Federated Learning with Differential Privacy for Adversarial Robustness in IoT Cybersecurity for Defending Against Data Poisoning Attacks

Federated Learning with Differential Privacy for Adversarial Robustness in IoT Cybersecurity for Defending Against Data Poisoning Attacks

1st Babatunde Alexander Abiola Research And Doctoral College University Of Greater Manchester Bolton, United Kingdom baa1res@bolton.ac.uk

ORCID: 0009-0004-8193-440X

4th Blessing Alice Alao-Olatunji Research and Doctoral College University of Greater Manchester Bolton, England bo6res@bolton.ac.uk

ORCID: 0009-0005-5665-8164

2nd John Olalere Ogunlola Research and Doctoral College University of Greater Manchester Bolton, United Kingdom jo3res@bolton.ac.uk

ORCID: 0009-0001-1546-1526

5th Adedeji Edward Adesola Research and Doctoral College University of Greater Manchester Bolton, United Kingdom adedeji198@ieee.org

ORCID: 0009-0001-8666-8292

3rd Opeyemi Victor Omolade Research And Doctoral College University of Greater Manchester Manchester, United Kingdom ovo1res@bolton.ac.uk

ORCID: 0007-6034-0778

6th Simon Olukayo Awodele Department of Computer Science Babcock University

Ilishan-Remo, Nigeria awodeles@babcock.edu.ng ORCID: 0009-0004-5740-8979

AbstractFederated learning (FL) offers a privacy-preserving paradigm for collaborative IoT intrusion detection but remains vulnerable to data poisoning. This work evaluates the interplay between client-level differential privacy stochastic gradient de- scent (DP-SGD) and adversarial robustness under GAN-based poisoning attacks on the TON IoT dataset. Robust aggrega- tion schemes (coordinate-wise Trimmed Mean and Krum) are assessed alongside DP noise using a Re´nyi-style accountant (cumulative privacy at round 10: 1.74). Results show that DP introduces a modest utility cost (accuracy drops from 0.997 to 0.957 while AUC stays > 0.996) but, when combined with Trimmed Mean, signicantly reduces attack success rate (ASR) falls from 34.8% to 3.9%. The ndings quantify the privacyutilityrobustness trade-off and provide actionable guid- ance for deploying DP-enabled, attack-resilient FL in resource- constrained IoT environments.

Index TermsFederated learning, intrusion detection systems, Internet of Things, differential privacy, poisoning attacks, robust aggregation, adversarial machine learning

1. Introduction

   Critical services in healthcare, manufacturing, and smart infrastructure are underpinned by the Internet of Things (IoT), with the IoT leading to the production of large volumes of telemetry and network data for automated analytics and intrusion detection. Signicant privacy and security risks are given rise to by the decentralised nature of IoT data, render- ing centralised data collection impractical and susceptible to exposure and points of failure that are isolated.

   These challenges are addressed by Federated Learning (FL) through the enabling of collaborative model training without transferring raw data to a central server, thereby ensuring the retention of data locality and condentiality.

   Fig. 1. Centralised learning versus federated learning architectures (adapted from [4]).

   Training on client devices is performed by FL and model updates are aggregated centrally, as illustrated in Fig. 1, making the approach well suited to distributed IoT envi- ronments. Despite these advantages, poisoning attacks pose a direct threat to FL, where compromised clients submit malicious updates to manipulate the global model [1]. Formal privacy guarantees are provided by Differential Privacy (DP) by placing constraints on the inferability of individual data contributions from shared model parameters [2]. Prior work shows that the detection of anomalous or malicious updates can be weakened by privacy noise, leading to a trade-off between privacy protection and adversarial robustness [3].

   Major threats in heterogeneous and weakly secured IoT networks are represented by poisoning and backdoor attacks, which illustrate how pronounced the issue is (see Fig. 2).

   A Differentially Private Federated Learning (DP-FL) frame-

   Fig. 2. Categories of attacks on federated learning systems (adapted from [5]).

   work is evaluated to jointly address the maintenance of privacy and resilience to poisoning in IoT settings. The TONIoT dataset, which contains real telemetry, system logs, and net- work trafc, is used to assess the framework. Generative Adversarial Networks (GANs) are utilised to produce stealthy poisoning behaviours that are underrepresented in public datasets. The non-exclusivity of privacy and robustness in practical federated IoT deployments is demonstrated by this study through the combination of DP with robust aggregation.

