise mechanism on the IDS's detection performance, providing practical validation.

  The key conclusion is that coupling the GALP algorithm with a robust noisy-label classifier (specifically CORES in their experiments) significantly reduces the impact of malicious noisy labels in FL systems. The findings indicate that GALP effectively neutralizes label flipping attacks (simulated by class-dependent and class-independent noise) regardless of the noise ratio. For backdoor attacks (simulated by instance-dependent noise), GALP effectively neutralizes noise ratios up to ten percent, showing robustness for typical attack scenarios. This solves the problem of FL models being vulnerable to label poisoning by proactively training them to recognize and mitigate adversarial noise patterns.

3. Prerequisite Knowledge & Related Work

3.1. Foundational Concepts

To understand this paper, a reader should be familiar with the following core concepts:

• Machine Learning (ML): A field of artificial intelligence that uses statistical techniques to give computer systems the ability to "learn" from data, without being explicitly programmed. In ML, models are trained on datasets to find patterns and make predictions or decisions.
• Deep Learning (DL): A subfield of ML that uses artificial neural networks with multiple layers (deep networks) to learn representations of data with multiple levels of abstraction. Deep neural networks are particularly effective for complex tasks like image recognition, natural language processing, and, in this context, intrusion detection.
• Federated Learning (FL): An ML paradigm that enables multiple decentralized edge devices or organizations to collaboratively train a shared global model without exchanging their local data.
  • Decentralization: Data remains on local devices.
  • Privacy: Raw data is not shared with a central server, only model updates (e.g., gradients or model parameters).
  • Aggregation: A central server aggregates the model updates from multiple clients to create an improved global model, which is then sent back to the clients.
• Intrusion Detection System (IDS): A security mechanism that monitors network traffic or system activities for malicious activities or policy violations. An IDS is crucial for protecting IoT networks from cyberattacks.
• Generative Adversarial Network (GAN): A class of artificial intelligence algorithms used in unsupervised learning, implemented by a system of two neural networks, a Generator ($G$) and a Discriminator ($D$), contesting with each other in a zero-sum game framework.
  • Generator ($\mathcal{G}$): Learns to create new data instances that resemble the training data. Its goal is to produce fake data convincing enough to fool the Discriminator.
  • Discriminator ($\mathcal{D}$): Learns to distinguish between real data from the training set and fake data produced by the Generator. Its goal is to correctly identify fake data.
  • Adversarial Training: The Generator and Discriminator are trained simultaneously. The Generator tries to minimize the Discriminator's ability to distinguish real from fake, while the Discriminator tries to maximize its ability to do so. This adversarial process drives both networks to improve.
• Label Noise: Errors or inaccuracies in the labels (target outputs) of a dataset. Instead of the true label, a data sample might have an incorrect label.
  • Class-independent (Symmetric/NCAR - Noisy Completely At Random): The probability of a label being corrupted is independent of the true class or any other variables. E.g., any label has a fixed probability of being randomly swapped with another label.
  • Class-dependent (Asymmetric/NAR - Noisy At Random): The probability of a label being corrupted depends on its true class. E.g., 'cat' labels might often be mislabeled as 'dog', but not vice-versa, or specific classes are more prone to mislabeling than others.
  • Instance-dependent (NNAR - Noisy Not At Random): The probability of a label being corrupted depends on both the sample's features ($x$) and its true class ($y$). This is the most complex and realistic type of noise, often indicative of a malicious attack targeting specific data patterns.
• Label Poisoning Attacks: A type of data poisoning attack where an adversary intentionally manipulates the labels of training data samples to degrade the performance of a machine learning model.
  • Targeted Attack: Aims to cause misclassification for specific target samples or classes, or inject backdoors.
  • Untargeted Attack: Aims to degrade the overall performance of the model across all classes.
  • Label Flipping Attack: A common type of label poisoning where the true label of a data sample is changed to an incorrect label. It can be untargeted (random swaps) or targeted (swapping specific labels to specific incorrect ones).
  • Backdoor Attack: A more sophisticated targeted label poisoning attack where the attacker embeds a "trigger" pattern into a small subset of training data. When this trigger is present in input data during inference, the model is forced to output a specific, incorrect prediction, while maintaining high accuracy on clean data without the trigger. This is highly effective for injecting vulnerabilities.
• Noisy-Label Classifiers: Machine learning models or training techniques specifically designed to be robust to label noise during training, often by trying to identify and correct mislabeled samples or minimize their impact.
• F-measure (F1-score): A metric used in statistical analysis of binary classification to measure a test's accuracy. It is the harmonic mean of precision and recall. It is useful for imbalanced datasets where one class is much more frequent than the other.
• Accuracy: The proportion of total predictions that were correct. Calculated as (True Positives + True Negatives) / (Total Samples).

3.2. Previous Works

The paper references several prior works, primarily in the context of federated learning, label noise, and adversarial attacks.

• Federated Learning Challenges and Security:

  • [1, 2] Highlight data privacy and latency as major concerns in traditional centralized ML for IoT.
  • [3] Google's original proposal for Federated Learning to address these issues.
  • [4, 5] Discuss privacy-preserving features of FL.
  • [6] Hallaji et al. (one of the current paper's authors) survey adversaries and defense mechanisms in FL.
  • [7] Mothukuri et al. survey security and privacy of federated learning.
  • [8] Nasr et al. analyze privacy attacks against centralized and federated learning.
  • [9, 10] Detail how backdoor attacks can be launched in FL.
  • [11] Discusses false data injection on features (distinguishing it from label poisoning). These works establish the context of FL's vulnerability to data poisoning, especially label poisoning, which is the focus of the current paper.

