Securing One-Class Federated Learning Classifiers Against Trojan Attacks in Smart Grid

Atef H. Bondok; Mahmoud Badr; Mohamed Mahmoud; Maazen Alsabaan; Mostafa M. Fouda; Mohamed Abdallah

doi:10.1109/JIOT.2024.3481213

Securing One-Class Federated Learning Classifiers Against Trojan Attacks in Smart Grid

Atef H. Bondok, Mahmoud Badr, Mohamed Mahmoud, Maazen Alsabaan, Mostafa M. Fouda, Mohamed Abdallah

CSE Information & Computing Technology

Research output: Contribution to journal › Article › peer-review

5 Citations (Scopus)

Abstract

Existing literature confirms the ability of machine learning to identify fraudulent smart grid power consumers who report false consumption readings to pay less electricity bills. Additionally, federated learning (FL) shows promise as a way to train the detection model without requiring data sharing, thereby safeguarding consumer privacy. However, malicious participants (i.e., clients) in FL training can launch adversarial attacks by training their local models with specially crafted low-consumption data to inject a Trojan into the global model. This Trojan can then be activated during the evaluation phase to evade the detection of false data. To the best of our knowledge, not enough research has been done on this topic in the context of unsupervised learning. The absence of labels in unsupervised learning exacerbates the effectiveness of Trojan attacks and renders it more challenging to design robust defense mechanisms. In this article, we first investigate the vulnerability of one-class classifiers to Trojan attacks. Then, we propose two defense approaches named layerwise close-to-median (LWCM) and Machine Unlearning to counter this attack. In LWCM, by choosing a FL client whose last layer model parameters are near to the median of all clients’ last layer parameters to update the global model, we can identify and exclude malicious updates. The idea is that the last layer parameters of honest clients should be similar, whereas those from malicious clients are different. With the majority of clients being honest, the median values are closer to the parameters of these clients, facilitating the detection of malicious clients. In Machine Unlearning, we utilize gradient ascent-based techniques to adapt models by selectively removing attacker-related data points. This is possible because honest clients generate data resembling that of malicious clients and employ a dual-component loss function to maintain model proficiency in recognizing benign power consumption patterns while eliminating malicious patterns. To show the seriousness of Trojan attacks and the effectiveness of our countermeasures, many experiments have been carried out.

Original language	English
Article number	10720069
Pages (from-to)	4006-4021
Number of pages	16
Journal	IEEE Internet of Things Journal
Volume	12
Issue number	4
DOIs	https://doi.org/10.1109/JIOT.2024.3481213
Publication status	Published - 15 Feb 2025

Keywords

And smart grid (SG) automatic metering infrastructure
Computational modeling
Data models
Data privacy
Detectors
Electricity
One-class classifiers
Security
Smart grids
Supervised learning
Training
Trojan attacks
Trojan horses
Unsupervised learning
federated learning (FL)

Access to Document

10.1109/JIOT.2024.3481213

https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10720069

Cite this

@article{0442d4be7e3f4b4b969aa034e7fae0a2,

title = "Securing One-Class Federated Learning Classifiers Against Trojan Attacks in Smart Grid",

abstract = "Existing literature confirms the ability of machine learning to identify fraudulent smart grid power consumers who report false consumption readings to pay less electricity bills. Additionally, federated learning (FL) shows promise as a way to train the detection model without requiring data sharing, thereby safeguarding consumer privacy. However, malicious participants (i.e., clients) in FL training can launch adversarial attacks by training their local models with specially crafted low-consumption data to inject a Trojan into the global model. This Trojan can then be activated during the evaluation phase to evade the detection of false data. To the best of our knowledge, not enough research has been done on this topic in the context of unsupervised learning. The absence of labels in unsupervised learning exacerbates the effectiveness of Trojan attacks and renders it more challenging to design robust defense mechanisms. In this article, we first investigate the vulnerability of one-class classifiers to Trojan attacks. Then, we propose two defense approaches named layerwise close-to-median (LWCM) and Machine Unlearning to counter this attack. In LWCM, by choosing a FL client whose last layer model parameters are near to the median of all clients{\textquoteright} last layer parameters to update the global model, we can identify and exclude malicious updates. The idea is that the last layer parameters of honest clients should be similar, whereas those from malicious clients are different. With the majority of clients being honest, the median values are closer to the parameters of these clients, facilitating the detection of malicious clients. In Machine Unlearning, we utilize gradient ascent-based techniques to adapt models by selectively removing attacker-related data points. This is possible because honest clients generate data resembling that of malicious clients and employ a dual-component loss function to maintain model proficiency in recognizing benign power consumption patterns while eliminating malicious patterns. To show the seriousness of Trojan attacks and the effectiveness of our countermeasures, many experiments have been carried out.",

keywords = "And smart grid (SG) automatic metering infrastructure, Computational modeling, Data models, Data privacy, Detectors, Electricity, One-class classifiers, Security, Smart grids, Supervised learning, Training, Trojan attacks, Trojan horses, Unsupervised learning, federated learning (FL)",

author = "Bondok, \{Atef H.\} and Mahmoud Badr and Mohamed Mahmoud and Maazen Alsabaan and Fouda, \{Mostafa M.\} and Mohamed Abdallah",

year = "2025",

month = feb,

day = "15",

doi = "10.1109/JIOT.2024.3481213",

language = "English",

volume = "12",

pages = "4006--4021",

journal = "IEEE Internet of Things Journal",

issn = "2372-2541",

publisher = "IEEE",

number = "4",

}

TY - JOUR

T1 - Securing One-Class Federated Learning Classifiers Against Trojan Attacks in Smart Grid

AU - Bondok, Atef H.