2. RELATED WORK

   A practical approach for privacy-aware collaborative learn- ing, particularly in distributed environments such as the In- ternet of Things (IoT) [1], has been produced by Federated Learning (FL) progressing over time into an operational paradigm. Direct data exposure is reduced by FL through keeping data on local devices and collecting and combining model updates at a central server. New vulnerabilities are introduced by this decentralised architecture, as demonstrated in prior studies, most notably poisoning and backdoor attacks in which the global model is corrupted by compromised clients manipulating model updates [4].

   1. Robust Aggregation in Federated Learning

      A primary defence against poisoning attacks has been widely studied in the literature: robust aggregation. Distance- metric-based selection of updates is performed by early meth- ods such as Krum and Multi-Krum to suppress outliers [5]. In heterogeneous IoT settings where benign updates may naturally diverge due to non-IID data distributionssystem performance can result in poorer performance, affecting these methods. Resilience to simple corruptions is improved through the removal of extreme values by coordinate-wise approaches such as Trimmed Mean and Median, but correlated or adaptive attacks continue to challenge those approaches [6]. Centrally located updates under adversarial conditions are targeted by more advanced techniques, including Geometric Median and Robust Federated Averaging [7]. Signicant computational overhead is imposed by these methods, reducing their prac- tical applicability in resource-constrained IoT environments.

      Server-side reference gradients to weight client updates are introduced by trust-based mechanisms such as FLTrust, but the reliance on clean validation data is often unrealistic in real-world IoT deployments [8].

   2. Anomaly and Reputation-Based Defences

      Poisoning detection is framed as an anomaly detection problem by an alternative research line. Colluding attackers are identied by methods such as FoolsGold through detection of overly similar gradient updates [9]. Effectiveness against Sybil-style attacks is offered by these approaches, but detec- tion capability against subtle, data-driven poisoning strategies is diminished. Client trust scores are dynamically adjusted over time by reputation-based systems [10], but additional communication and computation costs are brought about by those systems, making them poorly suited to large-scale IoT networks.

   3. Differential Privacy in Federated Learning

      Formal guarantees against information leakage are provided by Differential Privacy (DP) through injection of calibrated noise into model updates [2]. Integration of DP into federated learning has been achieved through mechanisms such as DP- FedAvg and client-level DP to provide protection for entire device contributions [11], [12]. A trade-offbetween privacy and model utility is provided evidence of by multiple studies. Statistical signals required to detect malicious updates have been masked from view by DP noise, causing a reduction in robustness against poisoning attacks [3]. The effect is rendered more pronounced in heterogeneous IoT environments where update variability is already high.

   4. GAN-Based Poisoning and Realistic Evaluation

      Realistic and stealthy poisoning behaviours have been sim- ulated using Generative Adversarial Networks (GANs) that were brought into use to better reect adaptive attackers [10]. Attack classes that are insufciently represented in IoT intrusion datasets have been augmented by GANs, improving generalisation and evaluation realism [13]. Despite this po- tential, interaction of GAN-based poisoning with Differential Privacy and robust aggregation continues to be insufciently explored.

   5. Research Gap

   Privacy preservation or poisoning robustness are predomi- nantly addressed in isolation by existing studies. Interaction of Differential Privacy noise with sophisticated poisoning attacks is insufciently understood under realistic IoT conditions characterised by non-IID data, constrained resources, and adaptive adversaries. This gap motivates the proposed DP- FL framework: robust aggregation and GAN-based adversarial simulation are brought together in the framework, and evalu- ation is performed using real IoT telemetry data.

3. Methodology

   The methodological framework adopted for the design and evaluation of a differentially private federated learning (DP- FL) system that is capable of withstanding poisoning attacks in Internet of Things (IoT) environments is depicted by this section. The interaction between privacy guarantees, adver- sarial robustness, and detection performance under controlled but realistic conditions is thoroughly analysed by engaging a quantitative, experimental methodology. The experimental de- sign, dataset preparation, adversarial modelling, and evaluation metrics are encapsulated by the methodology.

