Abstract
Federated learning (FL) protects privacy in deep learning by enabling clients to train a model collaboratively without sharing their data. However, it is vulnerable to poisoning attacks in which adversaries craft malicious client updates. This thesis studies data poisoning attacks under secure aggregation with non-independent and identically distributed (non-IID) clients, investigating whether security can be achieved without breaking the privacy boundary. Our approach treats the post-aggregation model update as structured data, detects directional fingerprints of collusion using median-centred statistics and the median absolute deviation (MAD), and applies a soft, neuron-wise mask only where the evidence is strongest. A lightweight class-conditional divergence check on a small public validation set flags suspicious rounds, and a short pseudo-label reconstruction step repairs flagged contributions so that the benign signal is not discarded. All analysis and mitigation occur after the secure-aggregation masks cancel, so per-client updates remain private, the aggregation outcome is unchanged, and the defense adds one small server pass with no extra rounds or client metadata. Experiments on popular image classification datasets, such as MNIST (Modified National Institute of Standards and Technology), with compact CNNs (convolutional neural networks) and staged label flipping demonstrate the effectiveness of the proposed approach: undefended training exhibits the expected failure pattern, the directional screen alone yields partial recovery, and the full defended aggregation yields stable recovery. Mitigation concentrates in the classifier head and, at times, the deepest convolutional layer, consistent with the attack mechanism. Although the study is limited to a small number of clients and a standard benchmark dataset, the results indicate that privacy and security need not be in conflict.
Making the aggregate update the unit of analysis and the neuron the unit of action reduces adversarial influence while preserving useful signal from non-IID clients, and keeps secure aggregation intact.
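To make the screening idea concrete, the sketch below is a minimal, simplified construction of a median/MAD directional screen with a soft neuron-wise mask on an aggregated layer update. The function name, the per-neuron scoring rule (row norms), and the threshold value are illustrative assumptions, not the implementation evaluated in the thesis:

```python
import numpy as np

def soft_mask_update(update, z_thresh=3.0, eps=1e-8):
    """Dampen neurons of an aggregated layer update whose magnitude
    deviates strongly from the layer's robust centre (median / MAD).

    update: array of shape (neurons, inputs), the post-aggregation
            update for one layer. Per-client updates are never seen.
    """
    # Per-neuron evidence score: magnitude of each neuron's update row
    # (an assumed scoring rule for this sketch).
    scores = np.linalg.norm(update, axis=1)

    # Median-centred robust z-score; 1.4826 rescales MAD to match the
    # standard deviation under a normal model.
    med = np.median(scores)
    mad = np.median(np.abs(scores - med)) + eps
    z = np.abs(scores - med) / (1.4826 * mad)

    # Soft mask: 1 where evidence of anomaly is weak (z <= z_thresh),
    # shrinking toward 0 as the robust z-score grows.
    mask = np.clip(z_thresh / np.maximum(z, eps), 0.0, 1.0)
    return update * mask[:, None], z
```

Because the screen acts on the already-aggregated update, it composes with secure aggregation: nothing about any individual client is inspected, and benign neurons (mask of 1) pass through unchanged.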