AU - Badr, Mahmoud

AU - Mahmoud, Mohamed

AU - Alsabaan, Maazen

AU - Fouda, Mostafa M.

AU - Abdallah, Mohamed

PY - 2025/2/15

Y1 - 2025/2/15

N2 - Existing literature confirms the ability of machine learning to identify fraudulent smart grid power consumers who report false consumption readings to pay less electricity bills. Additionally, federated learning (FL) shows promise as a way to train the detection model without requiring data sharing, thereby safeguarding consumer privacy. However, malicious participants (i.e., clients) in FL training can launch adversarial attacks by training their local models with specially crafted low-consumption data to inject a Trojan into the global model. This Trojan can then be activated during the evaluation phase to evade the detection of false data. To the best of our knowledge, not enough research has been done on this topic in the context of unsupervised learning. The absence of labels in unsupervised learning exacerbates the effectiveness of Trojan attacks and renders it more challenging to design robust defense mechanisms. In this article, we first investigate the vulnerability of one-class classifiers to Trojan attacks. Then, we propose two defense approaches named layerwise close-to-median (LWCM) and Machine Unlearning to counter this attack. In LWCM, by choosing a FL client whose last layer model parameters are near to the median of all clients’ last layer parameters to update the global model, we can identify and exclude malicious updates. The idea is that the last layer parameters of honest clients should be similar, whereas those from malicious clients are different. With the majority of clients being honest, the median values are closer to the parameters of these clients, facilitating the detection of malicious clients. In Machine Unlearning, we utilize gradient ascent-based techniques to adapt models by selectively removing attacker-related data points. This is possible because honest clients generate data resembling that of malicious clients and employ a dual-component loss function to maintain model proficiency in recognizing benign power consumption patterns while eliminating malicious patterns. To show the seriousness of Trojan attacks and the effectiveness of our countermeasures, many experiments have been carried out.

AB - Existing literature confirms the ability of machine learning to identify fraudulent smart grid power consumers who report false consumption readings to pay less electricity bills. Additionally, federated learning (FL) shows promise as a way to train the detection model without requiring data sharing, thereby safeguarding consumer privacy. However, malicious participants (i.e., clients) in FL training can launch adversarial attacks by training their local models with specially crafted low-consumption data to inject a Trojan into the global model. This Trojan can then be activated during the evaluation phase to evade the detection of false data. To the best of our knowledge, not enough research has been done on this topic in the context of unsupervised learning. The absence of labels in unsupervised learning exacerbates the effectiveness of Trojan attacks and renders it more challenging to design robust defense mechanisms. In this article, we first investigate the vulnerability of one-class classifiers to Trojan attacks. Then, we propose two defense approaches named layerwise close-to-median (LWCM) and Machine Unlearning to counter this attack. In LWCM, by choosing a FL client whose last layer model parameters are near to the median of all clients’ last layer parameters to update the global model, we can identify and exclude malicious updates. The idea is that the last layer parameters of honest clients should be similar, whereas those from malicious clients are different. With the majority of clients being honest, the median values are closer to the parameters of these clients, facilitating the detection of malicious clients. In Machine Unlearning, we utilize gradient ascent-based techniques to adapt models by selectively removing attacker-related data points. This is possible because honest clients generate data resembling that of malicious clients and employ a dual-component loss function to maintain model proficiency in recognizing benign power consumption patterns while eliminating malicious patterns. To show the seriousness of Trojan attacks and the effectiveness of our countermeasures, many experiments have been carried out.

KW - And smart grid (SG) automatic metering infrastructure

KW - Computational modeling

KW - Data models

KW - Data privacy

KW - Detectors

KW - Electricity

KW - One-class classifiers

KW - Security

KW - Smart grids

KW - Supervised learning

KW - Training

KW - Trojan attacks

KW - Trojan horses

KW - Unsupervised learning

KW - federated learning (FL)

UR - https://ieeexplore.ieee.org/document/10720069/

U2 - 10.1109/JIOT.2024.3481213

DO - 10.1109/JIOT.2024.3481213

M3 - Article

SN - 2372-2541

VL - 12

SP - 4006

EP - 4021

JO - IEEE Internet of Things Journal

JF - IEEE Internet of Things Journal

IS - 4

M1 - 10720069

ER -

Securing One-Class Federated Learning Classifiers Against Trojan Attacks in Smart Grid

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this