arxiv: 2605.16098 · v1 · pith:OXCCEDGKnew · submitted 2026-05-15 · 💻 cs.CR · cs.DC

PCDM: A Diffusion-Based Data Poisoning Attack Against Federated Learning Systems

Pith reviewed 2026-05-20 17:08 UTC · model grok-4.3

classification 💻 cs.CR cs.DC
keywords data poisoning · federated learning · diffusion model · adversarial attack · Byzantine robust aggregation · stealthy poisoning · generative model security

The pith

A conditional diffusion model lets attackers generate poisoned data for federated learning that degrades global performance while staying harder to detect than GAN outputs.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes PCDM, a diffusion-based framework that poisons data locally in federated learning systems. It embeds an adjustable poisoning vector into the diffusion process and adds a jumping diffusion strategy to produce samples efficiently. Experiments across MNIST, CIFAR, and a wireless dataset show stronger degradation of the global model and fewer statistical anomalies than prior GAN-based attacks, even against Byzantine-robust defenses. A sympathetic reader would care because the work shows how generative models can be turned into targeted, hard-to-spot threats against distributed training.

Core claim

The PCDM framework incorporates an adjustable poisoning vector inside a conditional diffusion model to control poisoned-data generation from the global context, paired with a jumping diffusion strategy that enables lightweight local sampling, delivering both attack effectiveness and stealth with theoretical performance guarantees.

What carries the argument

Poisoning-Oriented Conditional Diffusion Model (PCDM) that uses an adjustable poisoning vector and jumping diffusion strategy to generate poisoned samples locally.

If this is right

  • Attackers obtain fine-grained control over poisoning strength through the adjustable vector.
  • Theoretical guarantees link the poisoning vector to attack success rate.
  • Generated samples exhibit fewer statistical anomalies than GAN-produced data.
  • The attack remains effective against several advanced Byzantine-robust aggregation rules on image and wireless datasets.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Defenses may need to shift from checking output consistency to detecting diffusion-specific generation artifacts.
  • The same conditional-vector idea could be tested on other distributed learning settings such as split learning or decentralized training.
  • Real-world FL deployments might benefit from adding diffusion-aware data provenance checks at the server.

Load-bearing premise

The data produced by the adjustable poisoning vector and jumping diffusion remains close enough in distribution to clean data to evade advanced statistical anomaly detectors and Byzantine-robust aggregators.

What would settle it

The stealth and effectiveness claims would be falsified by an experiment that feeds PCDM-generated samples into existing statistical anomaly detectors or Byzantine-robust aggregators and finds that detection rates rise or that global model accuracy fails to drop.
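
The detector half of that experiment can be sketched from the server's side. The following is an added example, not code from the paper or from Pith: it scores each client batch against a clean reference set with a sliced Wasserstein-1 distance (Wasserstein distance is the measure the referee report names; using the sliced variant is a choice made here) and flags batches above a threshold calibrated on clean-versus-clean splits. All function names are hypothetical and the Gaussian feature vectors are constructed stand-ins for real samples.

```python
import math
import random


def wasserstein_1d(xs, ys):
    """Empirical 1-Wasserstein distance between two 1-D samples of any sizes."""
    xs, ys = sorted(xs), sorted(ys)
    n, m = len(xs), len(ys)
    i = j = pos = 0  # pos walks the quantile axis, scaled by n*m to stay integral
    total = 0.0
    while i < n and j < m:
        a, b = (i + 1) * m, (j + 1) * n  # next quantile breakpoint of each sample
        nxt = min(a, b)
        total += abs(xs[i] - ys[j]) * (nxt - pos)
        pos = nxt
        if a == nxt:
            i += 1
        if b == nxt:
            j += 1
    return total / (n * m)


def random_directions(dim, count, rng):
    """Unit vectors used to slice d-dimensional samples into 1-D projections."""
    dirs = []
    for _ in range(count):
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        norm = math.sqrt(sum(c * c for c in v))
        dirs.append([c / norm for c in v])
    return dirs


def project(rows, directions):
    """Return one list of scalar projections per direction."""
    return [[sum(x * w for x, w in zip(row, d)) for row in rows] for d in directions]


def sliced_w1(proj_a, proj_b):
    """Sliced Wasserstein-1: mean 1-D distance over all projection directions."""
    return sum(wasserstein_1d(a, b) for a, b in zip(proj_a, proj_b)) / len(proj_a)


def calibrate_threshold(proj_ref, batch_size, rng, rounds=100, alpha=0.01):
    """Score clean-vs-clean splits of the reference set and return the
    (1 - alpha) quantile: a distance that a benign batch rarely exceeds."""
    idx = list(range(len(proj_ref[0])))
    scores = []
    for _ in range(rounds):
        rng.shuffle(idx)
        held, rest = idx[:batch_size], idx[batch_size:]
        batch = [[p[k] for k in held] for p in proj_ref]
        remainder = [[p[k] for k in rest] for p in proj_ref]
        scores.append(sliced_w1(batch, remainder))
    scores.sort()
    return scores[min(rounds - 1, math.ceil((1 - alpha) * rounds) - 1)]


def audit(reference, client_batches, n_dirs=12, seed=7):
    """Return (threshold, {client_id: (score, flagged)}) for the submitted batches."""
    rng = random.Random(seed)
    directions = random_directions(len(reference[0]), n_dirs, rng)
    proj_ref = project(reference, directions)
    batch_size = min(len(b) for b in client_batches.values())
    threshold = calibrate_threshold(proj_ref, batch_size, rng)
    report = {}
    for cid, batch in client_batches.items():
        score = sliced_w1(project(batch, directions), proj_ref)
        report[cid] = (score, score > threshold)
    return threshold, report


def constructed_demo(seed=1):
    """Constructed data: 6-D Gaussian features standing in for clean samples,
    one benign batch, and one batch whose mean is shifted by 1.0 per feature."""
    rng = random.Random(seed)

    def draw(count, mean):
        return [[rng.gauss(mean, 1.0) for _ in range(6)] for _ in range(count)]

    reference = draw(300, 0.0)
    batches = {"client_benign": draw(80, 0.0), "client_shifted": draw(80, 1.0)}
    return audit(reference, batches)


if __name__ == "__main__":
    threshold, report = constructed_demo()
    print(f"threshold={threshold:.3f}")
    for cid, (score, flagged) in report.items():
        print(f"{cid}: score={score:.3f} flagged={flagged}")
```

A batch that scores under the threshold is not evidence of clean data; it only bounds the shift this one statistic can see, which is the regime the load-bearing premise above concerns.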

Figures

Figures reproduced from arXiv: 2605.16098 by Bo Gao, Ke Xiong, Khaled Ben Letaief, Pingyi Fan, Wei Sun, Yijun Chen, Yuwei Wang.

Figure 2: The overall attack model. Attacker’s targets: We assume the presence of at least one attacker with two primary goals. Firstly, the attacker aims to degrade the overall performance of the global model by misclassifying samples. Secondly, it is equally important to hide the attacks from the server’s detection. Attacker’s capabilities: The attacker can take control of or impersonate one or multiple benign cli…
Figure 1: Wireless federated learning system model.
Figure 3: Denoising Diffusion Probabilistic Model (DDPM).
Figure 4: Workflow of the PCDM approach. The significant training costs, prolonged data generation time, and substantial hardware requirements of DDPM pose challenges for its application in attacks. To address these issues, we developed PCDM, a model based on DDPM, to effectively generate poisoned data. As shown in
Figure 5: The poisoned models after different attacks.
Figure 6: Defense methods performance breakdown by attack type.
Figure 7: Accuracy of Different Defense Methods Against Various Malicious
Figure 8: Ablation study comparison of poisoned data.
Figure 9: Ablation study comparison of attack effectiveness and stealthiness.
Figure 11: Impact of E and T̂ on the effectiveness-stealthiness trade-off. VI. CONCLUSION AND FUTURE WORK: In this paper, we have proposed PCDM, a lightweight and highly stealthy data poisoning attack for FL systems, which introduced a specialized poisoning vector and an innovative jumping diffusion strategy to enable highly stealthy and efficient attacks. We have also provided a comprehensive theoretical analysis d…
Figure 10: Sensitivity analysis of attack performance with respect to poisoning
Original abstract

Federated learning (FL) is vulnerable to data poisoning attacks due to its distributed nature. Although recent GAN-based data poisoning methods have indicated the potential of using generative AI to generate seemingly legitimate poisoned data, the inherent consistency of GAN outputs can still reveal a sign of data poisoning. In this paper, we propose a diffusion-based data poisoning framework against FL systems, which leverages a Poisoning-Oriented Conditional Diffusion Model (PCDM) to enable fine-grained control over the local generation of poisoned data while ensuring both attack effectiveness and stealthiness. Our PCDM incorporates an adjustable poisoning vector within the global context to precisely control the generation of poisoned data, with theoretical guarantees on attack performance. Furthermore, it employs a novel jumping diffusion strategy for lightweight and efficient poisoned data generation. We conduct the most systematic and broad experimental evaluation for FL poisoning attacks against various defenses, including advanced Byzantine robust aggregation mechanisms, on four open datasets: MNIST, Fashion-MNIST, CIFAR-10, CIFAR-100, and a real-world wireless-specific dataset VRAI. Our results demonstrate that PCDM is less likely to exhibit statistical anomalies compared with the state-of-the-art methods while more effectively degrading global FL performance, which poses a significant risk to data security in FL.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes PCDM, a Poisoning-Oriented Conditional Diffusion Model for data poisoning attacks in federated learning. It uses an adjustable poisoning vector inserted into the global context for fine-grained control over poisoned data generation, combined with a jumping diffusion strategy for efficiency, and claims theoretical guarantees on attack performance along with stealthiness. The authors report systematic experiments on MNIST, Fashion-MNIST, CIFAR-10, CIFAR-100, and the VRAI wireless dataset, showing that PCDM degrades global model performance more effectively than prior methods while exhibiting fewer statistical anomalies against Byzantine-robust aggregators and anomaly detectors.

Significance. If the central claims hold, the work would be significant for introducing a diffusion-based poisoning framework that offers tunable control and claimed theoretical backing, potentially exposing limitations in current FL defenses. The broad evaluation across five datasets and multiple defense categories strengthens the practical relevance, and the emphasis on stealth via generative modeling could inform future defense research.

major comments (2)
  1. [Theoretical Analysis] Theoretical guarantees section: the claimed theoretical guarantees on attack performance do not derive or state explicit bounds (e.g., total variation or Wasserstein distance) on the distributional shift induced by the adjustable poisoning vector and conditioning, which is load-bearing for the stealthiness argument against statistical anomaly detectors and Byzantine-robust methods.
  2. [Experiments] Evaluation section (experiments on MNIST/Fashion-MNIST/CIFAR/VRAI): the reported effectiveness and anomaly-evasion results rely on post-hoc choices for the poisoning vector scale and jumping diffusion parameters without ablation showing sensitivity or robustness of these choices, leaving the superiority claim over SOTA methods dependent on unverified hyperparameter tuning.
minor comments (2)
  1. [Abstract] The abstract and introduction should clarify the exact threat model assumptions (e.g., number of compromised clients, knowledge of global model) to align with the experimental setup.
  2. [Figures] Figure captions for the diffusion process and attack pipeline would benefit from explicit notation linking to the adjustable poisoning vector definition.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments on our paper. We address each of the major comments in detail below and indicate the revisions we plan to make to strengthen the manuscript.

  1. Referee: [Theoretical Analysis] Theoretical guarantees section: the claimed theoretical guarantees on attack performance do not derive or state explicit bounds (e.g., total variation or Wasserstein distance) on the distributional shift induced by the adjustable poisoning vector and conditioning, which is load-bearing for the stealthiness argument against statistical anomaly detectors and Byzantine-robust methods.

    Authors: We appreciate the referee highlighting this aspect of our theoretical analysis. Our current theoretical guarantees focus on the convergence properties of the federated learning process under the PCDM attack and the expected impact on model performance, leveraging the properties of the diffusion model and the adjustable poisoning vector. However, we acknowledge that we have not explicitly derived or stated bounds on the distributional shift (such as total variation or Wasserstein distance) between the poisoned and clean data distributions. This could indeed bolster the stealthiness claims. In the revised version, we will extend the theoretical section to include such explicit bounds derived from the conditioning mechanism and jumping strategy. revision: yes

  2. Referee: [Experiments] Evaluation section (experiments on MNIST/Fashion-MNIST/CIFAR/VRAI): the reported effectiveness and anomaly-evasion results rely on post-hoc choices for the poisoning vector scale and jumping diffusion parameters without ablation showing sensitivity or robustness of these choices, leaving the superiority claim over SOTA methods dependent on unverified hyperparameter tuning.

    Authors: The referee is correct that our experimental results would benefit from additional ablation studies on the key hyperparameters, namely the poisoning vector scale and the jumping diffusion parameters. While these were selected through careful preliminary experiments to balance attack effectiveness and stealthiness, we did not present a full sensitivity analysis in the manuscript. We will add comprehensive ablation studies in the revised evaluation section to demonstrate the robustness of our chosen parameters and to further validate the superiority over state-of-the-art methods. revision: yes

Circularity Check

0 steps flagged

No significant circularity detected in derivation chain

The PCDM framework introduces an adjustable poisoning vector and jumping diffusion strategy as design choices for controlling poisoned data generation in FL. Theoretical guarantees on attack performance are stated as part of the model construction rather than derived from fitted experimental outputs. Stealthiness claims rest on empirical comparisons across MNIST, Fashion-MNIST, CIFAR-10/100, and VRAI datasets against Byzantine-robust aggregators, without any reduction of performance metrics to self-fitted parameters or self-citation chains by construction. The derivation remains self-contained, with independent content from the proposed diffusion conditioning and systematic experimental validation.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 1 invented entities

The central claim rests on standard federated learning threat model assumptions plus the modeling choice that diffusion can be conditioned to produce stealthy poisons; no new physical entities are postulated.

free parameters (1)
  • poisoning vector scale
    Adjustable parameter introduced to control the strength of poisoning in the conditional generation process.
axioms (1)
  • domain assumption: A subset of clients can be fully compromised and replace their local data with model-generated poisoned samples.
    Standard FL poisoning threat model invoked to justify the attack setting.
invented entities (1)
  • Poisoning-Oriented Conditional Diffusion Model (PCDM) · no independent evidence
    purpose: Generate controlled poisoned data samples for the attack.
    New model architecture proposed in the paper; no independent evidence outside the attack experiments is provided.

pith-pipeline@v0.9.0 · 5766 in / 1364 out tokens · 59464 ms · 2026-05-20T17:08:52.114397+00:00 · methodology
