{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,14]],"date-time":"2025-10-14T00:51:00Z","timestamp":1760403060746,"version":"build-2065373602"},"reference-count":44,"publisher":"Association for Computing Machinery (ACM)","issue":"4","funder":[{"name":"CISTER Research Unit","award":["UIDP\/UIDB\/04234\/2020"],"award-info":[{"award-number":["UIDP\/UIDB\/04234\/2020"]}]},{"name":"National Funds through FCT\/MCTES","award":["ADANET (PTDC\/EEICOM\/3362\/2021)"],"award-info":[{"award-number":["ADANET (PTDC\/EEICOM\/3362\/2021)"]}]},{"name":"Aero.Next Portugal","award":["C645727867-00000066"],"award-info":[{"award-number":["C645727867-00000066"]}]},{"name":"EU\/Next Generation","award":["02\/C05-i01\/2022"],"award-info":[{"award-number":["02\/C05-i01\/2022"]}]},{"name":"Recovery and Resilience Plan"},{"DOI":"10.13039\/501100001961","name":"AXA Research Fund","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100001961","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2025,11,30]]},"abstract":"<jats:p>\n            Recent poisoning attacks on federated learning (FL) generate malicious model updates that circumvent widely adopted Euclidean distance-based detection methods. This article proposes a new defense mechanism, namely, GradCAM-AE, against model poisoning attacks on FL, which integrates Gradient-weighted Class Activation Mapping (GradCAM) and autoencoder (AE) to offer a substantially more powerful detection capability compared to existing Euclidean distance-based approaches. Particularly, GradCAM-AE generates a heat map for each uploaded local model update, transforming each local model update into a lower-dimensional, visual representation. An AE further reprojects the GradCAM heat maps of all local module updates with improved distinguishability, thereby accentuating the hidden features of the heat maps and increasing the success rate of identifying anomalous heat maps and malicious local models. A comprehensive evaluation of the proposed GradCAM-AE framework is conducted using the CIFAR-10 and GTSRB datasets under both Independent and Identically Distributed (IID) and Non-IID settings. The ResNet-18 and MobileNetV3-Large models are tested. The results substantiate that GradCAM-AE offers superior detection rates and test accuracy of FL global model, juxtaposed with contemporary state-of-the-art methods. Our code is available at:\n            <jats:ext-link xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\" xlink:href=\"https:\/\/github.com\/jjzgeeks\/GradCAM-AE\">https:\/\/github.com\/jjzgeeks\/GradCAM-AE<\/jats:ext-link>\n            .\n          <\/jats:p>","DOI":"10.1145\/3765743","type":"journal-article","created":{"date-parts":[[2025,9,12]],"date-time":"2025-09-12T11:49:08Z","timestamp":1757677748000},"page":"1-23","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["GradCAM-AE: A New Shield Defense against Poisoning Attacks on Federated Learning"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5728-9453","authenticated-orcid":false,"given":"Jingjing","family":"Zheng","sequence":"first","affiliation":[{"name":"CISTER","place":["Porto, Portugal"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0517-2392","authenticated-orcid":false,"given":"Kai","family":"Li","sequence":"additional","affiliation":[{"name":"University of Cambridge","place":["Cambridge, United Kingdom of Great Britain and Northern Ireland"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9167-1613","authenticated-orcid":false,"given":"Xin","family":"Yuan","sequence":"additional","affiliation":[{"name":"Commonwealth Scientific and Industrial Research Organisation","place":["Sydney, Australia"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0780-4637","authenticated-orcid":false,"given":"Wei","family":"Ni","sequence":"additional","affiliation":[{"name":"Commonwealth Scientific and Industrial Research Organisation","place":["Sydney, Australia"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8979-3876","authenticated-orcid":false,"given":"Eduardo","family":"Tovar","sequence":"additional","affiliation":[{"name":"CISTER","place":["Porto, Portugal"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2523-3858","authenticated-orcid":false,"given":"\u00d6zg\u00fcr","family":"B. Akan","sequence":"additional","affiliation":[{"name":"University of Cambridge","place":["Cambridge, United Kingdom of Great Britain and Northern Ireland"]}]}],"member":"320","published-online":{"date-parts":[[2025,10,13]]},"reference":[{"key":"e_1_3_2_2_2","first-page":"118","volume-title":"Proceedings of the 31st International Conference on Neural Information Processing Systems","author":"Blanchard Peva","year":"2017","unstructured":"Peva Blanchard, El Mahdi El Mhamdi, Rachid Guerraoui, and Julien Stainer. 2017. Machine learning with adversaries: Byzantine tolerant gradient descent. In Proceedings of the 31st International Conference on Neural Information Processing Systems. 118\u2013128."},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24434"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW56347.2022.00383"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3212174"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2020.3033171"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","unstructured":"J. K. Chow Z. Su J. Wu P. S. Tan X. Mao and Y. H. Wang. 2020. Anomaly detection of defects on concrete structures with the convolutional autoencoder. Advanced Engineering Informatics 45 (2020) 101105. DOI:10.1016\/j.aei.2020.101105","DOI":"10.1016\/j.aei.2020.101105"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489304"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.4266498"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00140"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583450"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"e_1_3_2_14_2","unstructured":"Forrest N. Iandola Song Han Matthew W. Moskewicz Khalid Ashraf William J. Dally and Kurt Keutzer. 2016. SqueezeNet: AlexNet-level accuracy with 50\u00d7 fewer parameters and <0.5MB model size. arXiv:1602.07360 (2016)."},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1038\/s42256-021-00337-8"},{"key":"e_1_3_2_16_2","unstructured":"Alex Krizhevsky Geoffrey Hinton and others. 2009. Learning multiple layers of features from tiny images. (2009)."