• Noisy Label Classification Techniques: The paper compares against or builds upon various state-of-the-art noisy label classifiers:

  • Co-teaching [13]: Trains two neural networks simultaneously, where each network selects "clean" samples (those confidently predicted by the other network) to train itself, thus being robust to noisy labels. It leverages the observation that deep neural networks tend to fit clean data before memorizing noisy labels.
  • MetaWeight-Net [14]: A meta-learning approach that learns to assign weights to samples. It extracts sample weights automatically to eliminate training bias from noisy labels.
  • Label Confidence [15]: Estimates label confidence to filter out noisy labels, treating confidence as a metric for sample reliability.
  • Label Enhancement [16]: Recovers and refines the label distribution, often based on "trusted data".
  • ProSelfLC [17]: Progressive self label correction based on minimum entropy regularization. It assumes deep models learn informative samples before fitting noise, guiding the process with "trusted data" obtained via label enhancement.
  • Stochastic Label Noise [18]: Suggests that stochastic gradient noise induced by stochastic label noise can help combat inherent label noise.
  • Learning from Massive Noisy Labeled Data (LMNL) [19]: A framework for convolutional neural networks that models relationships between samples, class labels, and label noise using a probabilistic graphical model, even with limited clean labels.
  • Masking [20]: Incorporates human cognition of noisy class transitions by speculating the noise transition matrix structure. It uses a structure-aware probabilistic model to estimate unmasked noise transition probabilities.
  • Gold Loss Correction (GLC) [21]: A semi-supervised method that uses a small set of trusted data to estimate label noise parameters and then trains a corrected classifier on the noisy labels.
  • Probabilistic End-to-End Noise Correction for Learning with Noisy Labels (PENCIL) [22]: Updates both network parameters and label estimations as label distributions. It is backbone-independent and does not require auxiliary clean data or prior noise information.
  • Symmetric Cross Entropy Learning (SCEL) [23]: Addresses overfitting to noisy labels on "easy classes" and under-learning on "hard classes" when using cross-entropy. It symmetrically combines cross-entropy with Reverse Cross Entropy (RCE) for robustness.
    • Cross-Entropy Loss (H(p, q)): Measures the difference between two probability distributions, $p$ (true distribution) and $q$ (predicted distribution). For classification, if $y$ is the one-hot encoded true label and $\hat{y}$ is the model's predicted probability distribution, the cross-entropy loss for a single sample is: $ L_{CE} = -\sum_{i=1}^{C} y_i \log(\hat{y}_i) $ where $C$ is the number of classes.
    • Reverse Cross-Entropy Loss (H(q, p)): Swaps the roles of the true and predicted distributions. $ L_{RCE} = -\sum_{i=1}^{C} \hat{y}_i \log(y_i) $ While $y_i$ is typically one-hot and $\log(y_i)$ would be undefined for $y_i=0$, RCE is usually applied with a smoothed version of $y_i$ or within specific contexts like SCEL where the true labels are implicitly handled (e.g., through confidence estimation or a noise transition matrix). The intuition is that it penalizes predictions that are far from the true label, but in a way that is less sensitive to hard mislabeling than standard cross-entropy.
    • Symmetric Cross-Entropy (SCEL) Loss: Combines Cross-Entropy and Reverse Cross-Entropy: $ L_{SCEL} = L_{CE} + L_{RCE} $ This combination aims to leverage the benefits of both, reducing overfitting to noisy labels while improving under-learning.
  • COnfidence REgularized Sample Sieve (CORES) [24]: Filters out noisy samples by learning the underlying clean distribution rather than the noisy distribution. It defines a regularization term to enhance model confidence and separates clean and noisy samples to apply a supervised loss on clean data and an unsupervised consistency loss on noisy samples.
  • Online Label Smoothing (OLS) [25]: Assumes model predictive distributions can discover inter-category relationships. It replaces label smoothing by generating soft labels that consider these relationships, treating each category as a moving label distribution.

3.3. Technological Evolution

The field has evolved from centralized ML with inherent privacy and latency issues to federated learning as a solution. However, FL introduced new security challenges, particularly data poisoning attacks, which are harder to detect due to data decentralization. Initial defenses often focused on feature poisoning or simple label flipping that induced class-independent noise. The evolution progressed to understanding more sophisticated label noise mechanisms (class-dependent, instance-dependent) that mimic backdoor attacks. Simultaneously, research in noisy label classification advanced, leading to various techniques to handle different types of label inaccuracies.

This paper's work fits within this evolution by bridging adversarial attack simulation (using GANs) with noisy label classification. Instead of solely relying on noisy label classifiers to implicitly handle unknown noise, it proactively generates adversarial noise to explicitly train models to be robust against targeted attack patterns. This represents a step forward in making FL more robust against realistic and sophisticated label poisoning threats, particularly those that leverage specific noise mechanisms for malicious goals like backdoors.

3.4. Differentiation Analysis

Compared to prior noisy label classification methods, this paper's core innovation is the integration of a Generative Adversarial Label Poisoner (GALP) into the federated learning training process.

• Traditional Noisy-Label Classifiers: Most existing noisy label classifiers (e.g., Co-teaching, LMNL, Masking, GLC, PENCIL, SCEL, CORES, OLS) are designed to handle unintentional or randomly distributed label noise. While some, like CORES, target instance-dependent noise, they primarily focus on detecting and correcting noise within the given dataset. They might struggle if the noise distribution is specifically crafted by an intelligent adversary to evade detection.

• This Paper's Approach (GALP + Noisy Classifier): The key differentiator is the proactive generation of adversarial label noise using GALP. GALP simulates backdoor and label flipping attacks by creating class-dependent and instance-dependent noise. By training the noisy label classifiers on this artificially generated and controlled adversarial noise, the models are "vaccinated." This means the noisy label classifier doesn't just try to recover from unknown noise; it learns the signature of malicious noise and its distribution, making it explicitly robust against such attack patterns.

