Paper deep dive
FedTrident: Resilient Road Condition Classification Against Poisoning Attacks in Federated Learning
Sheng Liu, Panos Papadimitratos
Abstract
FL has emerged as a transformative paradigm for ITS, notably camera-based Road Condition Classification (RCC). However, by enabling collaboration, FL-based RCC exposes the system to adversarial participants launching Targeted Label-Flipping Attacks (TLFAs). Malicious clients (vehicles) can relabel their local training data (e.g., from an actual uneven road to a wrong smooth road), consequently compromising global model predictions and jeopardizing transportation safety. Existing countermeasures against such poisoning attacks fail to maintain resilient model performance near the necessary attack-free levels in various attack scenarios due to: 1) not tailoring poisoned local model detection to TLFAs, 2) not excluding malicious vehicular clients based on historical behavior, and 3) not remedying the already-corrupted global model after exclusion. To close this research gap, we propose FedTrident, which introduces: 1) neuron-wise analysis for local model misbehavior detection (notably including attack goal identification, critical feature extraction, and GMM-based model clustering and filtering); 2) adaptive client rating for client exclusion according to the local model detection results in each FL round; and 3) machine unlearning for corrupted global model remediation once malicious clients are excluded during FL. Extensive evaluation across diverse FL-RCC models, tasks, and configurations demonstrates that FedTrident can effectively thwart TLFAs, achieving performance comparable to that in attack-free scenarios and outperforming eight baseline countermeasures by 9.49% and 4.47% for the two most critical metrics. Moreover, FedTrident is resilient to various malicious client rates, data heterogeneity levels, complicated multi-task, and dynamic attacks.
Links
- Source: https://arxiv.org/abs/2603.19101v1
- Canonical: https://arxiv.org/abs/2603.19101v1
Full Text
FedTrident: Resilient Road Condition Classification Against Poisoning Attacks in Federated Learning
Sheng Liu and Panagiotis Papadimitratos
Manuscript received X X, 2026; revised X X, 2026. (Corresponding author: Sheng Liu.) Sheng Liu and Panagiotis Papadimitratos are with the Networked Systems Security Group, KTH Royal Institute of Technology, 114 28 Stockholm, Sweden (e-mail: shengliu@kth.se; papadim@kth.se).

Abstract
Federated Learning (FL) has emerged as a transformative paradigm for Intelligent Transportation Systems (ITS). With a server aggregating model parameters from vehicles and distributing an updated model to them, FL can train various models supporting advanced ITS tasks, notably camera-based Road Condition Classification (RCC), in a user-privacy-preserving and edge-resource-efficient manner. However, by enabling collaboration, FL-based RCC exposes the system to adversarial participants launching Targeted Label-Flipping Attacks (TLFAs). Malicious clients (vehicles) can relabel their local training data (e.g., from an actual “uneven” road to a wrong “smooth” road), consequently compromising global model predictions and jeopardizing transportation safety. Existing countermeasures against such poisoning attacks fail to maintain resilient model performance near the necessary attack-free levels in various attack scenarios due to: 1) not tailoring poisoned local model detection to TLFAs, 2) not excluding malicious vehicular clients based on historical behavior, and 3) not remedying the already-corrupted global model after exclusion.

To close this research gap, we propose FedTrident, which introduces: 1) neuron-wise analysis for local model misbehavior detection (notably including attack goal identification, critical feature extraction, and Gaussian Mixture Model (GMM)-based model clustering and filtering); 2) adaptive client rating for client exclusion according to the local model detection results in each FL round; and 3) machine unlearning for corrupted global model remediation once malicious clients are excluded during FL. Extensive evaluation across diverse FL-RCC models, tasks, and configurations demonstrates that FedTrident can effectively thwart TLFAs, achieving performance comparable to that in attack-free scenarios and outperforming eight baseline countermeasures by 9.49% and 4.47% for the two most critical metrics. Moreover, FedTrident is resilient to various malicious client rates, data heterogeneity levels, complicated multi-task, and dynamic attacks.

I Introduction
Intelligent Transportation Systems (ITS) hinge on timely and reliable perception of the road environment, where the automated identification of surface conditions (such as unevenness level, friction magnitude, and material type) plays a crucial role [5]. In practice, an autonomous vehicle that anticipates a waterlogged stretch via on-board cameras and a deep neural network (DNN)-based Road Condition Classification (RCC) module can proactively modulate speed, reconfigure traction control, and adjust suspension settings. Image data is particularly suitable for RCC [28], as cameras are widely deployed and cost-effective, yet they can capture fine-grained contextual features that improve classification accuracy. Training RCC models solely on images collected and stored locally at each vehicle separately would suffer from a skewed perception (e.g., one weather and road type mostly encountered).
Shifting to centralized data collection and model training is also unsustainable in the long run for three reasons: 1) evolving regulations about user privacy (see https://geospy.ai/), e.g., GDPR (https://gdpr-info.eu/) in Europe, CCPA (https://w.oag.ca.gov/privacy/ccpa) in the United States, and PIPL (http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm) in China, restrict individual data aggregation and transmission; 2) the computation and storage burden is concentrated at the data center (server), leaving on-board resources underutilized; and 3) transmitting raw images implies high bandwidth usage and increased response latency for vehicles. Federated Learning (FL) [26, 23, 47] resolves the tension between regulation considerations and resource utilization. Through iterative client-server exchange of model parameters in cross-device horizontal FL, a high-performance global RCC model can be learned without direct image data sharing [41], while capturing road conditions across a large-scale deployment with varying environments.

However, FL-based RCC systems, which accept contributions from potentially any participant, are vulnerable to compromised or adversarial clients. Targeted Label-Flipping Attacks (TLFAs) [34] are a particularly potent threat: malicious clients deliberately poison their local data by flipping labels from a source class (true) to a target class (falsified). Such poisoned data is then used for local model training, and its contributions mislead the prediction results of the aggregated global model. For example, as illustrated in Fig. 1, if an adversary relabels road evenness labels from “uneven” to “smooth” during the FL training phase, its local model would learn incorrectly from this mislabeled data. Through aggregation rounds in which such an adversary participates, this local corruption progressively poisons the global model. During the inference phase, the consequent RCC model may misclassify actual “uneven” conditions as “smooth” in this example. Such an underestimation of hazardous road conditions would increase accident rates and jeopardize transportation safety. Indeed, both findings in [21] and our analysis in Section V-B demonstrate a catastrophic performance degradation in FL-RCC systems due to TLFAs in the absence of defense mechanisms. TLFAs pose a highly practical threat: unlike more complex attacks (e.g., backdoor attacks [20]) that require manipulating image pixels or features, TLFAs only necessitate simple label replacement operations, making them easy for adversaries to launch using on-vehicle resources.

Figure 1: Illustration of TLFAs in FL-RCC systems. (A) Training Phase: Malicious clients deliberately mislabel their data, e.g., from uneven to smooth; thus, their local models are poisoned after local training, and the global model is also poisoned after global aggregation. (B) Inference Phase: Vehicles equipped with the learned model would predict wrong road conditions that threaten transportation safety, e.g., consider actual uneven roads as smooth.

Although there are various countermeasures against poisoning attacks, they struggle to restore the misclassification level to that of an attack-free scenario while ensuring robustness in various attack scenarios (even for the state-of-the-art countermeasure against TLFAs for FL-RCC, DEFEND [22]), because of the following three critical limitations:

1. Lack of poisoned local model detection tailored to TLFAs. Popular defensive mechanisms, such as FoolsGold [7] and FLAME [27], consider general poisoning attacks; thus, their feature extraction and detection algorithms are not specific to TLFAs. The image data used in FL-RCC are essentially Non-Independent and Identically Distributed (Non-IID), as vehicle driving behaviors vary across locations and over time. General detection methods can easily misidentify poisoned models as benign in such a heterogeneous environment, because legitimate updates themselves also exhibit large variance. Recent poisoning attack mitigation methods primarily focus on backdoor attacks [6] or untargeted attacks [42], rather than TLFAs. FLARE [21] and DEFEND [22] only utilize magnitudes for detection; more effective neuron-wise analysis is missing.

2. Shortage of malicious vehicular client exclusion after detection. Current countermeasures focus on model-level misbehavior detection but overlook vehicle-level exclusion of malicious clients based on those results. When local models are detected and filtered only during training, malicious clients would consistently contribute poisoned models to aggregation, thereby increasing the risk of poisoning and the burden on defensive mechanisms. FLARE [21] incorporates a simple count-based client filtering method, and it is moderately effective according to evaluation results. DEFEND [22] designs partially adaptive client rating with fixed unit rating values; more adaptive exclusion should be developed.

3. Absence of already-corrupted global model remediation beyond detection. Even if a malicious client is eventually identified and successfully excluded, the state-of-the-art, including DEFEND [22], is passive, preventing only current and future poisonous contributions. The malicious updates submitted by the adversary in previous aggregation rounds may already have been deemed benign and integrated into the global model, leaving it in a corrupted state. This “residual” poison persists within the global model’s parameters, continuing to degrade performance and skew predictions long after the attacker is removed. Consequently, any strategy focusing solely on model detection and client exclusion is insufficient [43]. An active remediation mechanism is essential to cleanse the global model from past poisoning. The global model recovery literature, e.g., PeriRecover [10], presumes detection and exclusion, and focuses on remediation. How to integrate remediation together with detection and exclusion is missing.

To fill this gap, building on our earlier work [21, 22], this paper proposes FedTrident, the first defense of its kind that systematically integrates poisoned local model detection, malicious vehicular client exclusion, and corrupted global model remediation for FL-RCC. In each FL round, FedTrident first pinpoints the source and target classes (neurons) implicated by TLFAs via neuron-wise analysis of the output layer of each local model. With the two neurons recognized: 1) local model parameters directly connected to them are extracted and then clustered with a Gaussian Mixture Model (GMM) to detect poisoned models, which are then filtered out before global aggregation; 2) two core metrics evaluating TLFAs, Source Recall (SRE; the fraction of source class samples that are correctly classified) and Attack Success Rate (ASR; the ratio of samples with the source label misclassified into the target class), are calculated to track the global model performance during training: if performance drops below a threshold, the current global model is still considered contaminated even after the local model filter and is thus discarded. Moreover, leveraging the aforementioned poisoned local model detection, FedTrident introduces an adaptive client rating strategy based on decision theory [31]. A client's rating is decremented if its model detection result is bad in a round and incremented otherwise. Once its rating falls below a threshold, the client is identified as malicious with high confidence and promptly excluded from subsequent FL rounds. After exclusion, the adversary’s historical contributions to the global aggregation are also removed by utilizing machine unlearning, remedying the corrupted global model.

Extensive experiments across six DNNs (ResNet-18 [8], ResNet-34 [8], MobileNet-V3 [9], EfficientNet-B1 [36], DenseNet-121 [11], and Deit-Tiny [38]) and three RCC tasks (friction, material, unevenness classification, and their combination) show that the proposed FedTrident outperforms eight baselines (FedAvg [26], Krum [4], Trimmed Mean (TMean) [46], Median [46], FoolsGold [7], FLAME [27], FLARE [21], and DEFEND [22]) in terms of four evaluation metrics (Global Accuracy (GAC), SRE, ASR, and Global Accuracy of Safety (GAS)). Moreover, FedTrident is resilient to various malicious client rates, diverse data heterogeneity levels, complicated multi-tasks, and dynamic attacks. In brief, the main contributions of this paper are:

1. The first complete defense of its kind that systematically integrates poisoned local model detection, malicious vehicular client exclusion, and corrupted global model remediation for FL-RCC against TLFAs.
2. An effective neuron-wise analysis method for detection, an adaptive client rating method for exclusion, and a retroactive machine unlearning method for remediation.
3. An extensive evaluation that demonstrates the superiority and resilience of the proposed methods in defending against TLFAs. Notably, when FL-RCC is hit by TLFAs, FedTrident maintains the same model performance as in the attack-free scenario and outperforms the best baseline defense scheme on average by 9.49% and 4.47% for SRE and ASR, respectively.

Section II reviews recent studies on camera-based FL-RCC, TLFAs, and corresponding countermeasures. Section III details the system and adversary models. Our scheme, FedTrident, is introduced in Section IV and evaluated in Section V. Section VI concludes and discusses future research. For readability, the key abbreviations used in the paper are listed in TABLE I.
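The neuron-wise analysis sketched here (and spelled out in lines 11-16 of Algorithm 1 later in the paper) starts from the per-neuron change of each local model's output layer. The block below is an added illustration written for this page, not FedTrident's own code: it computes the $\ell_2$ magnitude of each output neuron's parameter change per client, sums them across participants, picks the Top-2 neurons as the suspected source/target pair, and extracts the parameters connected to those two neurons as per-client features. The paper's "combine angles" step and its GMM clustering are not reproduced; a median-based outlier split is used as a stand-in (an assumption, not the paper's method), and the toy weight matrices are constructed.

```python
"""Neuron-wise analysis of output-layer updates, as an added illustration that
is not the paper's code. Only the magnitude part of Algorithm 1 (lines 11-16)
is implemented; the angle combination and GMM clustering are replaced by a
median-based outlier split (assumption). All weights below are constructed."""
import math
from typing import Dict, List, Set, Tuple

Layer = List[List[float]]  # output layer L: one weight row per neuron l_1..l_E


def neuron_deltas(global_layer: Layer, local_layer: Layer) -> List[float]:
    """||Delta^t_{k,l}||_2 for each output neuron l: how far client k moved neuron l
    away from the global model it started the round from (Algorithm 1, lines 11-12)."""
    return [math.sqrt(sum((w - g) ** 2 for w, g in zip(local_row, global_row)))
            for local_row, global_row in zip(local_layer, global_layer)]


def identify_source_target(global_layer: Layer, local_layers: Dict[str, Layer]) -> Tuple[int, int]:
    """Sum the neuron-wise magnitudes over all participants and return the Top-2
    neurons as the identified (f^t', g^t') pair, lower index first (lines 14, 16)."""
    num_neurons = len(global_layer)
    total = [0.0] * num_neurons
    for layer in local_layers.values():
        for l, magnitude in enumerate(neuron_deltas(global_layer, layer)):
            total[l] += magnitude
    top2 = sorted(range(num_neurons), key=lambda l: total[l], reverse=True)[:2]
    return tuple(sorted(top2))


def critical_features(global_layer: Layer, local_layers: Dict[str, Layer],
                      neurons: Tuple[int, int]) -> Dict[str, List[float]]:
    """U^t: each client's parameter changes restricted to the two implicated neurons,
    concatenated into one feature vector per client (line 17)."""
    return {k: [w - g for l in neurons for w, g in zip(layer[l], global_layer[l])]
            for k, layer in local_layers.items()}


def flag_outliers(features: Dict[str, List[float]], factor: float = 3.0) -> Set[str]:
    """Stand-in for the GMM clustering (assumption): flag clients whose feature
    norm exceeds `factor` times the median feature norm of the round."""
    norms = {k: math.sqrt(sum(x * x for x in v)) for k, v in features.items()}
    ordered = sorted(norms.values())
    median = ordered[len(ordered) // 2]
    return {k for k, n in norms.items() if n > factor * median}


# Constructed toy round: 4 output neurons x 3 weights; c1 and c2 drift slightly
# (benign Non-IID variation), c3 pushes neurons 1 and 3 hard in opposite directions.
GLOBAL_LAYER: Layer = [[0.1, 0.2, 0.3]] * 4
LOCAL_LAYERS: Dict[str, Layer] = {
    "c1": [[0.12, 0.21, 0.29], [0.11, 0.19, 0.31], [0.09, 0.22, 0.30], [0.10, 0.20, 0.28]],
    "c2": [[0.08, 0.20, 0.32], [0.10, 0.23, 0.30], [0.12, 0.18, 0.29], [0.11, 0.20, 0.31]],
    "c3": [[0.10, 0.20, 0.30], [0.90, 1.00, 1.10], [0.10, 0.20, 0.30], [-0.70, -0.60, -0.50]],
}


def analyse_round(global_layer: Layer = GLOBAL_LAYER,
                  local_layers: Dict[str, Layer] = LOCAL_LAYERS) -> Tuple[Tuple[int, int], Set[str]]:
    """Full pipeline for one round: suspected neuron pair and flagged clients."""
    pair = identify_source_target(global_layer, local_layers)
    flagged = flag_outliers(critical_features(global_layer, local_layers, pair))
    return pair, flagged


if __name__ == "__main__":
    print(analyse_round())
```

The median split is deliberately crude; the paper's point is that under Non-IID data benign magnitudes vary widely, which is why it adds angle information and a GMM rather than a fixed cut-off.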
II Background and Related Work
This section first provides a basic background on FL-RCC, then introduces poisoning attacks that threaten current systems, and countermeasures from three perspectives: detection, exclusion, and remediation. TABLE II summarizes and compares existing solutions.

II-A Federated Learning (FL)-based Road Condition Classification (RCC)
RCC is a critical function for smart vehicles [24]. It enables timely adjustments to braking, steering, suspension, and other driver-assistance systems in response to local, unpredictable environmental changes, such as weather conditions. While here we focus on camera-based RCC [50, 29], the task can also rely on other sensors, such as inertial units [3, 39]. Nonetheless, cameras are or will soon be practically ubiquitous, and equally important, can support proactive detection: a vehicle can perceive and classify conditions such as a water puddle or cracked asphalt well before it makes contact. This contrasts sharply with sensors such as inertial units, which can only supply post-facto data (i.e., after the road puddle or crack is met). To leverage privacy-sensitive data while utilizing distributed on-board resources, the feasibility of FL-based RCC systems was recently explored. FedRD [48] demonstrates high-performing and privacy-preserving hazardous road damage detection. Follow-up works, FLRSC [40] and FedRSC [41], further support multi-label RCC tasks within an edge-cloud FL paradigm. However, current FL-RCC proposals primarily focus on improving classification performance and privacy guarantees. Securing these systems against active adversaries remains a largely open problem.

TABLE I: The list of key abbreviations used in this paper.
Abbreviation | Meaning
ITS | Intelligent Transportation Systems
DNN | Deep Neural Network
RCC | Road Condition Classification
FL | Federated Learning
TLFA | Targeted Label-Flipping Attack
Non-IID | Non-Independent and Identically Distributed
GMM | Gaussian Mixture Model
SRE | Source Recall
ASR | Attack Success Rate
GAC | Global Accuracy
GAS | Global Accuracy of Safety
MPA | Model Poisoning Attack
DPA | Data Poisoning Attack
SVM | Support Vector Machine
KD | Knowledge Distillation
VPKI | Vehicular Public Key Infrastructure
V2X | Vehicle to Vehicle/Infrastructure
RSCD | Road Surface Classification Dataset

II-B Poisoning Attacks Against FL-RCC
Poisoning attacks in FL can be broadly classified as Model Poisoning Attacks (MPAs) [35, 44] and Data Poisoning Attacks (DPAs) [37, 13, 18]. MPAs demand significant adversarial expertise and computational resources to directly manipulate millions of model parameters [12, 34]. DPAs, in contrast, merely require the simpler operation of altering local data labels, making them more efficient to launch by resource-restricted on-board vehicle platforms. Furthermore, as the FL server can only access local model updates, and not client data, for privacy reasons, the act of data poisoning is, inherently, less visible than model poisoning. Within the DPA category, attacks can be either untargeted or targeted [34]. Untargeted DPAs aim to degrade the global model's overall performance, but the resultant indiscriminate degradation is often conspicuous, making it more easily detected and countered by the FL system before actual model deployment. Targeted DPAs, notably TLFAs [37, 19], pose a more insidious and significant threat in the context of RCC. On the one hand, a targeted attack is easier to disguise as a benign outlier in a heterogeneous environment. On the other hand, the asymmetric risk inherent in the RCC task allows an adversary to focus on safety-critical misclassifications.
To revisit our earlier example, an adversary forcing the model to misclassify “uneven” as “smooth” directly jeopardizes vehicle safety. In contrast, the opposite misclassification (“smooth” → “uneven”) primarily impacts traffic efficiency. Given their stealthiness, practicality, and high harm potential, TLFAs are the focus of our investigation.

TABLE II: Comparative evaluation of available solutions (● Supported, ◐ Partially Supported, ○ Not Supported)
Solution | Detection∗ | Exclusion† | Remediation‡ | Highlights (+ pros and - cons)
TMean/Median [46] | ● | ○ | ○ | Removes extremes or takes the median of client updates to limit outlier influence. + Simple, could work when most clients are honest and under IID data. - Vulnerable to optimization-based and colluding attacks as well as Non-IID data.
FoolsGold [7] | ● | ○ | ○ | Down-weights clients whose gradient histories are overly similar. + Directly exploits behavioral similarity as a robust, model-agnostic signal. - Effectiveness drops with sophisticated diversification and non-Sybil strategies.
FLAME [27] | ◐ | ○ | ○ | Clusters client updates and injects calibrated noise plus clipping to erase backdoors. + Demonstrates practical backdoor mitigation with modest impact on benign accuracy. - Challenged by adaptive attacks and extreme heterogeneity.
FreqFed [6] | ◐ | ○ | ○ | Uses frequency-domain analysis of model updates to distinguish poisoned contributions. + Effectively exposes backdoor and untargeted attacks. - Heavily tied to assumed spectral patterns and model structures.
LFGurad [34] | ● | ○ | ○ | Uses last-layer activations with an SVM to flag malicious participants. + Tailored to vehicular networks with a concrete pipeline for attack detection. - Depends on a representative, trusted auxiliary dataset.
FLDetector [49] | ◐ | ◐ | ○ | Checks temporal consistency of local updates via Hessian-informed trajectory prediction. + Works without a clean validation set on the server side. - Fragile under strong Non-IID data and a large number of malicious clients.
UL [43] | ○ | ○ | ◐ | Removes backdoors by historical update subtraction and improves accuracy by KD. + Requires no client participation and no knowledge of triggers. - TLFAs, Non-IID data, and large-scale FL systems are unconsidered.
PeriRecover [10] | ○ | ○ | ● | Periodically reconstructs a clean model by reusing stored training states. + Achieves near-train-from-scratch recovery within a short time. - Requires extensive logging of training history and rests on strong smoothness assumptions.
FLARE [21] | ● | ● | ○ | Combines cluster-based misbehavior detection with a count-based client filter. + Improves performance compared to other baselines. - Still leaves a noticeable gap to the no-attack baseline, and remediation is untouched.
DEFEND [22] | ● | ● | ○ | Incorporates poisoned model detection with a partially adaptive client filter. + Tailored to TLFAs in FL-RCC, and maintains low ASR. - Detection misses angles, exclusion lacks adaptation, and remediation is untouched.
FedTrident (Ours) | ● | ● | ● | A joint solution integrating detection, exclusion, and remediation for FL-RCC. + Accurately detects TLFA-poisoned local models. + Adaptively excludes malicious vehicles based on detection results. + Smoothly remediates the corrupted global model after each exclusion. + Resilient to various models, malicious client rates, Non-IID levels, and dynamic attacks.
• ∗ Detection represents poisoned local model detection.
• † Exclusion represents malicious vehicular client exclusion.
• ‡ Remediation represents corrupted global model remediation.

II-C Defensive Mechanisms for FL-RCC
A variety of defenses against generic DPAs in FL have been proposed, yet most overlook the specifics of RCC and TLFAs. Krum [4] first computes the sum of Euclidean distances between each local update and the others, then chooses the update with the smallest summed distance as the one to use for poisoning attack mitigation.
TMean and Median [46] utilize statistics (e.g., mean and median) of model parameters to select several representative local models for aggregation, thus filtering out possibly poisoned models and alleviating attack influence. Based on the assumption that poisoned models are more similar to each other than benign models, FoolsGold [7] calculates the cosine similarity between local models’ output layers and then penalizes more similar contributions to mitigate potential negative attacks. CONTRA [2] likewise relies on cosine similarity to adjust client credibility. FLAME [27] combines differential privacy, model clustering, and weight clipping technologies, improving robustness at the cost of degraded clean accuracy. However, FL-RCC inherently operates in a Non-IID regime: spatially and temporally diverse driving patterns induce substantial variation in local data distributions. This intrinsic heterogeneity blurs the boundary between benign and malicious behavior [6], with poisoned updates remaining indistinguishable, substantially degrading existing RCC defenses. Therefore, fine-grained feature extraction and TLFA-specific detection explicitly robust to such heterogeneity are required.

Recent novel countermeasures against DPAs have focused on mitigating backdoor attacks. Specifically, FreqFed [6] capitalizes on the discrete cosine transform to distinguish malicious updates in the frequency domain, while CrowdGuard [33] analyzes hidden layer outputs and executes iterative pruning. However, these methods are tailored to the specific characteristics of backdoor attacks, wherein adversaries elaborately falsify both the original image data (by adding triggers) and the corresponding labels. As such, they are ill-suited and not directly applicable to our problem, which concerns TLFAs (label-only attacks).

Few defensive mechanisms are designed specifically for vehicular settings. LFGurad [34] introduces a hierarchical FL framework for vehicular networks, classifying malicious models via a multi-class Support Vector Machine (SVM) applied to output-layer activations, evaluated on structured traffic sign classification datasets. RoHFL [51] proposes a robust FL scheme with logarithm-based normalization to mitigate maliciously scaled model parameters. OQFL [45] employs quantum-behaved particle swarm optimization to adapt FL hyperparameters against adversarial attacks in autonomous driving. However, RoHFL and OQFL are primarily evaluated on generic datasets, such as MNIST and Fashion-MNIST, lacking any practical ITS considerations. Moreover, all three methods concentrate on passive, model-level anomaly detection, not considering a proactive mechanism for vehicle-level malicious client exclusion.

The research on malicious client exclusion and corrupted model remediation is also limited. By exploiting the temporal consistency of model updates, FLDetector [49] predicts an expected update for each client based on their history. A client is flagged as malicious and deleted if its update consistently deviates from expectations. However, FLDetector does not perform well in realistic Non-IID settings, particularly with very high benign client variance. FLDetector is also inefficient because it re-trains the global model from scratch, using the remaining clients after the exclusion, a costly approach. UL [43] leverages subtraction of historical updates to remove backdoors from the global model, while using Knowledge Distillation (KD) to maintain high clean accuracy. However, it targets backdoor threats, not TLFAs. PeriRecover [10] precomputes diagonals of the Hessian matrix during the original training phase, and later uses this to estimate the “clean” gradients for periodic recovery. However, PeriRecover requires substantial extra computation and storage costs.

FLARE [21] is part of the state-of-the-art in defending FL-RCC under TLFAs, combining HDBSCAN-based clustering for poisoned model detection with a count-based client filtering rule. However, FLARE provides only moderate protection, leaving a substantial gap between defended and TLFA-free performance. In a no-attack setting, SRE reaches about 80%, whereas under TLFAs with FLARE deployed, SRE still drops to roughly 60%; similarly, ASR increases from around 5% (no attack) to approximately 30%. By contrast, our FedTrident framework (Section V-B) restores both values to the TLFA-free level. DEFEND [22] incorporates model misbehavior detection with partially adaptive client rating, which is the basis of FedTrident; however, its detection only considers magnitudes while missing angles, and its unit rating values are fixed, not fully adaptive. Moreover, from the perspective of defense integrity, neither FLARE nor DEFEND considers corrupted global model remediation. All in all, under TLFAs, no existing proposal uses joint detection, exclusion, and remediation to maintain resilient performance in various scenarios.

TABLE III: The list of key notations used in this paper.
Notation | Meaning
$K$ | The total number of clients/vehicles
$\mathbb{C}$ | The entire client cluster
$E$ | The number of road condition classes
$S$ | The ordered label sequence
$L$ | The output layer of the RCC model
$\mathcal{D}_k$ | The local dataset of client $c_k$
$n_k$ | The number of samples in dataset $\mathcal{D}_k$
$T$ | The total number of FL rounds
$\mathbb{C}^t$ | The participant sub-cluster in round $t$
$M$ | The number of participants in a round
$\omega^t$ | The global model in round $t$
$\omega_k^t$ | The updated local model of client $c_k$ in round $t$
$\eta$ | The learning rate in local training
$q_k$ | The aggregation weight of client $c_k$
$\mathbb{C}^t_{good}$ | The identified good participant sub-cluster in round $t$
$P$ | The number of initialized malicious clients
$f^t$ | The source class in round $t$
$g^t$ | The target class in round $t$
$d_{i,j}$ | The “label distance” between true label $s_i$ and predicted label $s_j$
$n_{i,j}$ | The number of test samples with true label $s_i$ predicted as $s_j$
$f^{t\prime}$ | The identified source class in round $t$
$g^{t\prime}$ | The identified target class in round $t$
$\mathbb{C}^t_{bad}$ | The identified bad participant sub-cluster in round $t$
$SRE^{thr}$ | The threshold of SRE for validation
$ASR^{thr}$ | The threshold of ASR for validation
$r^{max}$ | The maximum rating value
$r^{min}$ | The minimum rating value
$\beta$ | The reward value
$\gamma$ | The penalty value
$B$ | The blacklist

III System Model and Adversary Model
This section describes the system model and adversarial model. For readability, the notations used in this paper are summarized in TABLE III.

III-A System Model
Vehicular Protocols for Secure and Private Communication: We consider an FL-RCC system comprising a trusted server and a large pool of participating vehicular clients, each enrolled through a cloud-based Vehicular Public Key Infrastructure (VPKI) [1, 15].
Vehicles are equipped with short-lived pseudonym certificates [14], i.e., syntactically unlinkable credentials with lifetimes of minutes to hours, providing authenticity, integrity, non-repudiation, and privacy (conditional anonymity with long-term unlinkability). This design is aligned with standardized security and privacy requirements for cooperative ITS and V2X (Vehicle-to-Vehicle/Infrastructure) communications [1, 30, 16]. Misbehavior associated with one or more pseudonyms can be promptly acted upon via pseudonym resolution and revocation mechanisms [17]. During the FL operation, clients use their currently valid pseudonym to establish TLS channels [32] with the server, ensuring the secure and privacy-preserving transmission of model updates.

FL Procedure: Assume a cluster of $K$ clients, $\mathbb{C}=\{c_1,c_2,\dots,c_K\}$, collaboratively training an RCC model. The task comprises $E$ road condition classes, and they form an ordered sequence $S=[s_1,s_2,\dots,s_E]$, where larger indices correspond to more hazardous conditions. The output layer, $L$, of the RCC model thus contains $E$ neurons, $L=[l_1,l_2,\dots,l_E]$. Each client, $c_k$, holds a private dataset $\mathcal{D}_k$ with $n_k$ image–label pairs, where images are captured by on-board cameras and could be labeled via driver feedback or annotation tools [52]. In each FL round $t\le T$, a subset of clients $\mathbb{C}^t\subseteq\mathbb{C}$ with $|\mathbb{C}^t|=M\le K$ is randomly selected for participation. After receiving the current global model $\omega^t$ from the server as its current initialized local model $\omega_k^t$, each participant $c_k\in\mathbb{C}^t$ performs local training on $\mathcal{D}_k$ and obtains an updated model $\omega_k^t$ according to Equation (1),

$$\omega_k^t=\omega_k^t-\eta\,\nabla_{\omega_k^t}\mathcal{L}_k(\omega_k^t,\mathcal{D}_k) \quad (1)$$

where $\eta$ is the learning rate and $\mathcal{L}_k$ denotes the local loss function of client $c_k$ (e.g., cross-entropy). In round $t$, Equation (1) could be executed several times by $c_k$, not just once. If there are no poisoned local models, the server aggregates all received updates to form the newest global model, $\omega^t=\sum_{c_k\in\mathbb{C}^t} q_k^t\,\omega_k^t$, where $q_k^t$ is the aggregation weight of client $c_k$ in round $t$. While FedAvg [26] typically sets $q_k^t$ proportional to $n_k$, we adopt a uniform weighting, $q_k^t=1/|\mathbb{C}^t_{good}|$, to prevent adversaries from inflating their influence via falsified data size claims, where $\mathbb{C}^t_{good}$ is the identified good participant sub-cluster in round $t$. If poisoned models are detected, only benign models will be aggregated as $\omega^t=\sum_{c_k\in\mathbb{C}^t_{good}} q_k\,\omega_k^t$. This procedure is iterated until convergence, and the resulting global model is deployed to autonomous vehicles to support real-time RCC on unseen road surface images.

Figure 2: Overview of FedTrident in FL round $t$: (1) poisoned local model detection based on neuron-wise analysis, (2) malicious vehicular client exclusion based on adaptive rating, and (3) corrupted global model remediation based on machine unlearning.

III-B Adversary Model
Assume $P$ malicious clients are present in the system from the outset, with $P<K/2$. Each adversarial client in round $t$ flips labels from a more hazardous source class $f^t$ to a less hazardous target class $g^t$ (without modifying the input images, and $idx(f^t)>idx(g^t)$), trains its local model on this poisoned dataset, and then submits corrupted updates to the server. Through aggregation, these updates bias the global model so that samples from class $f^t$ are increasingly misclassified as class $g^t$ (e.g., “uneven” misclassified as “smooth”, as illustrated in Fig. 1), thereby causing vehicles to underestimate road risk. This safety-critical and asymmetric degradation is more harmful than uniform accuracy loss from untargeted poisoning, where no specific hazardous misclassification is enforced.
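The server-side part of the FL procedure above (uniform weights $q_k^t=1/|\mathbb{C}^t_{good}|$ over the identified benign sub-cluster) and the adaptive client rating described in the Introduction (rating incremented on a good detection result, decremented on a bad one, exclusion once it falls below a threshold) fit in a few dozen lines. The block below is an added example written for this page, not FedTrident's own code. Detection is taken as given (the set of client ids flagged in a round); the rating constants $r^{max}$, $r^{min}$, $\delta$, $\beta$, $\gamma$ and the exclusion threshold are illustrative values chosen here, not the paper's, and the toy parameter vectors are constructed.

```python
"""Server bookkeeping for one FL round, as an added illustration (not the
paper's code): uniform-weight aggregation over C_good^t plus adaptive client
rating with a blacklist. r_max, r_min, delta, beta, gamma and the exclusion
threshold are illustrative values (assumption)."""
from typing import Dict, Iterable, List, Set

Model = List[float]  # a flattened parameter vector (toy-sized)


def aggregate_uniform(local_models: Dict[str, Model], good: Set[str]) -> Model:
    """omega^t = sum_{c_k in C_good^t} q_k * omega_k^t with q_k = 1 / |C_good^t|.
    Uniform weights ignore client-claimed dataset sizes n_k, so a participant
    cannot inflate its influence by overstating how much data it holds."""
    members = [k for k in local_models if k in good]
    if not members:
        raise ValueError("no benign participant this round; keep the previous global model")
    q = 1.0 / len(members)
    agg = [0.0] * len(local_models[members[0]])
    for k in members:
        for i, w in enumerate(local_models[k]):
            agg[i] += q * w
    return agg


class ClientRater:
    """Adaptive rating: +beta each round a client's local model is judged benign,
    -gamma each round it is judged poisoned, clamped to [r_min, r_max]. Ratings
    start at delta * (r_max - r_min), as in Algorithm 1. A client whose rating
    falls below `threshold` is blacklisted and never selected again."""

    def __init__(self, r_max: float = 10.0, r_min: float = 0.0, delta: float = 0.5,
                 beta: float = 1.0, gamma: float = 2.0, threshold: float = 2.0):
        self.r_max, self.r_min = r_max, r_min
        self.beta, self.gamma, self.threshold = beta, gamma, threshold
        self.init = delta * (r_max - r_min)
        self.rating: Dict[str, float] = {}
        self.blacklist: Set[str] = set()

    def update(self, participants: Iterable[str], bad: Set[str]) -> Set[str]:
        for k in participants:
            r = self.rating.get(k, self.init)
            r = r - self.gamma if k in bad else r + self.beta
            r = max(self.r_min, min(self.r_max, r))  # clamp to [r_min, r_max]
            self.rating[k] = r
            if r < self.threshold:
                self.blacklist.add(k)
        return self.blacklist


def run_round(rater: ClientRater, local_models: Dict[str, Model], bad: Set[str]) -> Model:
    """One round: blacklisted clients are not selected (C - B), models flagged by
    detection are left out of aggregation, and ratings follow the detection result."""
    participants = [k for k in local_models if k not in rater.blacklist]
    good = set(participants) - bad
    new_global = aggregate_uniform({k: local_models[k] for k in participants}, good)
    rater.update(participants, bad)
    return new_global


if __name__ == "__main__":
    # Constructed toy round: c3 is flagged as poisoned every round.
    models = {"c1": [1.0, 1.0], "c2": [3.0, 3.0], "c3": [100.0, 100.0]}
    rater = ClientRater()
    for t in range(1, 4):
        print(t, run_round(rater, models, bad={"c3"}), rater.rating, sorted(rater.blacklist))
```

With the illustrative constants, a client starts at 5.0, so two consecutive bad detections (5.0 → 3.0 → 1.0) push it below the threshold of 2.0 and onto the blacklist, while a single false positive costs only one round's penalty and is recovered by later good rounds; this is the "high confidence" exclusion the paper describes, with the trade-off governed by $\beta$, $\gamma$ and the threshold.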
Note that if $idx(f^t)<idx(g^t)$, the attack goal is traffic efficiency rather than safety, e.g., flipping from actual “smooth” roads to “uneven”. Beyond DEFEND [22], we assume attackers can adopt dynamic strategies, varying the chosen source and/or target classes across FL rounds, aiming to evade detection and undermine defense mechanisms. For example, considering that “water” images are more similar to “wet” images than to “dry” images, attackers can flip from “water” to “wet” at the beginning, then from “water” to “dry”, to bypass defenses and disguise their final target (“dry”). We assume adversaries cannot compromise the trusted server and have no control over the random client selection process, $\mathbb{C}^t$, on the server side. Malicious clients may be introduced gradually as registered entities with valid credentials but with adversarially implemented FL-RCC functionality, or as originally benign clients (vehicles) that are compromised later, e.g., by malware causing them to deviate from the prescribed protocol.

Capturing TLFA Impact on Transportation Safety: Conventional metrics (e.g., SRE and GAC) treat all misclassifications equally, ignoring the asymmetric impact of TLFAs on safety. For example, misclassifying $s_2$ (wet) or $s_6$ (ice) as $s_1$ (dry) is scored identically by standard metrics, although confusing a highly hazardous class $s_6$ (ice) with a benign class $s_1$ (dry) is substantially more dangerous than confusing $s_2$ (wet) with $s_1$ (dry). Similarly, predicting $s_6$ (ice) as $s_4$ (snow) or as $s_1$ (dry) yields the same penalty, despite the latter representing a much more severe underestimation of transportation safety. This motivates a safety-aware metric that incorporates the distance between true and predicted classes in the ordered label space $S$.
Following the idea in FLARE [21], we leverage a weighted label distance $d_{i,j}$ between true label $s_i$ and predicted label $s_j$, defined as Equation (2),

$$d_{i,j}=\left(\frac{e}{2}\right)^{|i-j|} \quad (2)$$

where $e$ is Euler's number. Correct predictions have $d_{i,i}=1$, while larger index gaps yield exponentially higher penalties, reflecting more severe safety violations. $d_{i,j}$ is incorporated into a weighted confusion matrix $X$ with elements $X[i,j]=d_{i,j}\cdot n_{i,j}$, where $n_{i,j}$ is the number of test samples with true label $s_i$ predicted as $s_j$. Based on $X$, GAS is defined as Equation (3),

$$GAS=\frac{\sum_{i=1}^{E} n_{i,i}}{\sum_{i=1}^{E}\sum_{j=1}^{E} d_{i,j}\cdot n_{i,j}} \quad (3)$$

Lower GAS values indicate stronger safety degradation, i.e., more dangerous underestimations. The same weighting principle can be applied to derive TLFA-aware variants of SRE, ASR, and other metrics; we adopt GAS as it aggregates the full distance structure across all $(i,j)$ pairs.

Algorithm 1 Protocol of FedTrident
1: Initialize global model $\omega^0$, blacklist $\mathbb{B}=\emptyset$, $SRE^{old}=0$, $ASR^{old}=1$, and rating value $r_k(0)=\delta(r^{max}-r^{min})$ and $\Delta\omega^0_{k,sum}=0$ for each client $c_k$
2: for each round $t\in[1,T]$ do
3:   $\mathbb{C}^t\leftarrow$ Randomly select $M$ clients from $\mathbb{C}-\mathbb{B}$
4:   The server sends $\omega^{t-1}$ to all clients in $\mathbb{C}^t$
5:   for each client $c_k\in\mathbb{C}^t$ in parallel do
6:     Update local model $\omega^t_k$
7:     Send $\omega^t_k$ back to the server
8:   end for
9:   The server receives $\omega^t_k$ from $\mathbb{C}^t$
10:  for each $\omega^t_k$ the server do
11:    $\Delta^t_{k,L}=\{\omega^t_{k,l}-\omega^{t-1}_l \mid l\in L\}$ ⊳ Parameter changes
12:    Calculate $\ell_2$-norm magnitudes $\|\Delta^t_{k,l}\|_2$ for $l\in L$
13:  end for
14:  $\{\|\Delta^t_{l_1}\|_2,\dots,\|\Delta^t_{l_E}\|_2\}\leftarrow$ Neuron-wise magnitudes
15:  $\{\|S^t_{l_1}\|_2,\dots,\|S^t_{l_E}\|_2\}\leftarrow$ Combine angles
16:  $f^{t\prime},g^{t\prime}\leftarrow$ Top-2$(\{\|S^t_{l_1}\|_2,\dots,\|S^t_{l_E}\|_2\})$ ⊳ $f^{t\prime}<g^{t\prime}$
17:  $U^t\leftarrow\{\Delta^t_{k,l}\mid c_k\in\mathbb{C}^t,\ l\in\{f^{t\prime},g^{t\prime}\}\}$
18:  $\mathbb{C}^t_{good},\mathbb{C}^t_{bad}$ = GMM$(U^t)$ ⊳ Detection
19:  $\omega^t$ = Aggregate$(\{\omega^t_k\mid c_k\in\mathbb{C}^t_{good}\})$
20:  for each $\omega^t_k$ ($c_k\in\mathbb{C}^t_{good}$) the server do
21:    $\Delta\omega^t_{k,sum}=\Delta\omega^{t-1}_{k,sum}+(\omega^t_k-\omega^{t-1})$
22:  end for
23:  $SRE^{new},ASR^{new}\leftarrow$ Validate$(\omega^t)$
24:  $\Delta SRE/ASR=SRE/ASR^{new}-SRE/ASR^{old}$
25:  if $\Delta SRE<SRE^{thr}$ or $\Delta ASR>ASR^{thr}$ then
26:    $\omega^t=\omega^{t-1}$
27:  end if
28:  $SRE^{old}=SRE^{new}$, $ASR^{old}=ASR^{new}$
29:  for $c_k\in\mathbb{C}^t$ the server do
30:    if $c_k\in\mathbb{C}^t_{bad}$ then
31:      $r_k(t)=\max\{r_k(t-1)-\gamma_k^t,\ r^{min}\}$
32:      if $r_k(t)\le r^{min}$ and $c_k\notin\mathbb{B}$ then
33:        Add $c_k$ to $\mathbb{B}$ ⊳ Exclusion
34:        $\omega^t=\omega^t-\frac{1}{M}\Delta\omega^t_{k,sum}$ ⊳ Remediation
35:      end if
36:    else
37:      $r_k(t)=\min\{r_k(t-1)+\beta_k^t,\ r^{max}\}$
38:    end if
39:  end for
40: end for
41: return $\omega^T$

IV FedTrident: Our Scheme

In this section, we introduce our proposed FedTrident: a poisoned local model detection, malicious vehicular client exclusion, and corrupted global model remediation mechanism for FL-RCC. Fig. 2 illustrates the overall workflow of FedTrident in each round.

IV-A Scheme Overview

The overall protocol is described in Algorithm 1. Line 1 initializes a client blacklist $\mathbb{B}$, an old SRE value, an old ASR value, and for each client $c_k$ a rating value $r_k(0)$. Lines 2-8 randomly select clients not in the blacklist to execute local model training and upload it in each round, protected by the security and privacy protocols described in the system model, such as pseudonym certificates and authenticated TLS. Lines 9-16 analyze neuron-wise magnitudes and angles regarding the output layer $L$ to identify the source and target classes as $f^{t\prime}$ and $g^{t\prime}$. Lines 17-18 detect poisoned models via a Gaussian Mixture Model (GMM) based on $U^t$: the value changes of the parameters connected to $f^{t\prime}$ and $g^{t\prime}$.
Line 19 forms a new global model $\omega^t$ by aggregating only the good models. Lines 20-22 update the accumulated historical contribution $\Delta\omega^t_{k,sum}$ for each good client. Lines 23-28 validate the new global model $\omega^t$ based on the SRE and ASR values to decide whether to accept or discard it. Lines 29-39 update the rating values $r_k(t)$ and the blacklist $\mathbb{B}$ to exclude malicious clients. Each of the detected outliers in $\mathbb{C}^t_{out}$ sends model parameters over each of the secure channels in a non-repudiable manner. Given the use of a valid pseudonym (contributions of a given client are anonymized, yet they can be linked to each other across FL rounds), the client rating can be reduced, so that a client deemed malicious can be excluded from future FL processes, while a client's participation in different FL executions remains unlinkable. Line 34 remediates the corrupted global model after exclusion.

IV-B Poisoned Local Model Detection

Intuition: The detection module builds on the observation [12] that the model parameters directly connected to the source and target neurons exhibit the most pronounced discrepancies between benign and TLFA-poisoned updates. Intuitively, adversarial clients pursuing targeted label flipping optimize objectives that conflict with honest training, and this conflict is primarily captured by these neuron-adjacent parameters. Consequently, FedTrident detects TLFAs more efficiently by concentrating on this critical subset, rather than relying on the entire model (e.g., TMean [46]) or the full output layer (e.g., FoolsGold [7]). Using the dimension reduction method Uniform Manifold Approximation and Projection (UMAP) [25], Fig. 3 illustrates that features derived from these neuron-wise parameters provide clearer separation between poisoned and benign models compared to alternative feature choices. Fig. 4 depicts the detailed workflow of poisoned local model detection in round $t$.
Figure 3: Comparison of poisoned and benign models based on three kinds of features: (A) whole model parameters, (B) output layer parameters, and (C) neuron-wise parameters (with two more distinctive clusters).

Feature Extraction: Thus, in each FL round $t$ and for each output neuron $l\in L$, we define the client-specific parameter difference as Equation (4),

$$\Delta^t_{k,l}=\omega^t_{k,l}-\omega^{t-1}_l \quad (4)$$

where $\omega^t_{k,l}$ and $\omega^{t-1}_l$ are the parameters associated with output neuron $l$ in the local and global models, respectively. We then compute the $\ell_2$-norm (magnitude) of $\Delta^t_{k,l}$ as Equation (5),

$$\|\Delta^t_{k,l}\|_2=\sqrt{\sum_{i=1}^{d_l}\left(\Delta^t_{k,l,i}\right)^2},\quad c_k\in\mathbb{C}^t;\ l\in L \quad (5)$$

where $d_l$ is the number of parameters associated with output neuron $l$. To identify the neurons most impacted by TLFAs, we first aggregate the magnitudes over all participating clients for each output neuron according to Equation (6).

$$\|\Delta^t_l\|_2=\sum_{c_k\in\mathbb{C}^t}\|\Delta^t_{k,l}\|_2,\quad l\in L \quad (6)$$

Then, we compute the consensus direction (mean vector) for neuron $l$ as $\mu^t_l=\frac{1}{|\mathbb{C}^t|}\sum_{c_k\in\mathbb{C}^t}\Delta^t_{k,l}$. After that, we measure the angular inconsistency $I^t_l$ by calculating the average cosine similarity between each client's update and the consensus direction, as shown in Equation (7).

$$I^t_l=1-\frac{1}{|\mathbb{C}^t|}\sum_{c_k\in\mathbb{C}^t}\frac{\Delta^t_{k,l}\cdot\mu^t_l}{\|\Delta^t_{k,l}\|_2\,\|\mu^t_l\|_2} \quad (7)$$

If the mean update vector is effectively zero ($\|\mu^t_l\|_2\approx 0$), $I^t_l$ is set to 0. A larger $I^t_l$ indicates a higher degree of directional disagreement among clients, which is a strong footprint of targeted poisoning attacks. Finally, we compute a combined score $S^t_l$ that weights the accumulated magnitude by the angular inconsistency, as defined in Equation (8).
$$S^t_l=\|\Delta^t_l\|_2\times(1+I^t_l) \quad (8)$$

The two neurons with the highest combined scores $S^t_l$, denoted as $f^{t\prime}$ and $g^{t\prime}$, are selected, with $idx(f^{t\prime})<idx(g^{t\prime})$, and they are interpreted as the source and target neurons in round $t$, respectively. Next, we focus on the parameters directly connected to these two neurons, which are expected to encode the strongest attack footprint. Specifically, we construct the feature set $U^t$ according to Equation (9).

$$U^t=\{\Delta^t_{k,l}\mid c_k\in\mathbb{C}^t,\ l\in\{f^{t\prime},g^{t\prime}\}\} \quad (9)$$

Figure 4: Workflow of poisoned local model detection in round $t$. Steps (1) and (4) extract neuron-wise features and are executed in parallel for each local model. Steps (2) and (3) identify source and target neurons in TLFAs. Step (5) executes the local model clustering based on GMM. Output layer parameters are marked in blue, while identified source and target neuron parameters are marked in red.

Clustering and Filtering: We feed the TLFA-specific features $U^t$ into a Gaussian Mixture Model (GMM) to partition client updates into two clusters, interpreted as one benign cluster $\mathbb{C}^t_{good}$ and one poisoned cluster $\mathbb{C}^t_{bad}$. Unlike hard clustering approaches, such as KMeans [12] and HDBSCAN [21], GMM provides soft probabilistic assignments, avoiding brittle decision boundaries and better accommodating heterogeneity in client data and training dynamics (we consider this issue in both feature extraction and cluster algorithm design to ensure high detection accuracy). When the separation between benign and poisoned updates is ambiguous, GMM models the underlying parameter distributions to explicitly represent uncertainty, leading to more stable and calibrated detection. Following the empirical evidence in [12] and the visualization in Fig. 3, the denser cluster is identified as the poisoned cluster, and its corresponding local models are discarded prior to global aggregation.
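As an added example (not the paper's or project's code), the following pure-Python implementation carries the detection stage of Fig. 4 through Equations (4)-(9) on one constructed round of six toy clients and then clusters the resulting features with a two-component spherical GMM fitted by EM, labelling the denser cluster as poisoned. The toy parameter values, the spherical-covariance choice and the EM initialisation are assumptions, not taken from the paper.

```python
import math
import random

# Constructed toy setting (not the paper's data): E = 3 output neurons,
# d_l = 4 parameters per neuron, M = 6 participants; clients 4 and 5 are poisoned.
E, D_L, M = 3, 4, 6


def l2(v):
    """Eq. (5): l2-norm of a parameter-difference vector."""
    return math.sqrt(sum(x * x for x in v))


def neuron_deltas(local, global_prev):
    """Eq. (4): Delta_{k,l} = omega_{k,l}^t - omega_l^{t-1} for every output neuron l."""
    return [[a - b for a, b in zip(local[l], global_prev[l])] for l in range(E)]


def neuron_scores(deltas):
    """Eqs. (6)-(8). deltas[k][l] is client k's difference vector for neuron l.
    Returns (combined scores S_l, angular inconsistencies I_l)."""
    m = len(deltas)
    scores, incons = [], []
    for l in range(E):
        vecs = [deltas[k][l] for k in range(m)]
        magnitude = sum(l2(v) for v in vecs)                      # Eq. (6)
        mu = [sum(v[i] for v in vecs) / m for i in range(D_L)]    # consensus direction
        if l2(mu) < 1e-12:
            inc = 0.0                                             # degenerate mean: I_l = 0
        else:
            cos = [sum(a * b for a, b in zip(v, mu)) / (l2(v) * l2(mu))
                   for v in vecs if l2(v) > 1e-12]
            inc = 1.0 - sum(cos) / m                              # Eq. (7)
        incons.append(inc)
        scores.append(magnitude * (1.0 + inc))                    # Eq. (8)
    return scores, incons


def source_target(scores):
    """Top-2 neurons by S_l, returned as (f', g') with idx(f') < idx(g') as in Alg. 1 line 16."""
    top2 = sorted(range(E), key=lambda l: scores[l], reverse=True)[:2]
    return min(top2), max(top2)


def feature_set(deltas, f, g):
    """Eq. (9): one feature row per client, the deltas of the two selected neurons concatenated."""
    return [deltas[k][f] + deltas[k][g] for k in range(len(deltas))]


def gmm_two_clusters(rows, iters=50):
    """Two-component spherical GMM fitted by EM (the covariance form is an assumption; the
    paper does not fix it). The denser cluster (smaller variance) is treated as poisoned,
    following the paper's rule. Returns (good_ids, bad_ids)."""
    n, d = len(rows), len(rows[0])
    dist = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b))
    i0, j0 = max(((i, j) for i in range(n) for j in range(i + 1, n)),
                 key=lambda p: dist(rows[p[0]], rows[p[1]]))   # init means: two farthest rows
    mu, var, pi = [rows[i0][:], rows[j0][:]], [1.0, 1.0], [0.5, 0.5]
    for _ in range(iters):
        resp = []                                                 # E-step: responsibilities
        for r in rows:
            logp = [math.log(pi[c]) - 0.5 * d * math.log(2 * math.pi * var[c])
                    - dist(r, mu[c]) / (2 * var[c]) for c in range(2)]
            mx = max(logp)
            w = [math.exp(lp - mx) for lp in logp]
            resp.append([x / sum(w) for x in w])
        for c in range(2):                                        # M-step: weights, means, variances
            nc = sum(rr[c] for rr in resp) + 1e-12
            mu[c] = [sum(rr[c] * r[i] for rr, r in zip(resp, rows)) / nc for i in range(d)]
            var[c] = max(sum(rr[c] * dist(r, mu[c]) for rr, r in zip(resp, rows)) / (nc * d), 1e-6)
            pi[c] = nc / n
    bad_c = 0 if var[0] < var[1] else 1
    labels = [0 if rr[0] >= rr[1] else 1 for rr in resp]
    return ([k for k, c in enumerate(labels) if c != bad_c],
            [k for k, c in enumerate(labels) if c == bad_c])


def detect(global_prev, locals_):
    """Per-round detection (Fig. 4): features, source/target neurons, GMM filtering."""
    deltas = [neuron_deltas(w, global_prev) for w in locals_]
    scores, _ = neuron_scores(deltas)
    f, g = source_target(scores)
    good, bad = gmm_two_clusters(feature_set(deltas, f, g))
    return (f, g), good, bad


def make_round(seed=7):
    """Constructed sample round. Honest clients drift every neuron by about +0.10 with noise;
    poisoned clients push the source neuron (index 2) down and the target neuron (index 0)
    up with almost no noise, so their updates form the denser cluster."""
    rng = random.Random(seed)
    global_prev = [[0.0] * D_L for _ in range(E)]
    locals_ = []
    for k in range(M):
        poisoned = k >= M - 2
        model = []
        for l in range(E):
            base, jitter = {(True, 2): (-0.30, 0.005), (True, 0): (0.30, 0.005)}.get(
                (poisoned, l), (0.10, 0.04))
            model.append([base + rng.uniform(-jitter, jitter) for _ in range(D_L)])
        locals_.append(model)
    return global_prev, locals_
```

On the constructed round, `detect(*make_round())` selects neurons 0 and 2 (the poisoned pair), because neuron 2 combines high accumulated magnitude with a large angular inconsistency, and the GMM places clients 4 and 5 in the denser, poisoned cluster.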
Model Validation: As the source and target classes (i.e., the TLFA objective) in each round are inferred via neuron-wise analysis, we can further leverage such information to consistently track the robustness of the global model over training, using two critical metrics, SRE and ASR. If SRE decreases or ASR increases beyond the predefined thresholds $SRE^{thr}$ or $ASR^{thr}$, compared to the previous round, the current global model is regarded as potentially compromised and is discarded. This validation step is optional and intended for deployments that can sustain additional computational overhead. Even without this independent validation, FedTrident remains effective in detecting poisoned models through its clustering-based filtering mechanism.

IV-C Malicious Vehicular Client Exclusion

To mitigate the long-term impact of persistent adversaries on the global model, FedTrident maintains a rating score $r_k\in[r^{min},r^{max}]$ for each vehicular client $c_k$ based on the previous detection results. The score is updated at each round $t$ according to Equation (10),

$$r_k(t)=\begin{cases}\min\{r_k(t-1)+\beta_k^t,\ r^{max}\}, & \text{if } \omega_k^t \text{ good}\\ \max\{r_k(t-1)-\gamma_k^t,\ r^{min}\}, & \text{if } \omega_k^t \text{ bad}\end{cases} \quad (10)$$

where $\beta_k^t,\gamma_k^t\in(0,r^{max}]$ are values controlling the reward and penalty steps, respectively. By default, $\beta_k^t$ and $\gamma_k^t$ are constants, but they can also be adaptive, e.g., stage-wise. Under this adaptive mechanism, $r_k$ decreases when $c_k$'s updates are detected as poisoned in round $t$ and increases when they are deemed benign. By aggregating evidence over rounds, the scheme is robust to occasional detection noise or benign anomalies (e.g., limited local data and stochastic training variance), avoiding premature permanent exclusion.
Once $r_k$ falls below $r^{min}$, client $c_k$ is labeled malicious with high confidence and added to the blacklist $\mathbb{B}$, thus removed from subsequent client selection, preventing sustained poisoning of the training process. This cumulative scoring reduces false positives while maintaining high sensitivity to persistent adversarial behavior. As mentioned in the system model, we leverage standardized V2X security and privacy protocols in FedTrident, notably VPKI and pseudonyms, to ensure unlinkability, authenticity, and non-repudiation. With these V2X protocols, FedTrident can smoothly implement the malicious vehicular client exclusion strategy after the poisoned local model detection strategy.

IV-D Corrupted Global Model Remediation

The exclusion of a malicious client $c_a$ in round $T_{c_a}$ is not sufficient to remove its influence from the final global model $\omega^T$; the historical updates $\Delta\omega^t_{c_a}$ contributed by $c_a$ over rounds $t\in[1,T_{c_a}]$ should also be eliminated. In each round $t$, the global model $\omega^t$ can be seen as $\omega^{t-1}$ updated with the aggregated contribution from all participating clients. Let $\Delta\omega^t$ denote this aggregated update; then, the final global model can be expressed as the composition of the initial model $\omega^0$ and the sequence of updates from round 1 to $T$. The direct strategy is to reconstruct an “unlearned” model by removing attacker $c_a$'s updates from the training trajectory. Due to the incremental nature of FL, each global model $\omega^t$ affects subsequent local training and aggregation. To analyze this dependency, we introduce $\varepsilon_t$ as a correction term at round $t$. If a constant number of clients, $M$, is involved in aggregation in each round, the initial approximation that excludes malicious client $c_a$'s contributions can be written as Equation (11).
$$\omega^{T_{c_a}\prime}=\omega^0+\frac{M}{M-1}\sum_{t=1}^{T_{c_a}}\Delta\omega^t-\frac{1}{M-1}\sum_{t=1}^{T_{c_a}}\Delta\omega^t_{c_a}+\sum_{t=1}^{T_{c_a}}\varepsilon_t \quad (11)$$

If $M$ is large, the factor $\frac{M}{M-1}$ on the aggregated updates $\Delta\omega^t$ is close to 1 and can be neglected. The accumulated corrections $\varepsilon_t$ are also smaller if unlearning takes place at the early round $T_{c_a}$ rather than at the final round $T$. Hence, the unlearning procedure can be simplified and approximated as Equation (12), where $\Delta\omega^t_{c_a}=0$ if $c_a\notin\mathbb{C}^t$ (not selected as a participant in round $t$) or $c_a\in\mathbb{C}^t_{bad}$ (selected as a participant in round $t$ but having its contribution(s) filtered out of aggregation).

$$\omega^{T_{c_a}\prime}=\omega^{T_{c_a}}-\sum_{t=1}^{T_{c_a}}\frac{1}{|\mathbb{C}^t_{good}|}\Delta\omega^t_{c_a} \quad (12)$$

Equation (12) requires storing $\Delta\omega^t_{c_a}$ separately in every round $t$, as $|\mathbb{C}^t_{good}|$ varies over rounds. To further reduce complexity, we simplify Equation (12) as Equation (13),

$$\omega^{T_{c_a}\prime}=\omega^{T_{c_a}}-\frac{1}{M_{c_a}}\sum_{t=1}^{T_{c_a}}\Delta\omega^t_{c_a} \quad (13)$$

where $M_{c_a}$ is the average of $|\mathbb{C}^t_{good}|$ over those rounds $t$ with $c_a\in\mathbb{C}^t_{good}$. In this way, only the accumulated historical update, $\Delta\omega^t_{k,sum}=\Delta\omega^{t-1}_{k,sum}+(\omega^t_k-\omega^{t-1})$, is stored for each client, instead of every individual raw update $\Delta\omega^t_k=\omega^t_k-\omega^{t-1}$. Hence, Equation (13) can be rewritten as Equation (14).

$$\omega^{T_{c_a}\prime}=\omega^{T_{c_a}}-\frac{1}{M_{c_a}}\Delta\omega^{T_{c_a}}_{c_a,sum} \quad (14)$$

In this way, we effectively and efficiently subtract the historical averaged contributions of attacker $c_a$ from the global model $\omega^{T_{c_a}}$ to suppress its influence.

IV-E Complexity Analysis

Let $d_w$, $d_o$, and $d_e$ denote the dimensionalities of the full DNN model, the output layer, and a single output neuron, respectively. In each round, the computational cost of FedTrident consists of:
1. $O(Md_o)$ to compute output-layer parameter deviations for $M$ clients;
2. $O(MEd_e)$ to calculate neuron-wise scores for $E$ output neurons across $M$ clients;
3. $O(E\log E)$ to recognize the source and target neurons from the $E$ candidates;
4. $O(Md_e)$ to perform GMM-based clustering on the neuron-wise features of $M$ clients;
5. $O(M)$ to update the blacklist $\mathbb{B}$, rating scores $r_k$, and accumulated historical updates $\Delta\omega^t_{k,sum}$ involving $M$ clients.

Given $d_w\gg d_o\gg d_e$ and $E$ bounded by the number of classes, the dominant term is $O(Md_o)$, yielding the overall per-round complexity of FedTrident as $O(Md_o)$, which is the same as the state-of-the-art methods FLARE [21] and DEFEND [22]. In contrast, defenses operating on the full model or on pairwise client relations incur substantially higher costs, e.g., Median with $O(M\log(Md_w))$, Trimmed Mean (TMean) with $O(M\log(Pd_w))$, Krum with $O(M^2d_w)$, and FoolsGold with $O(M^2d_o)$. Therefore, FedTrident is computationally efficient.

IV-F Advantage Analysis

The neuron-wise analysis can identify the attack goal of TLFAs, even if dynamic adversaries change their goals during the training. FedTrident takes full advantage of such information for critical feature extraction and model validation in each round, thus maximizing its mitigation effect. Moreover, our scheme readily generalizes to DNN-based autonomous driving tasks beyond RCC, as the proposed neuron-wise analysis targets TLFAs at the output layer and is agnostic to the underlying classification semantics. Consequently, it can be applied to any DNN architecture that defines source–target label relationships.
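Putting Sections IV-C and IV-D together, the following added example (not the paper's code) runs the server-side bookkeeping of Algorithm 1 lines 19-39 on a constructed four-client scenario, using the rating constants the evaluation settings give ($r_k(0)=0.80$, $\beta_k^t=0.05$, $\gamma_k^t=0.15\times NC_k^t$). The three-parameter toy models, the detection schedule (attacker undetected for two rounds, flagged afterwards) and the reset of $NC_k^t$ on a benign verdict are assumptions.

```python
# Added example (not the paper's code): server-side rating, exclusion and remediation.
R_MAX, R_MIN, BETA = 1.00, 0.00, 0.05   # r^max, r^min, beta_k^t from the evaluation settings
GAMMA_STEP = 0.15                       # gamma_k^t = 0.15 x NC_k^t (same source)


def vadd(u, v): return [a + b for a, b in zip(u, v)]
def vsub(u, v): return [a - b for a, b in zip(u, v)]
def vscale(u, s): return [a * s for a in u]


class ClientRecord:
    """Per-client state the server keeps: rating r_k, consecutive-detection count NC_k,
    accumulated update Delta_omega_{k,sum} (Alg. 1 line 21) and the |C_good| sizes of the
    rounds in which the client's update was accepted (to form M_{c_a} of Eq. 13)."""

    def __init__(self, dim, r0=0.80):
        self.rating, self.nc, self.blacklisted = r0, 0, False
        self.delta_sum, self.good_sizes = [0.0] * dim, []


def rate(rec, flagged_bad):
    """Eq. (10) with the adaptive penalty. Assumption: NC_k resets on a benign verdict.
    Returns True when the client must be blacklisted this round (Alg. 1 line 32)."""
    if flagged_bad:
        rec.nc += 1
        rec.rating = round(max(rec.rating - GAMMA_STEP * rec.nc, R_MIN), 6)
        return rec.rating <= R_MIN and not rec.blacklisted
    rec.nc = 0
    rec.rating = round(min(rec.rating + BETA, R_MAX), 6)
    return False


def server_round(omega_prev, locals_, bad_ids, records):
    """Alg. 1 lines 19-39 for one round, given the detector's verdict bad_ids.
    locals_ maps client id -> local model (list of floats). Returns the new global model."""
    good = [k for k in locals_ if k not in bad_ids]
    omega = [0.0] * len(omega_prev)
    for k in good:                                   # line 19: uniform weights 1/|C_good|
        omega = vadd(omega, vscale(locals_[k], 1.0 / len(good)))
    for k in good:                                   # lines 20-22: accumulate contributions
        records[k].delta_sum = vadd(records[k].delta_sum, vsub(locals_[k], omega_prev))
        records[k].good_sizes.append(len(good))
    for k in locals_:                                # lines 29-39: ratings and exclusion
        if rate(records[k], k in bad_ids):
            records[k].blacklisted = True
            sizes = records[k].good_sizes
            m_ca = sum(sizes) / len(sizes) if sizes else 1.0   # M_{c_a}: mean |C_good| while accepted
            omega = vsub(omega, vscale(records[k].delta_sum, 1.0 / m_ca))   # Eq. (14)
    return omega


def simulate(rounds=5, detected_from=3):
    """Constructed scenario: clients 0-2 are honest and move every parameter by +0.1 per round;
    client 3 is the attacker and pushes [+0.5, -0.5, 0]. All non-blacklisted clients take part
    each round. The attacker evades detection until round detected_from, then is flagged every
    round. Returns (final global model, attacker rating trace, exclusion round or None)."""
    honest, attack = [0.1, 0.1, 0.1], [0.5, -0.5, 0.0]
    records = {k: ClientRecord(3) for k in range(4)}
    omega, trace, excluded_at = [0.0, 0.0, 0.0], [], None
    for t in range(1, rounds + 1):
        participants = [k for k in range(4) if not records[k].blacklisted]
        locals_ = {k: vadd(omega, attack if k == 3 else honest) for k in participants}
        bad_ids = {3} if (3 in participants and t >= detected_from) else set()
        omega = server_round(omega, locals_, bad_ids, records)
        trace.append(records[3].rating)
        if excluded_at is None and records[3].blacklisted:
            excluded_at = t
    return omega, trace, excluded_at
```

With these settings the attacker's rating runs 0.85, 0.90, 0.75, 0.45, 0.00 and it is blacklisted in round 5; remediation removes its two accepted updates and leaves every parameter at 0.45, against 0.50 for an attack-free run, the residual being the $\frac{M}{M-1}$ factor that Equation (11) neglects.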
Finally, poisoned local model detection, malicious vehicular client exclusion, and corrupted global model remediation operate as an integrated, mutually reinforcing pipeline: 1) the detection module provides round-wise, neuron-wise evidence of poisoned models; 2) the exclusion module aggregates these outcomes over time to isolate persistently malicious clients; and 3) the remediation module leverages both exclusion signals and historical contributions to repair compromised global models. Together, they ensure immediate attack suppression, long-term adversary containment, and final model integrity, forming a coherent FedTrident framework rather than three isolated modules.

V Evaluation

V-A Experimental Settings

We simulate an FL-RCC system with one server and $K=100$ vehicular clients implemented in PyTorch, running on an NVIDIA A100 Tensor Core GPU (40 GB) and an Ice Lake CPU (16 cores, 128 GB RAM). We also utilize an edge device suitable for vehicles, NVIDIA Jetson Orin Nano (1024-core Ampere GPU, 6-core Arm Cortex-A78AE CPU, and 8 GB LPDDR5 RAM), to conduct real-world benchmarking experiments. In each round, the server randomly selects 20 clients (20% participation), requesting them to perform local training. The default training configurations are listed in TABLE IV, and we build upon the FL framework of [37] (https://github.com/git-disl/DataPoisoning_FL).

TABLE IV: Default training configurations used in this paper.

| Term | Value |
|---|---|
| Loss Function | Cross-Entropy |
| Batch Size | 64 |
| Learning Rate (LR) | 0.03 |
| Momentum for LR | 0.5 |
| Optimizer | SGD |
| Local Epoch | 3 |
| Total Round | 60 |

Figure 5: Image examples of the RSCD dataset: (A) Friction level, (B) Material level, and (C) Unevenness level.

Figure 6: Local data distribution of 100 clients generated using the Dirichlet distribution with different $\alpha$ values based on the RCC @ Friction dataset.

V-A1 RCC Datasets and Tasks

We utilize the Road Surface Classification Dataset (RSCD) (https://thu-rsxd.com/rscd/) for our evaluation.
It contains 1 million real-world samples captured by vehicle-mounted cameras. We resize each image ($360\times240\times3$) to $224\times224\times3$ for efficiency. We create four data subsets; three of them are for three crucial RCC tasks, each a classification on a specific dimension, and the last one involves all three RCC tasks, representing a more complicated situation:
• RCC @ Friction, which contains 58,800 training samples, 14,550 testing samples, and 6 labels (dry, wet, water, fresh-snow, melted-snow, and ice);
• RCC @ Material, which includes 57,000 training images and 15,000 testing images with 4 categories (asphalt, concrete, mud, and gravel);
• RCC @ Unevenness, which consists of 57,542 training pictures and 18,000 testing pictures labeled smooth, slight-uneven, or severe-uneven; and
• RCC @ All, which comprises 54,000 training examples, 16,200 testing examples, and in total 27 classes.

TABLE V: Summary of practical model information with both Jetson and A100, for the Friction task.

| Device Type | Model Type | Params (FP32, MB) | Inference Latency (ms) | Memory (Peak, MB) |
|---|---|---|---|---|
| Jetson | ResNet-18 | 42.65 | 9.93 | 60.97 |
| Jetson | ResNet-34 | 81.21 | 16.43 | 101.07 |
| Jetson | MobileNet-V3 | 5.81 | 17.26 | 16.53 |
| Jetson | EfficientNet-B1 | 24.88 | 38.14 | 43.87 |
| Jetson | DenseNet-121 | 26.55 | 50.79 | 45.24 |
| Jetson | DeiT-Tiny | 21.08 | 15.69 | 32.10 |
| A100 | ResNet-18 | 42.65 | 2.18 | 82.77 |
| A100 | ResNet-34 | 81.21 | 4.03 | 165.52 |
| A100 | MobileNet-V3 | 5.81 | 4.36 | 120.95 |
| A100 | EfficientNet-B1 | 24.88 | 9.62 | 72.54 |
| A100 | DenseNet-121 | 26.55 | 13.24 | 93.82 |
| A100 | DeiT-Tiny | 21.08 | 4.21 | 32.10 |

Similar to the literature, e.g., [12], this paper adopts the Dirichlet distribution to create Non-IID training data for each client. As illustrated in Fig. 6, a lower IID level $\alpha$ in the Dirichlet distribution represents a more heterogeneous data distribution ($\alpha=+\infty$ for IID); the default $\alpha$ is 1.0 in the experiments. By default, 30 of the 100 preselected clients are malicious (30% malicious client rate).
If included in the FL process, they execute the TLFAs by shifting the labels in their training datasets 1) from water to dry for Friction; 2) from gravel to asphalt for Material; 3) from severe-uneven to smooth for Unevenness; and 4) from wet-mud to dry-asphalt-smooth for RCC @ All. Testing datasets remain unchanged during training and are only used for inference.

TABLE VI: Overall results within default configurations on three RCC tasks. All values are ratios in %.

| Model Type | Method | Friction SRE↑ | Friction ASR↓ | Friction GAC↑ | Friction GAS↑ | Material SRE↑ | Material ASR↓ | Material GAC↑ | Material GAS↑ | Unevenness SRE↑ | Unevenness ASR↓ | Unevenness GAC↑ | Unevenness GAS↑ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ResNet-18 [8] | FedAvg-NA‡ [26] | 72.28 | 5.84 | 85.26 | 75.27 | 82.24 | 3.07 | 80.36 | 71.84 | 67.90 | 9.93 | 74.65 | 66.65 |
| ResNet-18 [8] | FedAvg [26] | 44.88 | 30.85 | 72.83 | 63.23 | 35.49 | 44.13 | 70.17 | 62.19 | 46.74 | 50.34 | 69.14 | 60.49 |
| ResNet-18 [8] | Krum [4] | 48.89 | 22.92 | 81.44 | 66.93 | 23.09 | 21.84 | 58.87 | 48.66 | 45.70 | 53.38 | 48.54 | 39.93 |
| ResNet-18 [8] | TMean [46] | 45.84 | 18.48 | 80.78 | 68.54 | 34.27 | 40.43 | 55.75 | 47.80 | 44.37 | 25.23 | 52.65 | 45.72 |
| ResNet-18 [8] | Median [46] | 48.44 | 22.52 | 81.56 | 68.43 | 46.85 | 25.07 | 73.87 | 64.89 | 47.33 | 34.55 | 65.45 | 58.19 |
| ResNet-18 [8] | FoolsGold [7] | 50.64 | 15.56 | 81.64 | 70.46 | 42.53 | 35.20 | 72.53 | 63.26 | 49.35 | 26.33 | 70.71 | 60.83 |
| ResNet-18 [8] | FLAME [27] | 51.20 | 21.28 | 63.32 | 55.92 | 40.66 | 45.20 | 52.51 | 43.20 | 16.29 | 69.52 | 41.36 | 34.34 |
| ResNet-18 [8] | FLARE [21] | 61.72 | 14.64 | 82.80 | 72.19 | 64.08 | 14.69 | 77.09 | 68.92 | 55.13 | 28.13 | 67.98 | 60.02 |
| ResNet-18 [8] | DEFEND [22] | 74.20† | 2.84† | 84.93† | 72.76† | 80.11† | 2.88† | 78.61† | 69.43† | 79.85† | 7.32† | 73.71† | 62.33† |
| ResNet-18 [8] | FedTrident (Ours) | **88.04**∗ | **1.72** | **85.16** | **75.12** | **87.47** | **1.89** | **79.77** | **71.76** | **80.17** | **5.68** | **74.16** | **67.21** |
| ResNet-34 [8] | FedAvg-NA | 72.12 | 4.84 | 85.74 | 79.15 | 83.92 | 3.07 | 80.58 | 73.46 | 68.72 | 5.87 | 76.01 | 69.18 |
| ResNet-34 [8] | FedAvg | 14.92 | 56.96 | 76.49 | 70.41 | 33.65 | 41.44 | 70.59 | 62.78 | 31.00 | 40.62 | 63.43 | 57.39 |
| ResNet-34 [8] | Krum | 23.76 | 38.92 | 66.56 | 55.66 | 45.28 | 23.47 | 65.00 | 55.21 | 16.13 | 34.28 | 55.14 | 49.66 |
| ResNet-34 [8] | TMean | 25.32 | 44.76 | 76.00 | 68.03 | 42.77 | 32.37 | 71.15 | 62.85 | 36.75 | 28.05 | 65.07 | 58.63 |
| ResNet-34 [8] | Median | 38.20 | 26.68 | 80.27 | 73.57 | 47.28 | 25.04 | 74.68 | 66.60 | 17.93 | 33.03 | 61.93 | 57.21 |
| ResNet-34 [8] | FoolsGold | 43.84 | 35.96 | 80.84 | 73.55 | 44.48 | 28.08 | 74.39 | 66.35 | 34.18 | 29.20 | 66.94 | 60.83 |
| ResNet-34 [8] | FLAME | 41.28 | 28.18 | 62.23 | 57.46 | 27.57 | 23.80 | 59.03 | 51.74 | 61.85† | 12.28† | 62.11 | 53.03 |
| ResNet-34 [8] | FLARE | 57.40 | 20.36 | 82.99 | 75.37 | 57.63 | 23.63 | 75.39 | 66.20 | 50.40 | 17.38 | 68.97 | 62.42 |
| ResNet-34 [8] | DEFEND | 60.96† | 7.64† | 83.18† | 75.82† | 67.92† | 11.20† | 75.59† | 67.64† | 60.55 | 14.73 | 70.03† | 63.98† |
| ResNet-34 [8] | FedTrident (Ours) | **69.28** | **2.36** | **84.23** | **77.61** | **84.80** | **3.63** | **79.77** | **72.09** | **73.25** | **4.97** | **73.86** | **66.69** |
| MobileNet-V3 [9] | FedAvg-NA | 72.16 | 5.40 | 84.87 | 77.23 | 83.20 | 2.93 | 78.45 | 69.70 | 71.13 | 6.90 | 73.24 | 66.50 |
| MobileNet-V3 [9] | FedAvg | 32.16 | 40.96 | 78.19 | 70.45 | 27.87 | 46.71 | 67.95 | 60.31 | 26.40 | 43.75 | 61.28 | 55.32 |
| MobileNet-V3 [9] | Krum | 25.84 | 19.92 | 59.50 | 45.68 | 36.05 | 58.05 | 45.26 | 36.60 | 8.05 | 35.87 | 49.38 | 44.17 |
| MobileNet-V3 [9] | TMean | 38.20 | 33.24 | 79.35 | 71.14 | 38.75 | 36.83 | 69.39 | 60.54 | 45.08 | 21.57 | 67.95 | 60.88 |
| MobileNet-V3 [9] | Median | 44.72 | 27.48 | 79.54 | 70.64 | 45.52 | 24.59 | 71.98 | 63.54 | 18.35 | 36.87 | 60.05 | 54.83 |
| MobileNet-V3 [9] | FoolsGold | 45.80 | 28.84 | 80.08 | 71.85 | 46.91 | 28.53 | 72.11 | 63.22 | 55.07 | 20.28 | 69.79 | 62.31 |
| MobileNet-V3 [9] | FLAME | 46.73 | 19.84 | 58.14 | 45.98 | 33.39 | 22.59 | 56.38 | 48.21 | 52.45 | 19.95 | 59.83 | 50.88 |
| MobileNet-V3 [9] | FLARE | 47.24 | 21.92 | 80.34 | 72.07 | 51.00 | 20.08 | 72.93 | 64.35 | 54.67 | 16.18 | 69.93 | 62.50 |
| MobileNet-V3 [9] | DEFEND | 63.40† | 7.24† | 81.80† | 74.07† | 67.92† | 9.76† | 74.47† | 66.23† | 61.87† | 13.67† | 71.16† | 63.64† |
| MobileNet-V3 [9] | FedTrident (Ours) | **76.96** | **2.84** | **82.56** | **76.33** | **85.28** | **2.21** | **77.93** | **68.90** | **77.93** | **5.33** | **71.59** | **63.94** |
| EfficientNet-B1 [36] | FedAvg-NA | 75.68 | 3.40 | 86.08 | 74.18 | 79.25 | 4.75 | 80.15 | 73.50 | 80.53 | 8.08 | 74.48 | 67.30 |
| EfficientNet-B1 [36] | FedAvg | 38.12 | 32.96 | 80.48 | 68.44 | 51.17 | 25.20 | 74.63 | 65.83 | 39.42 | 29.42 | 65.48 | 57.66 |
| EfficientNet-B1 [36] | Krum | 4.92 | 69.32 | 64.49 | 50.43 | 42.88 | 20.13 | 52.64 | 42.18 | 43.67 | 26.65 | 66.98 | 58.41 |
| EfficientNet-B1 [36] | TMean | 46.52 | 27.04 | 81.46 | 69.09 | 26.27 | 47.39 | 69.30 | 58.44 | 43.55 | 26.78 | 66.86 | 58.37 |
| EfficientNet-B1 [36] | Median | 53.88 | 22.16 | 82.54 | 69.91 | 54.59 | 20.19 | 75.49 | 66.01 | 44.93 | 28.02 | 66.63 | 58.72 |
| EfficientNet-B1 [36] | FoolsGold | 59.80 | 16.76 | 83.64 | 73.23† | 61.15 | 17.84 | 77.84 | 68.31 | 38.32 | 26.32 | 66.48 | 59.46 |
| EfficientNet-B1 [36] | FLAME | 52.36 | 20.96 | 82.56 | 71.32 | 31.97 | 14.32 | 59.19 | 50.48 | 50.25 | 20.15 | 70.47 | 62.33 |
| EfficientNet-B1 [36] | FLARE | 62.04 | 16.08 | 83.46 | 72.17 | 65.73 | 12.88 | 77.56 | 69.69 | 59.27 | 17.65 | 70.60 | 62.78 |
| EfficientNet-B1 [36] | DEFEND | 80.40† | 5.40† | 84.43† | 73.14 | 82.99† | 3.31† | 77.87† | 69.81† | 79.13† | 7.98† | 72.87† | 63.12† |
| EfficientNet-B1 [36] | FedTrident (Ours) | **84.40** | **3.92** | **84.76** | **75.38** | **84.16** | **3.15** | **79.50** | **71.06** | **80.75** | **5.52** | **72.91** | **64.74** |
| DenseNet-121 [11] | FedAvg-NA | 77.96 | 5.16 | 86.18 | 80.57 | 77.09 | 4.19 | 81.73 | 74.56 | 73.13 | 6.40 | 76.71 | 69.96 |
| DenseNet-121 [11] | FedAvg | 29.72 | 41.12 | 78.93 | 72.09 | 33.20 | 41.65 | 71.63 | 64.32 | 15.70 | 45.67 | 60.38 | 55.77 |
| DenseNet-121 [11] | Krum | 28.20 | 28.04 | 66.42 | 54.09 | 4.08 | 63.55 | 54.65 | 48.38 | 6.17 | 39.83 | 51.50 | 47.87 |
| DenseNet-121 [11] | TMean | 25.76 | 37.84 | 78.51 | 72.14 | 43.68 | 35.60 | 73.28 | 64.99 | 31.38 | 26.00 | 66.27 | 60.50 |
| DenseNet-121 [11] | Median | 26.36 | 31.52 | 78.82 | 72.53 | 52.64 | 33.52 | 72.88 | 63.57 | 37.58 | 23.92 | 68.12 | 62.03 |
| DenseNet-121 [11] | FoolsGold | 34.80 | 36.52 | 80.06 | 73.37 | 52.72 | 24.35 | 76.18 | 67.93 | 43.73 | 24.70 | 69.80 | 63.29 |
| DenseNet-121 [11] | FLAME | 19.04 | 23.36 | 63.16 | 52.77 | 41.79 | 16.33 | 60.85 | 52.78 | 52.60 | 17.23 | 56.76 | 47.82 |
| DenseNet-121 [11] | FLARE | 53.88 | 20.72 | 82.71 | 75.53 | 57.89 | 16.32 | 77.19 | 68.78 | 47.80 | 17.05 | 71.41 | 64.90 |
| DenseNet-121 [11] | DEFEND | 59.52† | 10.64† | 83.36† | 76.34† | 71.76† | 11.60† | 78.57† | 71.44† | 56.50† | 11.43† | 72.42† | 66.94† |
| DenseNet-121 [11] | FedTrident (Ours) | **74.68** | **6.40** | **85.12** | **78.22** | **85.04** | **2.37** | **81.18** | **73.61** | **72.25** | **4.10** | **74.54** | **67.74** |
| DeiT-Tiny [38] | FedAvg-NA | 77.32 | 3.44 | 86.54 | 76.81 | 80.61 | 3.79 | 80.31 | 72.61 | 78.80 | 7.02 | 74.08 | 66.63 |
| DeiT-Tiny [38] | FedAvg | 25.52 | 48.40 | 77.89 | 63.94 | 44.88 | 30.85 | 72.83 | 62.50 | 30.03 | 45.47 | 60.93 | 52.17 |
| DeiT-Tiny [38] | Krum | 17.48 | 38.04 | 67.15 | 59.31 | 50.48 | 31.81 | 72.82 | 62.72 | 40.73 | 27.60 | 66.94 | 57.34 |
| DeiT-Tiny [38] | TMean | 34.88 | 40.84 | 64.03 | 54.92 | 41.76 | 45.55 | 47.37 | 40.56 | 41.73 | 37.50 | 64.93 | 55.78 |
| DeiT-Tiny [38] | Median | 33.64 | 45.72 | 78.91 | 65.41 | 47.33 | 41.28 | 51.81 | 43.71 | 55.72 | 14.65 | **77.01** | **66.25** |
| DeiT-Tiny [38] | FoolsGold | 53.60 | 25.08 | 82.61 | 70.92 | 65.23 | 14.75 | 76.85† | 65.92† | 45.23 | 17.33 | 68.59 | 60.36 |
| DeiT-Tiny [38] | FLAME | 45.60 | 25.84 | 57.54 | 46.92 | 43.57 | 19.92 | 42.36 | 35.36 | 49.47 | 33.63 | 60.34 | 53.47 |
| DeiT-Tiny [38] | FLARE | 58.84 | 17.80 | 83.02 | 72.02 | 52.27 | 29.09 | 72.19 | 63.83 | 53.70 | 18.88 | 68.77 | 61.20 |
| DeiT-Tiny [38] | DEFEND | 80.76† | 4.84† | 84.58† | 72.76† | 82.11† | 4.75† | 65.55 | 65.03 | 78.52† | 7.63† | 69.14 | 62.37 |
| DeiT-Tiny [38] | FedTrident (Ours) | **87.84** | **1.00** | **85.54** | **78.12** | **85.81** | **2.48** | **78.23** | **69.60** | **82.42** | **2.33** | 72.69† | 65.33† |

• ∗ Bold numbers are the best performance.
• † Numbers marked with † are the second-best values.
• ‡ NA denotes No Attack. Others without this symbol are all under attack.

V-A2 RCC Models

To evaluate the generality and compatibility of each method, we train six popular DNN models under FL for the RCC tasks:
• ResNet-18 and ResNet-34 [8]: the residual framework can better support deeper networks.
• MobileNet-V3 [9]: the architecture is suitable for mobile and resource-constrained environments.
• EfficientNet-B1 [36]: the model can scale depth, width, and resolution uniformly.
• DenseNet-121 [11]: the dense convolutional network can adopt shorter connections between layers.
• DeiT-Tiny [38]: the data-efficient image transformer model can achieve high performance through attention.

We choose these models because they are all lightweight DNN versions, thus suitable for vehicles. The detailed model size (MB), inference latency (ms), and peak memory (MB) of each model on both Jetson and A100 are summarized in TABLE V. It clearly shows that the current edge device can support RCC tasks in real time.
Figure 7: Confusion matrices of FedTrident with ResNet-18 in three RCC tasks. Classes in green and red are source and target classes, respectively.
Figure 8: Confusion matrices of FedTrident with EfficientNet-B1 in three RCC tasks. Classes in green and red are source and target classes, respectively.
Figure 9: Confusion matrices of FedTrident with DeiT-Tiny in three RCC tasks. Classes in green and red are source and target classes, respectively.
Figure 10: ASR curves of malicious client rates with ResNet-18.
Figure 11: ASR curves of malicious client rates with EfficientNet-B1.
Figure 12: ASR curves of malicious client rates with DeiT-Tiny.

V-A3 Compared Methods

We compare the following eight methods in the experiments: FedAvg [26], Krum [4], TMean [46], Median [46], FoolsGold [7], FLAME [27], FLARE [21], and our proposed FedTrident ($r^{\max}=1.00$, $r^{\min}=0.00$, $r_k(0)=0.80$, $\beta_k^t=0.05$, $\gamma_k^t=0.15\times NC_k^t$, and $SRE^{thr}/ASR^{thr}=0.1$, where $NC_k^t$ is the current number of consecutive rounds in which client $k$ has been identified as poisoned).

V-A4 Evaluation Objectives and Metrics

We evaluate FedTrident, in comparison to the baseline methods (Section V-A3), in terms of (i) detection effectiveness; (ii) attack mitigation; (iii) robustness against a gamut of adversaries, notably including dynamic ones (Section I-B); and (iv) generalization across multiple models (Section V-A2) and tasks (Section V-A1). The following four evaluation metrics quantify different performance aspects:

• SRE: Source Recall, the proportion of correct predictions for the source class $s_{idx(f)}$ to the total number of samples in the source class, computed by Equation (15).

$$SRE = \frac{n_{idx(f),idx(f)}}{\sum_{i=1}^{E} n_{idx(f),i}} \quad (15)$$

• ASR: Attack Success Rate, the ratio of samples with the source label $s_{idx(f)}$ misclassified into the target class $s_{idx(g)}$, computed by Equation (16).

$$ASR = \frac{n_{idx(f),idx(g)}}{\sum_{i=1}^{E} n_{idx(f),i}} \quad (16)$$

• GAC: Global Accuracy, the ratio of all correct predictions to the total number of testing instances, computed by Equation (17).

$$GAC = \frac{\sum_{i=1}^{E} n_{i,i}}{\sum_{i=1}^{E}\sum_{j=1}^{E} n_{i,j}} \quad (17)$$

• GAS: Global Accuracy of Safety, defined by Equation (3).

V-B Overall Results Analysis

V-B1 Key Findings

FL-RCC is vulnerable to TLFAs (Section V-B2), and the state of the art is insufficient in thwarting TLFAs (Section V-B3). FedTrident not only outperforms the defense baselines but also shows no performance gap compared to FedAvg-NA, i.e., it achieves under-attack detection and mitigation that lead to model performance equivalent to that of FL without attack (Section V-B4). It is also stable and compatible across tasks and models (Section V-B4). Moreover, FedTrident remains robust even against a high rate of adversarial clients, even when they dynamically change their attack pattern (Section V-C). We elaborate on these findings in the rest of this section.

V-B2 TLFA Influence

The TLFA influence on FL-RCC can be analyzed based on the results of FedAvg and FedAvg-NA in TABLE VI; NA denotes "No Attack", and method names without NA denote results under TLFAs. Specifically, if no defense is implemented, TLFAs reduce SRE by 42.95%, increase ASR by 35.69%, decrease GAC by 9.57%, and drop GAS by 9.99% on average. Such significant performance deterioration (notably in SRE and ASR) shows the vulnerability of FL-RCC to TLFAs.

V-B3 Baseline Performance

As per TABLE VI, the effectiveness of most of the baseline methods (including FedAvg, Krum, TMean, Median, FoolsGold, FLAME, and FLARE) is limited; even when comparing the best among them in a group (that is, the evaluations for a specified model-task combination) to FedAvg-NA, the average gap is 18.43%, 12.26%, 3.56%, and 4.49% for SRE, ASR, GAC, and GAS, respectively.
Such a non-negligible performance gap shows that most existing solutions are insufficient in thwarting TLFAs in FL-RCC. Even the best and most recent baseline, DEFEND, is still worse than FedAvg-NA by 4.75%, 2.82%, 3.51%, and 3.79% for the four metrics, respectively.

Figure 13: ASR and SRE curves of IID levels with EfficientNet-B1 in Friction.

V-B4 FedTrident Performance

Our solution, FedTrident, is the best countermeasure in all 18 groups in terms of the two most important metrics, SRE and ASR. Notably, compared to the best baseline, the average improvements are 9.49%, 4.47%, 1.23%, and 2.32% for SRE, ASR, GAC, and GAS, respectively. Moreover, the average SRE value over all groups is 81.14%, the ASR value is 3.44%, the GAC value is 79.08%, and the GAS value is 71.30%, which are very close to the performance of FedAvg-NA (76.34%, 5.23%, 80.30%, and 72.51%). FedTrident is even better than FedAvg-NA in terms of SRE and ASR. This performance boost over the defense baselines, with no gap to FedAvg-NA, demonstrates the superiority and effectiveness of FedTrident.

TABLE VII: Results on RCC @ All dataset. All values are ratios in %.
| Model Type | Method | SRE↑ | ASR↓ | GAC↑ | GAS↑ |
|---|---|---|---|---|---|
| ResNet-18 [8] | FedAvg-NA‡ [26] | 73.17 | 0.17 | 60.64 | 27.03 |
| | FedAvg [26] | 42.00 | 30.17 | 59.49 | 25.82 |
| | Krum [4] | 45.33 | 25.33 | 50.27 | 21.61 |
| | TMean [46] | 46.17 | 22.50 | 59.78 | 26.14 |
| | Median [46] | 59.83 | 24.00 | 59.60 | 26.22 |
| | FoolsGold [7] | 45.67 | 24.83 | 59.75 | 26.17 |
| | FLAME [27] | 49.94 | 23.71 | 59.59 | 26.03 |
| | FLARE [21] | 58.83 | 19.33 | 59.85 | 26.26 |
| | DEFEND [22] | 68.50† | 9.00† | 59.90† | 26.56† |
| | FedTrident (Ours) | 74.83∗ | 0.00∗ | 60.43∗ | 26.69∗ |
| EfficientNet-B1 [36] | FedAvg-NA‡ | 77.17 | 0.33 | 64.10 | 28.59 |
| | FedAvg | 26.17 | 42.83 | 62.07 | 25.97 |
| | Krum | 44.83 | 27.50 | 50.22 | 22.30 |
| | TMean | 51.83 | 26.17 | 63.09∗ | 27.31 |
| | Median | 51.00 | 22.67 | 62.75 | 27.30 |
| | FoolsGold | 54.00 | 23.33 | 62.77† | 27.46 |
| | FLAME | 53.33 | 22.55 | 62.44 | 27.40 |
| | FLARE | 59.17 | 19.50 | 62.04 | 27.32 |
| | DEFEND | 68.67† | 11.67† | 62.19 | 27.47† |
| | FedTrident (Ours) | 77.17∗ | 0.67∗ | 61.75 | 27.51∗ |
| DeiT-Tiny [38] | FedAvg-NA‡ | 75.50 | 0.33 | 64.06 | 28.43 |
| | FedAvg | 23.67 | 39.50 | 61.98 | 27.09 |
| | Krum | 42.50 | 31.45 | 48.59 | 20.91 |
| | TMean | 55.83 | 18.67 | 62.84 | 27.70 |
| | Median | 46.17 | 25.33 | 61.59 | 26.77 |
| | FoolsGold | 47.67 | 20.83 | 62.76† | 27.65 |
| | FLAME | 42.11 | 32.76 | 58.24 | 27.73 |
| | FLARE | 49.17 | 16.83 | 60.94 | 26.70 |
| | DEFEND | 61.50† | 9.83† | 62.43 | 27.81† |
| | FedTrident (Ours) | 71.17∗ | 1.17∗ | 63.14∗ | 27.96∗ |

• ∗ marks the best performance.
• † marks the second-best value.
• ‡ NA denotes No Attack; all other rows are under attack.

TABLE VIII: Results with dynamic attacks based on EfficientNet-B1. All values are ratios in %.
| RCC Task | Method | SRE↑ | ASR↓ | GAC↑ | GAS↑ |
|---|---|---|---|---|---|
| Friction | FedAvg [26] | 37.20 | 36.88 | 78.98 | 70.55 |
| | Krum [4] | 3.12 | 67.36 | 64.52 | 55.99 |
| | TMean [46] | 52.20 | 27.04 | 82.25 | 74.47 |
| | