{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T17:01:34Z","timestamp":1775840494366,"version":"3.50.1"},"reference-count":40,"publisher":"Association for Computing Machinery (ACM)","issue":"2","funder":[{"name":"FCT\/MECI","award":["UIDP\/UIDB\/04234\/2020"],"award-info":[{"award-number":["UIDP\/UIDB\/04234\/2020"]}]},{"name":"Intelligent Systems Associate Laboratory - LASI","award":["LA\/P\/0104\/2020"],"award-info":[{"award-number":["LA\/P\/0104\/2020"]}]},{"name":"ADANET","award":["PTDC\/EEICOM\/3362\/2021"],"award-info":[{"award-number":["PTDC\/EEICOM\/3362\/2021"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2026,5,31]]},"abstract":"\n Recent attacks on federated learning (FL) can introduce malicious model updates that can circumvent widely adopted Euclidean distance-based detection methods. This article proposes a novel defense strategy, referred to as LayerCAM-AE, designed to counteract model poisoning in FL. The LayerCAM-AE puts forth a new Layer Class Activation Mapping (LayerCAM) integrated with an autoencoder (AE), significantly enhancing detection capabilities. Specifically, LayerCAM-AE generates a heat map for each local model update, which is then transformed into a more compact visual explanation. The autoencoder processes the LayerCAM heat maps from the local model updates, improving their distinctiveness and increasing the accuracy in spotting anomalous maps and malicious local models. To mitigate the risk of misclassifications in LayerCAM-AE, a voting algorithm is developed, where a local model update is flagged as malicious if its heat maps are consistently suspicious over several communication rounds. Extensive tests on the SVHN and CIFAR-100 datasets are performed under both Independent and Identically Distributed (IID) and non-IID settings in comparison with the state-of-the-art ResNet-50 and REGNETY-800MF defense models. The experimental results show that LayerCAM-AE increases detection rates (Recall: 1.0, Precision: 1.0, FPR: 0.0, Accuracy: 1.0, F1 score: 1.0, AUC: 1.0) and the test accuracy of FL, surpassing both the ResNet-50 and REGNETY-800MF. Our code is available at:\n https:\/\/github.com\/jjzgeeks\/LayerCAM-AE<\/jats:ext-link>\n .\n <\/jats:p>","DOI":"10.1145\/3799892","type":"journal-article","created":{"date-parts":[[2026,3,3]],"date-time":"2026-03-03T11:10:15Z","timestamp":1772536215000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Exploring Visual Explanations for Defending Federated Learning against Poisoning Attacks: Enhancing LayerCAM with Autoencoders"],"prefix":"10.1145","volume":"29","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5728-9453","authenticated-orcid":false,"given":"Jingjing","family":"Zheng","sequence":"first","affiliation":[{"name":"CISTER","place":["Porto, Portugal"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9167-1613","authenticated-orcid":false,"given":"Xin","family":"Yuan","sequence":"additional","affiliation":[{"name":"Commonwealth Scientific and Industrial Research Organisation","place":["Sydney, Australia"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0517-2392","authenticated-orcid":false,"given":"Kai","family":"Li","sequence":"additional","affiliation":[{"name":"University of Cambridge","place":["Cambridge, United Kingdom of Great Britain and Northern Ireland"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0780-4637","authenticated-orcid":false,"given":"Wei","family":"Ni","sequence":"additional","affiliation":[{"name":"Commonwealth Scientific and Industrial Research Organization","place":["Sydney, Australia"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8979-3876","authenticated-orcid":false,"given":"Eduardo","family":"Tovar","sequence":"additional","affiliation":[{"name":"CISTER","place":["Porto, Portugal"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7013-0121","authenticated-orcid":false,"given":"Jon","family":"Crowcroft","sequence":"additional","affiliation":[{"name":"University of Cambridge","place":["Cambridge, United Kingdom of Great Britain and Northern Ireland"]}]}],"member":"320","published-online":{"date-parts":[[2026,4,10]]},"reference":[{"key":"e_1_3_2_2_2","first-page":"118","volume-title":"Proceedings of the 31st International Conference on Neural Information Processing Systems","author":"Blanchard Peva","year":"2017","unstructured":"Peva Blanchard, El Mahdi El Mhamdi, Rachid Guerraoui, and Julien Stainer. 2017. Machine learning with adversaries: Byzantine tolerant gradient descent. In Proceedings of the 31st International Conference on Neural Information Processing Systems. 118\u2013128."},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24434"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW56347.2022.00383"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","unstructured":"Xiaoyu Cao Zaixi Zhang Jinyuan Jia and Neil Zhenqiang Gong. 2022. FLCert: Provably secure federated learning against poisoning attacks. IEEE Transactions on Information Forensics and Security 17 (2022) 3691\u20133705. DOI:10.1109\/TIFS.2022.3212174","DOI":"10.1109\/TIFS.2022.3212174"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/WACV.2018.00097"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","unstructured":"Zhenzhu Chen Anmin Fu Yinghui Zhang Zhe Liu Fanjian Zeng and Robert H. Deng. 2021. Secure collaborative deep learning against GAN attacks in the internet of things. IEEE Internet of Things Journal 8 7 (2021) 5839\u20135849. DOI:10.1109\/JIOT.2020.3033171","DOI":"10.1109\/JIOT.2020.3033171"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489304"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.4266498"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00140"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"e_1_3_2_13_2","unstructured":"Forrest N. Iandola Matthew W. Moskewicz Khalid Ashraf Song Han William J. Dally and Kurt Keutzer. 2016. SqueezeNet: AlexNet-level accuracy with 50x fewer parameters and <1MB model size. arXiv:1602.07360. Retrieved from http:\/\/arxiv.org\/abs\/1602.07360"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","unstructured":"Peng-Tao Jiang Chang-Bin Zhang Qibin Hou Ming-Ming Cheng and Yunchao Wei. 2021. LayerCAM: Exploring hierarchical class activation maps for localization. IEEE Transactions on Image Processing 30 (2021) 5875\u20135888. DOI:10.1109\/TIP.2021.3089943","DOI":"10.1109\/TIP.2021.3089943"},{"key":"e_1_3_2_15_2","unstructured":"Alex Krizhevsky and Geoffrey Hinton. 2009. Learning multiple layers of features from tiny images. (2009). Toronto ON Canada."},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","unstructured":"Kai Li Jingjing Zheng Xin Yuan Wei Ni Ozgur B. Akan and H. Vincent Poor. 2024. Data-agnostic model poisoning against federated learning: A graph autoencoder approach. IEEE Transactions on Information Forensics and Security 19 (2024) 3465\u20133480. DOI:10.1109\/TIFS.2024.3362147","DOI":"10.1109\/TIFS.2024.3362147"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","unstructured":"Wenxin Liu Hui Lin Xiaoding Wang Jia Hu Georges Kaddoum Md. Jalil Piran and Atif Alamri. 2023. D2MIF: A malicious model detection mechanism for federated-learning-empowered artificial intelligence of things. IEEE Internet of Things Journal 10 3 (2023) 2141\u20132151. DOI:10.1109\/JIOT.2021.3081606","DOI":"10.1109\/JIOT.2021.3081606"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","unstructured":"Ziwei Liu Ping Luo Xiaogang Wang and Xiaoou Tang. 2015. Deep learning face attributes in the wild. In 2015 IEEE International Conference on Computer Vision (ICCV). 3730\u20133738. DOI:10.1109\/ICCV.2015.425","DOI":"10.1109\/ICCV.2015.425"},{"key":"e_1_3_2_19_2","series-title":"Proceedings of Machine Learning Research","first-page":"1273","volume-title":"Proceedings of the 20th International Conference on Artificial Intelligence and Statistics","volume":"54","author":"McMahan Brendan","year":"2017","unstructured":"Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In Proceedings of the 20th International Conference on Artificial Intelligence and Statistics. Aarti Singh and Jerry Zhu (Eds.), Proceedings of Machine Learning Research, Vol. 54, PMLR, 1273\u20131282. Retrieved from https:\/\/proceedings.mlr.press\/v54\/mcmahan17a.html"},{"key":"e_1_3_2_20_2","unstructured":"Yuval Netzer Tao Wang Adam Coates Alessandro Bissacco Baolin Wu and Andrew Y. Ng. 2011. Reading digits in natural images with unsupervised feature learning. In NIPS Workshop on Deep Learning and Unsupervised Feature Learning 2011 5 (2011) 7."},{"key":"e_1_3_2_21_2","first-page":"1415","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security 22)","author":"Nguyen Thien Duc","year":"2022","unstructured":"Thien Duc Nguyen, Phillip Rieger, Roberta De Viti, Huili Chen, Bj\u00f6rn B. Brandenburg, Hossein Yalame, Helen M\u00f6llering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, et\u00a0al. 2022. FLAME: Taming backdoors in federated learning. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22). 1415\u20131432."},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","unstructured":"Krishna Pillutla Sham M. Kakade and Zaid Harchaoui. 2022. Robust aggregation for federated learning. IEEE Transactions on Signal Processing 70 (2022) 1142\u20131154. DOI:10.1109\/TSP.2022.3153135","DOI":"10.1109\/TSP.2022.3153135"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01044"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.74"},{"key":"e_1_3_2_25_2","volume-title":"Proceedings of the Network and Distributed Systems Security (NDSS) Symposium 2021","author":"Shejwalkar Virat","year":"2021","unstructured":"Virat Shejwalkar and Amir Houmansadr. 