• Focus on Federated Learning Security: While noisy label classification is a general ML problem, this paper specifically applies and adapts it to the FL context to address a critical security vulnerability that arises from FL's decentralized nature. The GALP ensures that even attacker models, when initialized with server updates, become "vaccinated," thus neutralizing their poisoned updates.

• Comprehensive Noise Mechanisms: The paper explicitly addresses all three label noise mechanisms (class-independent, class-dependent, instance-dependent) and maps label flipping and backdoor attacks to these, providing a more structured approach to adversarial noise generation.

  In essence, while previous work provided tools to handle label noise, this paper provides a method to prepare the models against maliciously crafted label noise in a federated setting by generating realistic attack scenarios for training.

4. Methodology

The proposed framework aims to mitigate label poisoning attacks in federated learning by combining a Generative Adversarial Label Poisoner (GALP) with noisy label classifiers. The core idea is to "vaccinate" local models against label poisoning by injecting them with artificially generated label noise that mimics real attack patterns. This allows the models to learn the distribution of malicious noise and become robust to it.

The overall process is illustrated in Image 2.

Image 2: Schematic diagram illustrating the proposed defense mechanism in federated learning that combines adversarial training with label noise analysis.

The process flow is as follows:

1. Local Model Initialization: Each client model ($\mathcal{M}_r$) is initialized with the latest global update ($\theta_S$) from the server.

2. Artificial Poisoning by GALP: On each client, the GALP component generates artificially poisoned data ($\tilde{Y}$) by injecting label noise into a subset of the client's local dataset ($T_r$). The GALP uses a Generator ($\mathcal{G}$) and a Discriminator ($\mathcal{D}$) to create label noise that resembles class-dependent or instance-dependent label poisoning attacks.

3. Noisy Label Classifier Training: The client's local model ($\mathcal{M}_r$), which is a chosen noisy label classifier, is then trained on a combination of its original clean data and the artificially poisoned data generated by GALP. This training makes the model robust to various noise distributions. This robust model is referred to as a "vaccinated model."

4. Local Parameter Update: After training, the vaccinated model produces updated local parameters ($\theta_{out}^r$).

5. Server Aggregation: These vaccinated parameters ($\theta_{out}^r$) are sent to the central server. The server aggregates the parameters from all participating clients using an aggregation function ($f(\cdot)$) to produce a new global model update ($\theta_S$).

6. Global Model Broadcast: The server broadcasts this new vaccinated global update ($\theta_S$) back to all clients.

7. Attack Neutralization: If an attacker attempts to poison their local data, their model will also be initialized with the vaccinated global update. Consequently, the attacker's model will be vaccinated against label poisoning, and the poisoned updates it sends to the server will have a neutralized effect on the aggregation process.

   Consider a federated network with a set of $k$ client models $$\boldsymbol{\Gamma} = \{ \mathcal{M}_1, \mathcal{M}_2, \ldots, \mathcal{M}_k \}$$. Each client model $\mathcal{M}_r$ operates on a training set $\mathcal{T}_r = \{X_r, Y_r \}$, where $$X_r = \{x_1^r, x_2^r, \ldots, x_{m_r}^r \}$$ are samples and $$Y_r = \{y_1^r, y_2^r, \ldots, y_{m_r}^r \}$$ are their corresponding labels. $m_r$ is the number of samples in $\mathcal{T}_r$. After noisy labels are injected (either artificially by GALP or by a real attacker), $Y_r$ becomes corrupted for some $\mathcal{T}_r$. The noisy label sets and corrupted training sets are denoted as $$\tilde{Y}_r = \{\tilde{y}_1^r, \tilde{y}_2^r, \ldots, \tilde{y}_{m_r}^r \}$$ and $$\tilde{\mathcal{T}}_r = \{X_r, \tilde{Y}_r \}$$, respectively.

4.1. Label Poisoning using Noisy Label Injection (GALP)

The GALP is a GAN-based system designed to inject label noise using class-dependent and instance-dependent mechanisms. It consists of a Generator ($\mathcal{G}$) and a Discriminator ($\mathcal{D}$).

The core idea is that $\mathcal{G}$ tries to generate fake samples (i.e., samples whose labels are corrupted $$\{x_i^r : y_i^r \neq \tilde{y}_i^r \mid x_i^r \}\}$$) while $\mathcal{D}$ tries to distinguish these fake samples from real samples (i.e., samples with their original labels $$\{y_i^r = \tilde{y}_i^r \mid x_i^r \}\}$$).

The Generator $\mathcal{G}$ takes a random noise matrix $Z$ as input and generates fake samples $\tilde{X}$ corresponding to $\tilde{Y}_r$. The Discriminator $\mathcal{D}$ receives the produced corrupted training set $\tilde{\mathcal{T}}_r$ and identifies samples where the label has been corrupted ($y_i^r \neq \tilde{y}_i^r$).

The structures of $\mathcal{G}$ and $\mathcal{D}$ are formally defined as: $$\mathcal{G}(z_i) = (z_i, u_1^{\mathcal{G}}, u_2^{\mathcal{G}}, \ldots, u_L^{\mathcal{G}}, \tilde{x}_i)$$ $$\mathcal{D}(x_i, \tilde{y}_i) = (\{x_i, \tilde{y}_i\}, u_1^{\mathcal{D}}, u_2^{\mathcal{D}}, \ldots, u_L^{\mathcal{D}}, \hat{y}_i)$$ where:

• $z_i$: input random noise for $\mathcal{G}$.

• $x_i$: input sample for $\mathcal{D}$.

• $\tilde{y}_i$: input noisy label for $\mathcal{D}$.

• $L$: the number of hidden layers in $\mathcal{G}$ and $\mathcal{D}$.

• $u_l^{\mathcal{G}}$ and $u_l^{\mathcal{D}}$: the activations of the representation of the $l$-th layer in $\mathcal{G}$ and $\mathcal{D}$, respectively.

