Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et alK. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026..
Tracing Back the Malicious Clients in Poisoning Attacks to Federated Learning
Authors: Yuqi Jia, Minghong Fang, Hongbin Liu, Jinghuai Zhang, Neil Gong
NeurIPS 2025 | Venue PDF | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Moreover, we empirically show the effectiveness of FLForensics at tracing back both existing and adaptive poisoning attacks on five benchmark datasets. Our results show that FLForensics can accurately trace back malicious clients under various existing and adaptive attacks. We conduct our experiments using five diverse benchmark datasets: four image datasets (CIFAR-10, Fashion-MNIST, MNIST, and Image Net-Fruits) and one text dataset (Sentiment140). Table 2 shows the results of FLForensics and compared poison-forensics methods. This section presents several ablation studies for FLForensics, including the impact of (i) the fraction of malicious clients, (ii) degree of non-IID data, and (iii) aggregation rules. |
| Researcher Affiliation | Academia | Yuqi Jia Minghong Fang Hongbin Liu Duke University University of Louisville Duke University EMAIL EMAIL EMAIL Jinghuai Zhang Neil Gong University of California, Los Angeles Duke University EMAIL EMAIL |
| Pseudocode | Yes | Algorithm 1 FLForensics Input: Misclassified target input x, target label y, non-target input x , check points β¦= {t1, t2, , tk}, global models {wt}t β¦in the check points, selected clients Ct in each check point t β¦, and clients model updates {g(i) t }t β¦,i Ct. Output: Predicted malicious clients M. |
| Open Source Code | No | Answer: [No] Justification: All datasets are public, and we will release our code and implementation upon publication to support reproducibility. |
| Open Datasets | Yes | Datasets: We conduct our experiments using five diverse benchmark datasets: four image datasets (CIFAR-10, Fashion-MNIST, MNIST, and Image Net-Fruits) and one text dataset (Sentiment140). CIFAR-10 [29]. Fashion-MNIST [38]. MNIST [30]. Sentiment140 [23]. Image Net-Fruits [12]. |
| Dataset Splits | Yes | Following [7, 16], we model FL with 100 clients. For CIFAR-10, Fashion-MNIST, MNIST, and Image Net-Fruits we create non-IID partitions using the method of [16] (Appendix F shows the details). Since Sentiment140 already exhibits user-level non-IID, we simply group users uniformly at random into 100 clients. Table 3: Dataset statistics. CIFAR-10 # Training 50,000 # Testing 10,000 # Classes 10. |
| Hardware Specification | Yes | All the experiments are finished on one single Quadro RTX 6000 GPU with 24GB memory. |
| Software Dependencies | No | The paper mentions 'MXNet' as the implementation framework for the models but does not provide any specific version number for MXNet or other software libraries. |
| Experiment Setup | Yes | Default hyper-parameters (learning rate, batch size, global rounds, local epochs) are listed in Table 5 in Appendix. Table 5: Default parameter setting. Parameter CIFAR-10 ... # clients 100 ... # rounds 1500 ... Batch size 64 ... Learning rate 1e-2 ... |