   1. Experimental Methodology

      The robustness of the proposed DP-FL framework against poisoning attacks in a distributed IoT setting is evaluated by employing a quantitative experimental design. How controlled variations in privacy and defence mechanisms inuence model performance and security is placed under quantitative assess- ment and given central emphasis by the methodology. System- atic adjustments are applied to independent variables such as privacy budget (), noise scale (), aggregation strategy, and proportion of malicious clients, while observations are made on dependent variables including accuracy, recall, AUCROC, and attack success rate.

      A simulated federated environment that mirrors the decen- tralised and heterogeneous nature of IoT networks is used to conduct the experiments. An IoT device is represented by each client, which trains locally on its own data partition, while model updates are collected and combined at a central server without direct access to raw data.

   2. Framework Architecture

      Fig. 3. Experimental workow of the proposed DP-FL framework.

      The proposed DP-FL framework consists of four tightly coupled components:

      • Federated Learning Environment: Local model train- ing is performed on mutually exclusive partitions of the TONIoT dataset, ensuring that raw data remains on- device, by multiple simulated IoT clients.

      • Differential Privacy Integration: Gaussian noise is ap- plied to client gradients after local training in accor- dance with differential privacy principles, offering formal

        privacy safeguards against inference and reconstruction attacks, by the clients.

      • Robust Aggregation: Noisy client updates are ag- gregated using robust aggregation techniques such as Trimmed Mean and Krum to mitigate the inuence of malicious or anomalous updates, by the central server.

      • GAN-Based Adversarial Simulation: Stealthy poisoned samples or gradients are generated to simulate realistic poisoning threats, enabling robust assessment under adap- tive and sophisticated attack conditions, by Generative Adversarial Networks.

   3. Experimental Flow

      Fig. 4. Experimental Flow

      Each federated learning round proceeds as follows: (i) clients perform local training; (ii) differentially private noise is applied to gradients; (iii) poisoned updates are injected into a subset of clients; (iv) the server performs robust aggregation;

      (v) the updated global model is evaluated. This cycle is repeated until convergence or a predened number of rounds is reached.

   4. Dataset and Preprocessing

      Experiments utilise the TONIoT dataset, which contains real telemetry, system logs, and network trafc collected from heterogeneous IoT devices [3]. Data are partitioned by device type to simulate non-IID distributions across clients. Preprocessing includes feature normalisation, label encoding, and controlled adversarial injection. Differential privacy noise is applied at the gradient level during training.

   5. Notation and threat model

      Let K denote the number of participating clients, indexed by i {1,…,K}. Each client i holds a private local dataset Di. The global model parameter vector at round t is w(t) Rd. During each federated round, a subset (potentially all)

      i

      of clients perform local training and submit model updates (or gradients) (t) to the server, which then aggregates the received updates to produce w(t+1).

      The adversary is assumed to control up to f compromised clients (in the experiments f/K = 0.30 was used), which may submit poisoned updates generated via a GAN-based poi- soning mechanism that aims to be stealthy under aggregation and DP noise. The server is honest-but-curious and performs aggregation using either standard averaging, coordinate-wise

      Trimmed Mean, or Krum as described below. Experimental

      Fig. 5. Pseudocode (client side) DP-SGD (per client)

      • Clip each per-example gradient gx to norm C: gx =

        C

        gx/ max 1, gx 2 .

        xD

      • Aggregate clipped gradients: g¯i = 1 gx.

        settings and dataset partitioning follow the protocol described

        • Add Gaussian noise:

        |Di| i

        in the evaluation section.

   6. Differential privacy denitions and mechanism

      (, )-differential privacy (formal denition) A random- ized mechanism M : X R satises (, )-differential pri- vacy if, for any pair of neighbouring datasets D, Dt (differing by one record) and any measurable subset S R,

      Pr[M(D) S] e Pr[M(Dt) S]+ . (1)

      Gaussian mechanism and sensitivity. For a function f :

      X Rd with L2-sensitivity 2(f ) = maxD,Dt lf (D)

      f (Dt)l2, the Gaussian mechanism releases

      2

      gi = g¯i + N (0, 2Id), where = z · C. (4)

      i

      • Send gi (or the update (t) derived from gi) to the server.

      Server aggregation (high level): Collect noisy client up- dates {gi} and apply the chosen aggregation rule (mean, Trimmed Mean, Krum, etc.) to produce the global update.

      For the privacy accounting, the per-round contribution to the global privacy loss is tracked using a privacy accountant.