• $\tilde{x}_i$: the generated fake sample from $\mathcal{G}$.

• $\hat{y}_i$: the Discriminator's output, indicating whether the input is real or fake (or the predicted label).

  The computation of hidden layer representations $h_l$ is given by a recursive formulation: $ h_l = \frac{u_{l-1}^T \cdot w_l - \mu_l}{\sigma_l}, \ s.t. \ u_0 = {x_i, \tilde{y}_i}, $ where:

• $u_{l-1}^T$: activation from the previous layer (l-1).

• $w_l$: weights for the current layer ($l$).

• $\mu_l$ and $\sigma_l$: mean and standard deviation of $h_l$, used for batch normalization to normalize the layer's inputs.

• For $\mathcal{G}$, the initial input $u_0$ is $z_i$.

  The activation function $u_l(h_l)$ for the layers is defined as: $ u_l(h_l) = \left{ \begin{array}{ll} 0.01 h_l & \mathrm{if} h_l < 0 \mathrm{~\land~} l < L \ h_l & \mathrm{if} h_l \geq 0 \mathrm{~\land~} l < L \ \frac{1}{1 + e^{-h_l}} & \mathrm{if} l = L \end{array} \right. $ This implies:

• For hidden layers ($l < L$): A Leaky Rectified Linear Unit (Leaky ReLU) activation is used. If $h_l$ is negative, the output is $0.01 h_l$; otherwise, it's $h_l$. Leaky ReLU helps mitigate the "dying ReLU" problem by allowing a small, non-zero gradient when the unit is not active.

• For the output layer ($l = L$): A Sigmoid activation function is used, mapping the output to a range between 0 and 1, suitable for binary classification (e.g., real or fake).

  The GALP algorithm (Algorithm 1) outlines the training process for both class-dependent and instance-dependent injectors.

The following are the results from Algorithm 1 of the original paper:

Algorithm 1: Generative Adversarial Label Poisoner (GALP)

Input: Local data Tr, server update θs, mechanism.
Output: Locally updated parameters θut

Definitions: Instance-dependent confidence threshold: t2.
Initialization:
  Estimate M from Γ.
  Initialize client models Γ.
  Initialize G with random weights.
  Form a random noise matrix Z.
  Initialize D with θ.

1 Classify T, using Mr(θ, Xr) = Y 2 for ∀   do
2    Estimate label error E for  using (6).
3 end for
4  = {c |  > 1}.
5 if Mechanism = Instance-dependent then
6 for ∀{xi, i}  Cc: do
7    Calculate label confidence i using (10).
8 end for
9  = {{    |  < 2}
10 end if
11 for ∀ epochs do
12   Train G on Z: G(Z) = X.
13   switch Mechanism do
14   case Class-dependent do
15     Train D with G(Z) and the class-dependent subset: D(X, CC) = fake
16     Update G and D using cD in (9).
17   end case
18   case Instance-dependent do
19     Train D with G(Z) and the instance-dependent subset: D(X, CD) = Pfake
20     Update G and D using VD in (11).
21   end case
22 end switch
23 end for
24 Train Mr(θs, {X, Y, Y} U Tr).
return

Note: The provided Algorithm 1 text has several OCR/formatting issues (e.g., missing variables, broken symbols, line numbers out of order). I will interpret the intent based on the surrounding text and common GAN training procedures and describe it. The key steps are initialization, error estimation for identifying target classes/instances, and then an epoch loop for GAN training based on the chosen noise mechanism. Finally, the noisy label classifier is trained.

4.1.1. Class-dependent injector

The class-dependent injector aims to create label noise where the corrupted labels are statistically dependent on the true class but not on the sample features ($X$). This mimics a targeted label flipping attack. From a security perspective, the attacker wants to minimize the probability of the injected noisy labels being detected as malicious. To achieve this, the GALP identifies classes that already have a higher error rate when evaluated with the server update $\theta_S$.

First, the current client model $\mathcal{M}_r$ (updated with $\theta_S$) is used to predict labels for the local data $X_r$: $ \mathcal{M}_r(\theta_S, X_r) = \hat{Y}_r, $ where $\hat{Y}_r$ are the predicted labels.

Next, classes with a higher risk of being noisy are determined by calculating the error rate for each class $c_j$ in the local dataset: $ E_j^r = \frac{1}{|c_j|} \sum_{i=1}^{|c_j|} P(\hat{y}_i^r = y_i^r), {x_i, y_i} \in c_j, $ where:

• $E_j^r$: the error probability for class $c_j$ on client $r$'s data.

• $$\Omega = \{c_1, c_2, \ldots, c_k\}$$: the set of all possible data classes. (Note: The paper uses $k$ for both number of clients and number of classes in $\Omega$, which can be ambiguous. Assuming $k$ here refers to number of classes for $\Omega$).

• $|c_j|$: the cardinality (number of samples) of class $c_j$.

• $P(\hat{y}_i^r = y_i^r)$: This term appears to be a misprint in the formula, as it calculates the probability of correct prediction. For an error rate, it should likely be $P(\hat{y}_i^r \neq y_i^r)$ or $1 - P(\hat{y}_i^r = y_i^r)$. However, strictly adhering to the paper's formula, it calculates the average accuracy for each class. If $E_j^r$ is low, it means the class has a higher error.

• $\{x_i, y_i\} \in c_j$: refers to samples belonging to class $c_j$.

