XFED: Non-Collusive Model Poisoning Attack Against Byzantine-Robust Federated Classifiers

A team of researchers led by Israt Jahan Mouri, Muhammad Ridowan, and Muhammad Abdullah Adnan has introduced XFED, a groundbreaking attack that fundamentally challenges the security assumptions of federated learning (FL). FL is a privacy-preserving machine learning technique where models are trained across decentralized devices (like phones or hospitals) without sharing raw data. The core innovation of XFED is its 'non-collusive' attack model, where compromised clients share a common goal—to poison the global model—but act completely independently. They require no communication, no exchange of benign model data, and no knowledge of the server's defense mechanisms. This makes the attack stealthy, scalable, and far more practical than previous collusion-based methods, which were costly and detectable.

In extensive empirical evaluations, XFED demonstrated alarming effectiveness. The attack was tested against eight state-of-the-art Byzantine-robust aggregation defenses, including Krum, Multi-Krum, Trimmed Mean, and Median. It successfully bypassed all of them across six standard benchmark datasets. Furthermore, XFED outperformed six existing model poisoning attacks that rely on coordination. The findings, detailed in a 21-page arXiv paper, indicate that current FL security is built on a flawed premise. The research formalizes a new, more realistic threat model and proves that defenses must evolve beyond detecting coordinated malicious behavior. This has immediate implications for industries relying on FL, such as healthcare for training on sensitive patient data or tech companies for improving keyboard suggestions on personal devices, forcing a urgent re-evaluation of security protocols.