      H. Robust aggregation rules: Trimmed Mean and Krum

      Coordinate-wise Trimmed Mean is computed independently for each parameter (coordinate) j {1,…, d}. Let he scalar

      j-th coordinate reported by client i at round t be g(t). Sort the

      M(D) = f (D)+ N (0, Id), (2)

      (t)

      (t)

      i,j

      which satises (, )-DP provided is chosen according to

      K values {g1,j,…, gK,j } in non-decreasing order and denote

      the sorted sequence by g(t) · · · g(t) . For an integer

      (one valid bound)

      trimming parameter b

      (1),j

      (K),j

      2(f )2 ln(1.25/) . (3)

      (number of smallest and largest values to discard), the Trimmed Mean estimate for coordinate j is

      L g

      Kb

      In differentially private stochastic gradient descent (DP- SGD), per-example (or per-client) gradient clipping enforces

      (t) 1 TMj = K 2b

      (t) (k),j

      k=b+1

      . (5)

      a known sensitivity 2, after which Gaussian noise with standard deviation proportional to the clipping norm is added. The noise multiplier is commonly expressed as z = /C, where C is the clipping norm. The privacy loss over multiple rounds is accumulated via a privacy accountant (e.g., Re´nyi DP accountant or Moments Accountant) to yield a nal (, )

      after T rounds (recommended default: = 105 or = 1/N ,

      where N is total number of records).

   7. DP-SGD procedure (client-side): Description and pseu- docode

   DP-SGD is implemented at the client side using per-

   The trim ratio can be expressed as = b/K. Typical choices ensure 2b < K; the selection of b should reect an upper bound on the number of Byzantines expected in the system. Trimmed Mean is resilient to coordinate-wise outliers but assumes that the majority of coordinate values are benign or only mildly perturbed. Exact trim parameter(s) used in each experiment should be reported explicitly.

   a) Krum (distance-based robust aggregation): Krum se- lects a single client update that is closest (in aggregate Euclidean distance) to other client updates while discounting anomalous updates. For each client i, compute the squared

   Euclidean distances dij = lgi gjl2 to all other gj. Let Si

   example gradient clipping followed by Gaussian noise in-

   be the set of

   2

   K f 2 nearest neighbours of gi (excluding

   jection. The procedure used in the experiments follows the standard client-level DP-SGD pipeline with the following steps per participating client i at round t:

   Client local update (per participating client i):

   • Compute per-example gradients .e(w(t); x) for local samples x Di.

   the largest f +1 distances). The Krum score for client i is

   2

   score(i) = L lgi gjl2. (6)

   jSi

   Krum selects the index i* = arg mini score(i) and sets the aggregated update to gi* . Multi-Krum generalises this to select

   multiple candidate updates and average them. The value of f should be set to an upper bound on the number of corrupted clients. When Krum is used in conjunction with DP noise, care should be taken because the DP noise increases inter-client distance and may affect Krums selection; parameter tuning is therefore required and must be reported.

   I. Experimental hyperparameters and reproducibility checklist

   To ensure reproducibility of the results, the following ex- perimental hyperparameters fully specied. Values available from the current experimental artifacts are included and cited; missing values are shown with recommended defaults and should be veried before submission:

   • Dataset and partitioning:

     • Dataset: TON IoT dataset (device-partitioned to sim- ulate non-IID).

     • Number of clients K

     • Partitioning strategy: by device type (non-IID).

   • Federated training:

     • Number of global rounds T : 11 (convergence ob- served within 11 rounds).

     • Clients selected per round

     • Local epochs per round

     • Local minibatch size

     • Optimizer and learning rate(s)

     • Model architecture: fully-specied MLP (number of layers, units per layer, activation functions).

   • Differential privacy:

     • Clipping norm C

     • Noise multiplier z (so = zC)

     • Privacy accountant: Re´nyi accountant (recom- mended) or Moments Accountant; name of the ac- countant used must be stated.

     • Reported privacy result

   • Robustness / attack:

     • Attack model: GAN-based poisoning (GAN archi- tecture and training schedule must be given). Provide generator/discriminator architectures, loss functions, and training epochs.

     • Fraction of compromised clients f/K: 30%.

     • Attack objective and injection method: [data-level poisoning vs. gradient replacement specify]; in current experiments, GAN-generated poisoned samples/gradients were injected into compromised clients (describe whether labels were ipped, gra- dients replaced, or crafted samples added).