  The set of classes with label errors is then identified as $$C_{CD} = \{c_j \mid E_j \neq 0 \}$$. The Generator $\mathcal{G}$ is then fed with random noise $Z$ to produce artificially generated samples $\tilde{X}$: $ \mathcal{G}(Z) = \tilde{X}. $ The Discriminator $\mathcal{D}$ is fed with these generated samples $\tilde{X}$ and the class-dependent subset $C_{CD}$: $ \mathcal{D}(\tilde{X}, C_{CD}) = P_{fake} $ This indicates that $\mathcal{D}$ tries to identify if $\tilde{X}$ coupled with $C_{CD}$ is fake (i.e., corresponds to poisoned labels within the targeted classes).

The class-dependent injector converges by minimizing the following loss function (value function $V_{CD}$): $ \underset{\mathcal{G}}{\operatorname*{min}} \underset{\mathcal{D}}{\operatorname*{max}} V_{CD}(\mathcal{G}, \mathcal{D}) = \mathbb{E}\left[\log \mathcal{D}(\hat{\mathcal{X}}, C_{CD})\right] + \mathbb{E}\left[1 - \mathcal{D}\big(\tilde{\mathcal{X}}, C_{CD}\big)\right], $ where:

• $$\underset{\mathcal{G}}{\operatorname*{min}} \underset{\mathcal{D}}{\operatorname*{max}}$$: This is the minimax objective function typical of GANs. $\mathcal{D}$ tries to maximize its ability to distinguish real from fake, while $\mathcal{G}$ tries to minimize $\mathcal{D}$'s ability to do so.
• $\mathbb{E}[\cdot]$: Expectation operator.
• $\hat{\mathcal{X}}$: Denotes real samples (with their original labels).
• $\tilde{\mathcal{X}}$: Denotes fake samples generated by $\mathcal{G}$.
• $C_{CD}$: The set of classes identified as having errors, used to guide both $\mathcal{G}$ and $\mathcal{D}$ to focus on class-dependent noise. The Generator $\mathcal{G}$ participates in the loss estimation as part of the Discriminator's input.

4.1.2. Instance-dependent injector

The instance-dependent (ID) mechanism is designed to initiate a backdoor attack, meaning the label noise depends on both the sample variables ($x$) and the class labels ($y$). The goal is to produce poisoned labels that are difficult to detect as anomalies. In addition to finding classes with a higher probability of error (as in class-dependent), instance-dependent injector also identifies specific samples within those classes that have the least membership confidence.

Given a Softmax activation function at the final layer of the noisy classifier, the confidence $\varphi_i$ for the $i$-th sample is measured as: $ \varphi_i = \frac{\sum_{j=1}^{|u_L|} (u_L(j) - \bar{u_L})}{|u_L| - 1}, $ where:

• $\varphi_i$: the measured confidence for the $i$-th sample.
• $u_L(j)$: the output of the Softmax layer for class $j$.
• $\bar{u_L}$: the mean of the Softmax output values for all classes for that sample ($$\bar{u_L} = \frac{1}{|u_L|} \sum_{j=1}^{|u_L|} u_L(j)$$).
• $|u_L|$: the number of output classes (dimension of the Softmax output). This formula calculates a value related to the variance of the activation outputs. A lower $\varphi_i$ indicates less confidence in the assigned label, making that sample a candidate for instance-dependent poisoning.

These low-confidence samples are collected as $C_{ID}$. The instance-dependent injector then uses the same GAN structure as the class-dependent injector, but with a different objective function: $ \underset{\mathcal{G}}{\operatorname*{min}} \underset{\mathcal{D}}{\operatorname*{max}} V_{ID}(\mathcal{G}, \mathcal{D}) = \mathbb{E}\left[\log \mathcal{D}(\hat{\boldsymbol{X}}, \boldsymbol{C}{ID})\right] + \mathbb{E}\left[1 - \mathcal{D}\big(\tilde{\boldsymbol{X}}, \boldsymbol{C}{ID}\big)\right], $ where:

• $V_{ID}$: the value function for the instance-dependent injector.
• $\hat{\boldsymbol{X}}$: real samples.
• $\tilde{\boldsymbol{X}}$: fake samples generated by $\mathcal{G}$.
• $\boldsymbol{C}_{ID}$: the set of samples identified as having low confidence, used to guide $\mathcal{G}$ and $\mathcal{D}$ to focus on instance-dependent noise.

4.2. Training the Noisy Label Classifier and Aggregation

Upon convergence of the noisy label injectors (GALP), the device trains its noisy label classifier ($\mathcal{M}_r$) using the server update $\theta_S$, its original local data ($T_r$), and the artificially poisoned data generated by GALP ($\{\hat{X}, \tilde{Y}, Y\}$, where $\hat{X}$ are the original features of the poisoned samples, $\tilde{Y}$ are the poisoned labels, and $Y$ might refer to the original labels or a context for GALP): $ \mathcal{M}r(\theta_S, {\hat{X}, \tilde{Y}, Y} \cup T_r) \to \theta{\mathrm{out}}^r, $ where $\theta_{\mathrm{out}}^r$ represents the outgoing parameters set from client $r$. This vaccinated model is then sent to the server.

On the server-side, the global model parameters $\theta_S$ are obtained by an aggregation function $f(\cdot)$ that combines the outgoing parameters from all clients: $ \theta_S = f({ \theta_{\mathrm{out}}^r \mid 1 \leq r \leq k }). $ For simplicity, the paper defines the aggregation function as a simple average: $ f({ \theta_{\mathrm{out}}^r \mid 1 \leq r \leq k }) = \frac{1}{k} \sum_{r=1}^k \theta_{\mathrm{out}}^r. $ This averaged aggregation ensures that the robustness learned by individual vaccinated models is incorporated into the global model, which is then broadcast back to all clients for the next round.

5. Experimental Setup

5.1. Datasets

The experiments utilize two real-world network traffic datasets commonly used for IoT intrusion detection systems: UNSW-NB15 and NIMS.