2021. Manipulating the byzantine: Optimizing model poisoning attacks and defenses for federated learning. In Proceedings of the Network and Distributed Systems Security (NDSS) Symposium 2021."},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991125"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","unstructured":"Siping Shi Chuang Hu Dan Wang Yifei Zhu and Zhu Han. 2022. Federated anomaly analytics for local model poisoning attack. IEEE Journal on Selected Areas in Communications 40 2 (2022) 596\u2013610. DOI:10.1109\/JSAC.2021.3118347","DOI":"10.1109\/JSAC.2021.3118347"},{"key":"e_1_3_2_28_2","series-title":"Proceedings of Machine Learning Research","first-page":"3319","volume-title":"Proceedings of the 34th International Conference on Machine Learning, ICML 2017","volume":"70","author":"Sundararajan Mukund","year":"2017","unstructured":"Mukund Sundararajan, Ankur Taly, and Qiqi Yan. 2017. Axiomatic attribution for deep networks. In Proceedings of the 34th International Conference on Machine Learning, ICML 2017 . Doina Precup and Yee Whye Teh (Eds.), Proceedings of Machine Learning Research, Vol. 70, PMLR, 3319\u20133328. Retrieved from http:\/\/proceedings.mlr.press\/v70\/sundararajan17a.html"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/3485447.3512222"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","unstructured":"Shiqiang Wang Tiffany Tuor Theodoros Salonidis Kin K. Leung Christian Makaya Ting He and Kevin Chan. 2019. Adaptive federated learning in resource constrained edge computing systems. IEEE Journal on Selected Areas in Communications 37 6 (2019) 1205\u20131221. DOI:10.1109\/JSAC.2019.2904348","DOI":"10.1109\/JSAC.2019.2904348"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","unstructured":"Duygu Nur Yaldiz Tuo Zhang and Salman Avestimehr. 2023. Secure federated learning against model poisoning attacks via client filtering. arXiv:2304.00160. Retrieved from https:\/\/arxiv.org\/abs\/2304.00160.DOI:10.48550\/ARXIV.2304.00160","DOI":"10.48550\/ARXIV.2304.00160"},{"key":"e_1_3_2_32_2","unstructured":"Leon Yao and John Miller. 2015. Tiny imagenet classification with convolutional neural networks. CS 231N 2 5 (2015) 8."},{"key":"e_1_3_2_33_2","first-page":"5650","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Yin Dong","year":"2018","unstructured":"Dong Yin, Yudong Chen, Ramchandran Kannan, and Peter Bartlett. 2018. Byzantine-robust distributed learning: Towards optimal statistical rates. In Proceedings of the International Conference on Machine Learning. PMLR, 5650\u20135659."},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583542"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/3534678.3539231"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.findings-emnlp.25"},{"key":"e_1_3_2_37_2","first-page":"4489","volume-title":"Advances in Neural Information Processing Systems","author":"Zhao Yue","year":"2021","unstructured":"Yue Zhao, Ryan Rossi, and Leman Akoglu. 2021. Automatic unsupervised outlier model selection. In Advances in Neural Information Processing Systems. M. Ranzato, A. Beygelzimer, Y. Dauphin, P.S. Liang, and J. Wortman Vaughan (Eds.), Vol. 34, Curran Associates, Inc., 4489\u20134502. Retrieved from https:\/\/proceedings.neurips.cc\/paper_files\/paper\/2021\/file\/23c894276a2c5a16470e6a31f4618d73-Paper.pdf"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/3636534.3697430"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.319"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","unstructured":"Hao Zhou Geng Yang Hua Dai and Guoxiu Liu. 2022. PFLF: Privacy-preserving federated learning framework for edge computing. IEEE Transactions on Information Forensics and Security 17 (2022) 1905\u20131918. DOI:10.1109\/TIFS.2022.3174394","DOI":"10.1109\/TIFS.2022.3174394"},{"key":"e_1_3_2_41_2","doi-asserted-by":"crossref","unstructured":"Tengteng Zhu Zehua Guo Chao Yao Jiaxin Tan Songshi Dou Wenrun Wang and Zhenzhen Han. 2024. Byzantine-robust federated learning via cosine similarity aggregation. Computer Networks 254 (2024) 110730.","DOI":"10.1016\/j.comnet.2024.110730"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3799892","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T16:05:40Z","timestamp":1775837140000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3799892"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,10]]},"references-count":40,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2026,5,31]]}},"alternative-id":["10.1145\/3799892"],"URL":"https:\/\/doi.org\/10.1145\/3799892","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,4,10]]},"assertion":[{"value":"2025-03-10","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-11-22","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-10","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}