},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","unstructured":"Kai Li Jingjing Zheng Xin Yuan Wei Ni Ozgur B. Akan and H. Vincent Poor. 2024. Data-agnostic model poisoning against federated learning: A graph autoencoder approach. IEEE Transactions on Information Forensics and Security 19 (2024) 3465\u20133480. DOI:10.1109\/TIFS.2024.3362147","DOI":"10.1109\/TIFS.2024.3362147"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2021.3081606"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179400"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v37i7.26083"},{"key":"e_1_3_2_21_2","volume-title":"Proceedings of the 6th International Conference on Learning Representations, ICLR 2018","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In Proceedings of the 6th International Conference on Learning Representations, ICLR 2018. OpenReview.net. Retrieved from https:\/\/openreview.net\/forum?id=rJzIBfZAb"},{"key":"e_1_3_2_22_2","series-title":"Proceedings of Machine Learning Research","first-page":"1273","volume-title":"Proceedings of the 20th International Conference on Artificial Intelligence and Statistics","volume":"54","author":"McMahan Brendan","year":"2017","unstructured":"Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In Proceedings of the 20th International Conference on Artificial Intelligence and Statistics. Aarti Singh and Jerry Zhu (Eds.), Proceedings of Machine Learning Research, Vol. 54, PMLR, 1273\u20131282. Retrieved from https:\/\/proceedings.mlr.press\/v54\/mcmahan17a.html"},{"key":"e_1_3_2_23_2","first-page":"1415","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security 22)","author":"Nguyen Thien Duc","year":"2022","unstructured":"Thien Duc Nguyen, Phillip Rieger, Roberta De Viti, Huili Chen, Bj\u00f6rn B. Brandenburg, Hossein Yalame, Helen M\u00f6llering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, et\u00a0al. 2022. \\(\\lbrace\\) FLAME \\(\\rbrace\\) : Taming backdoors in federated learning. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22). 1415\u20131432."},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.74"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24498"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991125"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2021.3118347"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","unstructured":"Johannes Stallkamp Marc Schlipsing Jan Salmen and Christian Igel. 2012. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural Networks 32 (2012) 323\u2013332. DOI:10.1016\/J.NEUNET.2012.02.016","DOI":"10.1016\/J.NEUNET.2012.02.016"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","unstructured":"Marek Wadinger and Michal Kvasnica. 2024. Adaptable and Interpretable Framework for Anomaly Detection in SCADA-based industrial systems. Expert Systems with Applications 246 (2024) 123200. DOI:10.1016\/j.eswa.2024.123200","DOI":"10.1016\/j.eswa.2024.123200"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3485447.3512222"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2019.2904348"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1201\/b14398"},{"key":"e_1_3_2_33_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Xie Chulin","year":"2020","unstructured":"Chulin Xie, Keli Huang, Pin-Yu Chen, and Bo Li. 2020. DBA: Distributed backdoor attacks against federated learning. In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_3_2_34_2","first-page":"5650","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Yin Dong","year":"2018","unstructured":"Dong Yin, Yudong Chen, Ramchandran Kannan, and Peter Bartlett. 2018. Byzantine-robust distributed learning: Towards optimal statistical rates. In Proceedings of the International Conference on Machine Learning. PMLR, 5650\u20135659."},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.5555\/3620237.3620594"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583542"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1145\/3534678.3539231"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.findings-emnlp.25"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/3123266.3123451"},{"key":"e_1_3_2_40_2","first-page":"4489","volume-title":"Advances in Neural Information Processing Systems","author":"Zhao Yue","year":"2021","unstructured":"Yue Zhao, Ryan Rossi, and Leman Akoglu. 2021. Automatic unsupervised outlier model selection. In Advances in Neural Information Processing Systems. M. Ranzato, A. Beygelzimer, Y. Dauphin, P.S. Liang, and J. Wortman Vaughan (Eds.), Vol. 34, Curran Associates, Inc., 4489\u20134502. Retrieved from https:\/\/proceedings.neurips.cc\/paper_files\/paper\/2021\/file\/23c894276a2c5a16470e6a31f4618d73-Paper.pdf"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.319"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098052"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","unstructured":"Hao Zhou Geng Yang Hua Dai and Guoxiu Liu. 2022. PFLF: Privacy-preserving federated learning framework for edge computing. IEEE Transactions on Information Forensics and Security 17 (2022) 1905\u20131918. DOI:10.1109\/TIFS.2022.3174394","DOI":"10.1109\/TIFS.2022.3174394"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","unstructured":"Tengteng Zhu Zehua Guo Chao Yao Jiaxin Tan Songshi Dou Wenrun Wang and Zhenzhen Han. 2024. Byzantine-robust Federated Learning via cosine similarity aggregation. Computer Networks 254 (2024) 110730. DOI:10.1016\/j.comnet.2024.110730","DOI":"10.1016\/j.comnet.2024.110730"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW59228.2023.00236"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3765743","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,13]],"date-time":"2025-10-13T14:33:20Z","timestamp":1760366000000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3765743"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,13]]},"references-count":44,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,11,30]]}},"alternative-id":["10.1145\/3765743"],"URL":"https:\/\/doi.org\/10.1145\/3765743","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"type":"print","value":"2471-2566"},{"type":"electronic","value":"2471-2574"}],"subject":[],"published":{"date-parts":[[2025,10,13]]},"assertion":[{"value":"2024-07-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-08-23","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-10-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}