• UNSW-NB15 Dataset [28]:

  • Source: Captured from a network environment simulating real-world traffic, including both normal and abnormal (attack) activities.
  • Characteristics: Contains pcap, Argus, Bro, and Csv files. Originally, it's a binary classification problem (normal vs. attack).
  • Modification for Experiments: To increase the complexity and challenge for the noisy classifiers, the authors transformed the binary classification problem into a multi-class problem with 9 classes: 1 normal class and 8 categories of attacks.
  • Purpose: Evaluate network intrusion detection systems.
  • Data Sample Example (Conceptual): A row in the dataset might represent a network connection with features like source IP, destination IP, port numbers, protocol type, duration, number of bytes transferred, flags, and finally a label indicating whether it's normal traffic or a specific type of attack (e.g., DoS, Exploits, Generic, Shellcode, Backdoor, etc.).

• NIMS Botnet Dataset [29]:

  • Source: Collected from a research lab testbed network where various network scenarios were simulated.
  • Characteristics: Includes network traffic from a client computer connected to SSH servers outside the testbed, generating SSH connections. Emulates various application behaviors such as DNS, HTTP, FTP, P2P (limewire), and telnet.
  • Purpose: Specifically designed for botnet detection and analysis of encrypted traffic.
  • Data Sample Example (Conceptual): A data sample would represent network flow characteristics (e.g., packet size distribution, inter-arrival times, flow duration, byte counts) without relying on port numbers, IP addresses, or payload inspection, which are challenging for encrypted traffic. The label would indicate if a flow is normal or part of a botnet activity.

• Dataset Split and Client Distribution: For both datasets, 50 clients are simulated. For each client, 50 percent of samples from each class in the original dataset are randomly selected to form the client's local data. This ensures data heterogeneity across clients while maintaining class representation.

5.2. Evaluation Metrics

The performance of the proposed approach and selected noisy classifiers is evaluated using two common metrics: F-measure and Accuracy.

5.2.1. Accuracy

• Conceptual Definition: Accuracy measures the proportion of correctly classified instances out of the total number of instances. It provides a general idea of how well the model performs across all classes.
• Mathematical Formula: $ \text{Accuracy} = \frac{\text{Number of Correct Predictions}}{\text{Total Number of Predictions}} = \frac{TP + TN}{TP + TN + FP + FN} $
• Symbol Explanation:
  • TP: True Positives (correctly predicted positive instances).
  • TN: True Negatives (correctly predicted negative instances).
  • FP: False Positives (incorrectly predicted positive instances, type I error).
  • FN: False Negatives (incorrectly predicted negative instances, type II error).

5.2.2. F-measure (F1-score)

• Conceptual Definition: The F-measure (or F1-score) is the harmonic mean of Precision and Recall. It is particularly useful when dealing with imbalanced datasets (where one class significantly outnumbers others), as it balances the concerns of Precision and Recall, giving a more robust evaluation than Accuracy alone in such scenarios. For multi-class classification, it is often calculated as a weighted or macro average across all classes.
• Mathematical Formula: $ \text{F1-score} = 2 \times \frac{\text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} $ Where: $ \text{Precision} = \frac{TP}{TP + FP} $ $ \text{Recall} = \frac{TP}{TP + FN} $
• Symbol Explanation:
  • TP: True Positives.
  • FP: False Positives.
  • FN: False Negatives.
  • Precision: The proportion of positive identifications that were actually correct (answers the question: "Of all items I identified as positive, how many were actually positive?").
  • Recall: The proportion of actual positives that were identified correctly (answers the question: "Of all actual positive items, how many did I correctly identify?").

5.3. Baselines

The paper's method (GALP combined with a noisy label classifier) is compared against various state-of-the-art deep noisy label classifiers themselves. These noisy label classifiers serve as the baselines to show the effectiveness of adding GALP for adversarial noise robustness. The selected baselines are:

• LMNL (Learning from Massive Noisy Labeled Data) [19]

• Masking [20]

• GLC (Gold Loss Correction) [21]

• PENCIL (Probabilistic End-to-End Noise Correction for Learning with Noisy Labels) [22]

• CE (Cross Entropy - likely used as a standard baseline without explicit noise handling, but could also be SCEL which uses CE as a component, though SCEL is also listed separately). Given the mention of SCEL later, CE might refer to a basic Cross-Entropy trained model.

• SCEL (Symmetric Cross Entropy Learning) [23]

• CORES (COnfidence REgularized Sample Sieve) [24]

• OLS (Online Label Smoothing) [25]

  These baselines are representative as they cover a wide range of modern noisy label classification techniques, including probabilistic models, meta-learning, confidence-based filtering, and regularization approaches, providing a comprehensive comparison for GALP's contribution.

Experimental Settings Details:

• Runs: All experiments are repeated ten times.
• Batch Size: 100 for all noisy classifiers and GALP.
• GALP Structure: Generator ($\mathcal{G}$) and Discriminator ($\mathcal{D}$) each have three hidden layers.
• Optimizer: Adam optimizer is used for GALP parameters.
• Hyperparameter Search:

  • Learning rate: Searched within {0.001, 0.01, 0.02, 0.1}.

  • Number of hidden layers: Selected from {2, 3, 4, 5} empirically.

    The following are the results from Table 1 of the original paper:

    Algorithm	Parameters	Value/Method
    LMNL	Optimizer	AdaMax
    	Activations	Relu and Softmax
    	#. hidden layers	3
    	Learning rate	0.01
    Masking	Optimizer	Adam
    	Activations	Sigmoid and Softmax
    	#. hidden layers	3
    	Learning rate	0.01
    GLC	Optimizer	Adam
    	Activations	Relu and Softmax
    	#. hidden layers	3
    	Learning rate	0.001
    PENCIL	Optimizer	Adam
    	Activations	Relu and LogSoftmax
    	#. hidden layers	4
    	Learning rate	0.02
    CE	Optimizer	SGD
    	Activations	Convolution + Relu and Sofmax
    	#. hidden layers	5
    	Learning rate	0.1
    CORES	Optimizer	SGD
    	Activations	Convolution + LeakyRelu and Softmax
    	#. hidden layers	5
    	Learning rate	0.01
    OLS	Optimizer	SGD
    	Activations	Convolution + LeakyRelu and Softmax
    	#. hidden layers	5
    	Learning rate	0.02

Table 1 provides specific parameter settings for each noisy classifier used in the comparative study, including their optimizer, activation functions, number of hidden layers, and learning rate.

