Tipo di tesi
Tesi di laurea magistrale
Titolo
Evolving Poisoning Attacks in Federated Learning: An Experimental Path to Attack Optimization via Simulated Annealing
Dipartimento
INGEGNERIA DELL'INFORMAZIONE
Corso di studi
CYBERSECURITY
Parole chiave
- Anomaly Detection
- Federated Learning
- Model Poisoning
- Simulated Annealing
Data inizio appello
26/05/2026
Riassunto (Inglese)
Federated Learning (FL) has emerged as a powerful paradigm for the distributed training of machine learning models, offering significant privacy advantages by avoiding the centralization of sensitive data. However, its decentralized architecture exposes it to critical security threats, particularly poisoning attacks conducted by malicious clients aimed at corrupting the global model.
The primary objective of this thesis is to undertake a structured experimental path that, starting from the analysis of basic FL system vulnerabilities, leads to the definition of an optimized attack strategy capable of inflicting significant damage to the model while simultaneously evading server-side defense mechanisms. The case study selected for the experiments is an air quality time-series forecasting system (PM 2.5), implemented using Long Short-Term Memory (LSTM) neural networks and the Flower federated framework.
Initial analysis demonstrated that while basic poisoning attacks, such as injecting random noise into local models, have catastrophic effects on unprotected systems, they are entirely ineffective when the server implements similarity-based or anomaly-detection defenses
(such as K-means clustering or centroid distance-based filters).
Consequently, to succeed in a protected environment, an attacker must calibrate a complex trade-off between attack effectiveness and stealthiness. The central contribution of this work lies in the application of the Simulated Annealing (SA) optimization algorithm for performing advanced model poisoning attacks. The algorithm is employed to explore the weight space and dynamically calculate the optimal perturbation that maximizes the malicious objective while constraining the update to remain below the detection threshold imposed by the defense.
Experimental results confirm the high threat level of this methodology: a strong adversary, employing SA for an untargeted attack, can systematically bypass server-side defense mechanisms, causing a severe degradation in the model’s general predictive performance. On the other hand, simulations conducted for targeted attack scenarios revealed that achieving similarly catastrophic results is a significantly more complex process, strictly limited by the statistical asymmetry of the data, thus preparing the ground for necessary future studies.