   • Aggregation:

     • Trimmed Mean trimming parameter b (or trim ratio

       = b/K):

     • Krum parameter f (maximum assumed Byzantine clients):

     • Any additional aggregation-specic hyperparame- ters:

   • Repetitions and random seeds:

     • Number of independent runs per conguration: [rec- ommended 35]

     • Seeds used:

   • Evaluation:

     • Metrics reported: accuracy, precision, recall, F1, AUC-ROC, Attack Success Rate (ASR).

     • Statistical reporting: mean ± standard deviation (or 95% CI) across runs; statistical test used for pairwise

   comparisons (e.g., Wilcoxon signed-rank or paired t- test).

   J. Implementation notes and best practices

   • Per round, plotting of (t) versus global rounds should be made available, and adjacency of the selected for experiments to all privacy-budget claims must be ensured; naming and a brief conguration statement for the privacy-accountant algorithm (Renyi DP accountant, Moments Accountant, or similar) should be included as part of the documentation and made available by the authors.

   • When distance-based aggregation methods (Krum) or coordinate-wise methods (Trimmed Mean) are combined with DP noise, an increase in inter-client distances and coordinate variance is caused by the DP noise, which can reduce the capacity of robust aggregators to tell apart malicious updates; co-tuning of hyperparameters (clip norm (C), noise multiplier (z), trimming parameter (b), and Krums (f) assumption) is therefore required. Reporting of the grid or search procedure applied in order to obtain the nal hyperparameters should be performed in the manuscript.

   • Pseudocode for the full server-side round (client selection

   DP-SGD on clients optional attack injection robust aggregation global update) should be provided, and a concise complexity analysis (communication bytes

   per round, server aggregation complexity) should be included for reproducibility and assessment by reviewers.

4. Result and Discussion

   This section restates and extends the original papers nd- ings wit additional statistical rigor and concrete experiment artefacts. All quantitative summaries below are computed from the per-round tables provided in the analysis (rounds 110 used for summary statistics; round 0 excluded as warm-up).

   1. Benchmark performance (clean / baseline FL)

      Under clean (no-attack) conditions the baseline federated learning run converged quickly. Using per-round accuracies from the (rounds 110) the baseline conguration attains:

      • Accuracy (rounds 110): 0.9854 ± 0.0116 (mean ± std); 95

      • AUC (rounds 110): 0.99833 (mean across rounds 110). These per-round trends are plotted in Fig. 6, which show rapid convergence and low run-to-run variance across global rounds. An upper bound for detection performance is offered by the

        baseline model for interpretation in the experimental setup,

        Fig. 6. Accuracy vs Global Rounds

        and the network architecture and pre-processing pipeline are thereby validated.

   2. Impact of Differential Privacy

      Changes to training dynamics are introduced by client- side DP (DP-SGD) without resulting in collapse. Under the reported conguration, end-of-training (round 10) metrics are observed as: accuracy 0.9575 and AUC 0.9967 (per- round trajectories are displayed in Fig. 6). Aggregation of

      rounds 110 (round 0 treated as warm-up) yields accuracy

      0.9432 ± 0.0249 (mean ± std), 95% CI = (0.9254, 0.9610),

      and mean AUC 0.98994. A shift of the classier toward conservatism is produced by DP: recall decreases while pre- cision remains high (single-run recall 0.947); for full rigor, recall should be reported as mean ± std (or 95% CI) over 5 independent seeds.

      Statistical signicance of the accuracy reduction is indicated by paired per-round tests (FL vs. FL+DP, rounds 110): a

      paired (t)-test gives t = 6.515, p = 1.10 × 104, and a Wilcoxon signed-rank test yields (p=0.00195). When signif-

      icance is reported, inclusion of the test name, test statistic, (p)-value and an effect-size metric (e.g., Cohens (d) or rank- biserial) is required, and a statement of whether normality checks supported the use of the (t)-test should be provided.

      Cumulative privacy loss is shown to increase over rounds by the privacy accountant, reaching 1.74 at round 10 under the selected accountant and hyperparameters; this corresponds to a moderate privacy regime that accounts for the observed privacyutility trade-off (AUC remains high while

      utility metrics slightly degrade). Per-round privacy budget and convergence behaviour are plotted in Fig. 6.

      • Baseline vs FL+DP: paired t-test: t = 6.515, p = 1.0955 × 104.