6. Results & Analysis

6.1. Core Results Analysis

The experimental results demonstrate the effectiveness of the proposed approach, particularly when GALP is combined with robust noisy label classifiers. The analysis focuses on how different label noise mechanisms and noise ratios affect the performance of various noisy classifiers in an FL setting for intrusion detection.

The following figures show the accuracy and F-measure results under different label noise mechanisms and ratios.

Image 3: Accuracy of noisy classifiers for different label noise mechanisms on UNSW-NB15 and NIMS datasets.

Image 4: F-measure of noisy classifiers for different label noise mechanisms on UNSW-NB15 and NIMS datasets.

• Impact of Noise Mechanism:

  • Class-independent (CI) noise is consistently the easiest for noisy classifiers to handle. For instance, GLC's accuracy on UNSW-NB15 degrades by roughly 15% with CI noise (Figure 3a), whereas class-dependent (CD) noise causes up to 30% degradation for the same technique and dataset (Figure 3b). This confirms that CD noise, which GALP can generate, represents a more challenging and effective label flipping attack than traditional CI noise.
  • Instance-dependent (ID) noise is generally the most challenging, as it mimics backdoor attacks that are highly specific to data instances.

• Sensitivity to Noise Ratio:

  • GLC shows high sensitivity to CI and CD noise ratios but surprisingly high robustness against ID noise on UNSW-NB15 (Figure 3c).
  • CORES consistently exhibits the highest robustness against noise ratio across most noise mechanisms and datasets (e.g., Figure 3d, 3e, 3f).

• Dataset Challenge: UNSW-NB15 appears to be more challenging for the noisy classifiers compared to the NIMS dataset, as evidenced by generally lower performance and steeper degradation curves.

• F-measure vs. Accuracy: The F-measure results (Image 4) largely confirm the accuracy analysis. However, Masking's F-measure degrades at a higher rate compared to its accuracy, indicating a potential issue with class imbalance for this method.

  The following figures show the distribution and variance of obtained accuracy and F-measure values.

  Image 5: Box plots comparing accuracy and F1-score across different noise types for various methods.

• Stability (Variance) of Methods:

  • LMNL shows the lowest variance when dealing with CI and CD labels, suggesting high stability for these noise types.

  • Masking is the least stable for CI and CD noise mechanisms.

  • PENCIL and SCEL show similar stability.

  • For ID noise, the stability varies by dataset. GLC is stable in terms of accuracy on NIMS (Figure 5c) but most stable in terms of F-measure (Figure 5f), indicating that dataset distribution plays a role in method stability.

  • CORES makes the most accurate predictions regardless of the noise mechanism, aligning with its robustness to noise ratio.

    The following are the results from Table 2 of the original paper:

    Algorithm	Accuracy	F-measure	Rank
    LMNL	0.7811 ± 0.0229	0.6895 ± 0.0229	6
    Masking	0.8529 ± 0.1011	0.6909 ± 0.1011	5
    GLC	0.7861 ± 0.0626	0.6354 ± 0.0626	7
    PENCIL	0.9038 ± 0.0740	0.7929 ± 0.0740	4
    SCEL	0.9059 ± 0.0637	0.8259 ± 0.0637	2
    CORES	0.9306 ± 0.0547	0.8599 ± 0.0551	1
    OLS	0.9218 ± 0.650	0.8199 ± 0.632	3

Table 2 provides an overall ranking of the noisy label classifiers based on their average Accuracy and F-measure across all experimental conditions (datasets, noise types, and ratios).

• Overall Ranking:

  1. CORES: Outperforms all other competitors with the highest average Accuracy (0.9306) and F-measure (0.8599). This suggests CORES is the best choice to combine with GALP. Its design to handle instance-dependent label noise is a key factor.
  2. SCEL: Ranks second with a strong F-measure (0.8259), indicating good performance in handling class imbalance.
  3. OLS: Ranks third with high Accuracy (0.9218).
  4. PENCIL and Masking: Ranked fourth and fifth, respectively.
  5. LMNL and GLC: Rank sixth and seventh. LMNL has better F-measure than GLC, despite GLC having slightly higher Accuracy, due to the significance of F-measure for imbalanced data.

• Effectiveness of GALP: The results imply that coupling GALP with a classifier like CORES significantly reduces the impact of malicious noisy labels. While GALP generates CI, CD, and ID noise, many techniques are primarily designed for CI and CD. The superior performance of CORES is attributed to its design specifically targeting instance-dependent noise, which is harder to handle.

  • For label flipping attacks (CI and CD noise), GALP almost offsets their effect, regardless of the noise ratio.
  • For backdoor attacks (ID mechanism), GALP effectively neutralizes noise ratios smaller than 10%. For higher noise ratios, the data distribution becomes a more critical factor. However, the authors argue that corrupting more than ten percent of traffic data using backdoor attacks is unlikely in most large-scale FL applications.

6.2. Ablation Studies / Parameter Analysis

To explicitly demonstrate the effect of GALP in making noisy classifiers robust, an ablation study was performed by removing GALP from the training process. The best-performing algorithm, CORES, was chosen for this comparison.

The following figure illustrates the effect of GALP on mitigating label poisoning.

Image 6: Effect of GALP on mitigating label poisoning, comparing CORES trained with and without GALP's artificial poisoning.