      • Baseline vs FL+DP: Wilcoxon signed-rank: stat = 0.0,

      p = 0.00195.

      Both tests indicate that the reduction in accuracy introduced by DP is statistically signicant at conventional levels (p « 0.05).

      The Wilcoxon result is reported because per-round differences deviate modestly from normality; together the tests support the claim that DP causes a measurable utility drop in this experimental setup.

      The practical interpretation is that DP reduces re- call/sensitivity more than precision (the classier becomes more conservative), but AUC remains high (> 0.98 across rounds), indicating the model retains discriminative capacity

      even with privacy noise. The practical effect of ASR reduction is large, reported ASR drops from 34.8% 3.9% when moving from undefended FL to DP + Trimmed Mean (absolute reduction 30.9 percentage points), conrming Trimmed Means ability to suppress GAN-based poisoned updates in

      this setting. Fig. 7 shows a compact comparison bar chart.

      Fig. 7. Attack Success Rate by Defence Conguration

   3. Robust aggregation under GAN-based poisoning

      The manuscript reports a GAN-based poisoning attack af- fecting 30% of clients and evaluates Trimmed Mean aggre- gation combined with DP. From the we have the following per-round behaviour and nal ASR gures reported in the manuscript:

      • FL (undefended) Attack Success Rate (ASR): 34.8%

      • FL + DP (no robust aggregator) ASR: 27.5%

      • FL + DP + Trimmed Mean ASR: 3.9%

        Using the per-round accuracy measurements for the DP+GAN+robust conguration:

      • FL + DP + GAN/Robust Accuracy (rounds 110):

        0.9457 ± 0.0236; 95% CI = (0.92882, 0.96252).

      • FL + DP + GAN/Robust AUC (rounds 110): 0.98562

        (mean).

   4. Statistical comparison vs FL+DP (no robust aggregator).

      • FL+DP vs FL+DP+GAN/Robust: paired t-test: t =

        1.769, p = 0.1107 (not signicant at = 0.05).

      • FL+DP vs FL+DP+GAN/Robust: Wilcoxon signed-rank:

        stat = 1.0, p = 0.003906.

        The Wilcoxon test reports a signicant difference favoring the robust aggregator, while the paired t-test is not signicant. This mixed outcome suggests non-normal per-round differences and underlines the need to prefer a non-parametric test (Wilcoxon) in this small-sample per-round comparison. Using the non- parametric test, Trimmed Mean combined with DP yields

        a statistically signicant improvement in robustness/accuracy under the specied GAN poisoning setting.

        This section presents and interprets the experimental results of the proposed Differentially Private Federated Learning (DP- FL) framework for intrusion detection using the TONIoT dataset. Results are analysed across three congurations: stan- dard federated learning (FL), FL with differential privacy (DP- FL), and DP-FL under GAN-based poisoning with robust aggregation. Evaluation is based on accuracy, precision, recall, F1-score, AUC-ROC, privacy budget (), and attack success rate (ASR).

        a) Practical implications and interpretation.:

      • The large Cohens d ( 2.06) for Baseline vs DP shows that privacy noise materially reduces accuracy in the tested setting; this must be weighed against the privacy

        benet ( progression reported in §IV.B).

      • The moderate effect (|d| 0.56) and signicant Wilcoxon result for DP vs DP+Trimmed Mean indicate that a layered defence (DP + robust aggregator) reliably

   improves robustness against the evaluated poisoning at- tack without materially increasing accuracy loss relative to DP alone. This is consistent with the ASR reduction reported in the manuscript (34.8% 3.9% when moving from undefended FL to DP + Trimmed Mean), visualised

   in Fig. 7.

5. CONCLUSION

This study demonstrates that privacy preservation and ad- versarial robustness are not mutually exclusive in federated IoT intrusion detection. Strong privacy guarantees, stable convergence, and signicant resistance to poisoning attacks are successfully delivered by the proposed DP-FL framework through the integration of differential privacy, robust aggre- gation, and GAN-based adversarial stress testing. Practical guidance for putting into operation secure, privacy-aware federated learning systems in real-world IoT infrastructures is provided by the results. This paper makes four primary contributions. Firstly, a practical differentially private fed- erated learning (DP-FL) framework is developed that inte- grates client-level Gaussian differential privacy through DP- SGD, robust aggregation mechanisms such as coordinate-wise Trimmed Mean and other resilient aggregators, and adversarial simulation to systematically evaluate the interaction between privacy preservation and robustness in Internet of Things (IoT) environmens. Secondly, a realistic generative adversarial network (GAN)-based poisoning methodology is introduced to generate adaptive and stealthy poisoned updates, extend- ing beyond conventional label-ipping attacks and enabling rigorous stress testing of federated intrusion detection models under heterogeneous, device-level data distributions. Thirdly, a comprehensive empirical evaluation using the TON IoT dataset is conducted to quantify the privacyutilityrobustness trade- offs. The results indicate that although differential privacy introduces some reduction in raw model utility, the integration of DP with robust aggregation preserves strong discriminative

performance (AUC 0.99) while signicantly reducing attack

success rates (ASR), from 34.8% in undefended federated learning and 27.5% under DP-only settings to 3.9% when DP is combined with Trimmed Mean aggregation. Finally, the study derives practical design insights and prescriptive rec- ommendations to guide the deployment of privacy-aware and attack-resilient federated learning systems within resource- constrained IoT environments.

References

1. P. Kairouz et al., Advances and open problems in federated learning, Foundations and Trends® in Machine Learning, vol. 14, no. 12, pp. 1210, 2021.

2. C. Dwork, Differential privacy, in Proc. 33rd Int. Colloq. Automata, Languages and Programming (ICALP), Venice, Italy, 2006, pp. 112.

3. C. Xie, O. Koyejo, and I. Gupta, Differentially private poisoning attacks and defenses in federated learning, IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 4, pp. 20932107, 2023.

4. Y. Zhou, Y. Liu, T. Chen, and L. Yang, Federated learning for Internet of Things: Concepts, applications and challenges, IEEE Internet of Things Journal, vol. 8, no. 5, pp. 40354053, Mar. 2021.

5. H. Sikandar et al., Threats, attacks and defences in federated learning for IoT systems, Journal of Network and Computer Applications, vol. 216, Art. no. 103673, 2023.

6. P. Blanchard, E. M. El Mhamdi, R. Guerraoui, and J. Stainer, Machine learning with adversaries: Byzantine tolerant gradient descent, in Proc. Advances in Neural Information Processing Systems (NeurIPS), 2017,

   pp. 118128.

7. K. Pillutla, S. M. Kakade, and Z. Harchaoui, Robust aggregation for federated learning, arXiv preprint arXiv:1912.13445, 2019.

8. X. Cao et al., FLTrust: Byzantine-robust federated learning via trust bootstrapping, in Proc. Network and Distributed System Security Sym- posium (NDSS), 2021.

9. C. Fung, C. J. M. Yoon, and I. Beschastnikh, The limitations of federated learning in sybil settings, in Proc. 23rd Int. Symp. Research in Attacks, Intrusions and Defenses (RAID), 2020.

10. E. Bagdasaryan et al., How to backdoor federated learning, in Proc. Int. Conf. Articial Intelligence and Statistics (AISTATS), vol. 108, 2020,

    pp. 29382948.

11. R. C. Geyer, T. Klein, and M. Nabi, Differentially private federated learning: A client-level perspective, in Proc. NIPS Workshop on Privacy Preserving Machine Learning, 2018.

12. H. B. McMahan et al., Communication-efcient learning of deep net- works from decentralized data, in Proc. Int. Conf. Articial Intelligence and Statistics (AISTATS), vol. 54, 2017, pp. 12731282.

13. N. Moustafa, TONIoT datasets: A new generation of real-time datasets for evaluating IoT cybersecurity solutions, Sensors, vol. 21, no. 19, Art. no. 6568, 2021.

14. L. Sun et al., Robust federated learning against model poisoning at- tacks, IEEE Internet of Things Journal, vol. 9, no. 16, pp. 1459014602, Aug. 2022.

15. Y. Wang et al., Adversarially robust federated learning for IoT anomaly detection, Computers and Security, vol. 137, Art. no. 103798, 2024.

16. L. Zhao et al., Adversarial generation of stealthy model poisoning at- tacks in federated learning, IEEE Transactions on Information Forensics and Security, vol. 18, pp. 27832795, 2023.

17. K. Zhang et al., Adversarial defense in federated learning: Survey and outlook, ACM Computing Surveys, vol. 55, no. 12, pp. 138, 2022.