• Comparison of CORES (with GALP) vs. CORES (without GALP):
  • CORES without GALP was trained using symmetric noise (randomly generated, typically class-independent) and then tested against class-dependent and instance-dependent label poisoning. This is a crucial distinction: CORES on its own might handle random noise well, but not necessarily adversarial noise patterns it hasn't seen during training.
  • Figure 6a (Class-Dependent Attack): The accuracy of CORES without GALP (orange line) degrades significantly as the noise ratio increases. In contrast, CORES with GALP (blue line) maintains a much higher accuracy, showing robustness.
  • Figure 6b (Instance-Dependent Attack): A similar trend is observed. CORES without GALP suffers substantial performance drops, while CORES with GALP demonstrates remarkable resilience, especially at higher noise ratios.
• Conclusion from Ablation: The results clearly indicate that GALP plays a vital role in vaccinating the models. The effect of GALP becomes more significant as the ratio of label noise in poisoning attacks increases. This validates GALP's contribution by showing that simply using a robust noisy label classifier is not enough to defend against adversarial label poisoning without explicitly training it on adversarially generated noise.

7. Conclusion & Reflections

7.1. Conclusion Summary

This paper successfully proposes and evaluates a novel defense mechanism against label poisoning attacks in federated learning environments. The core of their approach is the Generative Adversarial Label Poisoner (GALP), which artificially generates label noise mimicking realistic class-dependent and instance-dependent label flipping and backdoor attacks. By coupling GALP with state-of-the-art noisy label classifiers, the framework effectively "vaccinates" local models, enabling them to learn malicious noise distributions and robustly withstand poisoned updates. The comprehensive comparative study identified CORES as the most compatible noisy label classifier for this framework. Evaluated on two IoT intrusion detection datasets (UNSW-NB15 and NIMS), the proposed approach demonstrated significant effectiveness in mitigating the impact of label poisoning attacks, especially for label flipping attacks and backdoor attacks with reasonable noise ratios.

7.2. Limitations & Future Work

The authors implicitly or explicitly highlight several limitations and potential future research directions:

• Instance-Dependent Noise at High Ratios: While GALP is effective for instance-dependent noise below 10%, its effectiveness decreases for higher noise ratios, where data distribution becomes a critical factor. This implies that for extremely aggressive backdoor attacks, the defense might still be challenged.
• Scope of Attacks: The paper focuses on label poisoning. Future work could explore integrating defenses against other types of data poisoning, such as feature poisoning (false data injection), or model poisoning where attackers manipulate model parameters directly.
• Generative Model Complexity: Training GANs can be challenging and computationally intensive. The paper does not delve into the computational overhead or convergence stability of GALP in a real-world FL setting with many clients and varying computational resources. This could be a practical limitation.
• Generalizability of GALP: The effectiveness of GALP relies on its ability to accurately simulate real attack patterns. While it models class-dependent and instance-dependent noise, the GAN's ability to perfectly capture the nuances of all potential future adversarial strategies might be limited. Future work might explore adaptive GALP designs.
• Homogeneous Networks: The paper mentions "homogeneous federated networks." This implies clients have similar data distributions and model architectures. Extending the defense to heterogeneous FL (e.g., varying data schemas, different local model types) could be a challenge.
• Server-Side Defenses: The paper focuses on client-side vaccination. While the server aggregates vaccinated models, more robust aggregation rules or anomaly detection mechanisms at the server could further enhance overall security.

7.3. Personal Insights & Critique

This paper presents a highly relevant and innovative approach to a critical problem in federated learning. The idea of actively generating adversarial noise to "vaccinate" models is conceptually elegant and addresses a key vulnerability.

• Innovation: The integration of GANs for adversarial noise generation in the FL context is a strong contribution. It moves beyond passive noise handling to proactive defense. The mapping of backdoor and label flipping attacks to specific label noise mechanisms provides a structured framework for understanding and simulating these threats.
• Applicability: The methods and conclusions are highly transferable. The GALP concept could be adapted to other data poisoning scenarios (e.g., feature poisoning, or even model poisoning by generating malicious model updates). The vaccination paradigm could inspire defenses in other distributed machine learning or multi-agent systems where trust among participants is limited.
• Potential Issues/Areas for Improvement:

  • Practical Deployment Overhead: While conceptually sound, deploying GALP on resource-constrained IoT edge devices might be computationally expensive. Training a GAN itself requires significant resources. The paper doesn't detail the computational cost per client, which is crucial for FL in IoT.

  • Threshold Selection: The determination of class-dependent error threshold $t1$ and instance-dependent confidence threshold $t2$ (mentioned in Algorithm 1, though not explicitly defined in the text) is critical. How these thresholds are chosen and their sensitivity to different datasets or attack scenarios could impact performance. This might introduce new hyperparameters that need careful tuning.

  • Dynamic Nature of Attacks: Attackers might evolve their strategies. While GALP learns known noise distributions, a constantly evolving attacker could develop new poisoning patterns. The GALP would need to be continuously updated or made adaptive to such zero-day attack patterns, which might require re-training or more sophisticated GAN architectures.

  • Data Availability for GALP: The paper implies GALP uses local client data to generate poisoned versions. If a client's local data is extremely limited or highly skewed, GALP's ability to generate diverse and realistic adversarial noise might be constrained.

  • Aggregation Robustness: While the paper mentions simple averaging for aggregation, exploring more robust aggregation rules (e.g., Krum, trimmed mean) in conjunction with GALP-vaccinated models could offer even stronger defenses. This could be a fruitful area for future empirical work.

    Overall, this paper provides a robust foundation for building more resilient federated learning systems in the face of increasingly sophisticated adversarial attacks. The vaccination metaphor aptly captures the proactive defense mechanism, which is a valuable shift in perspective.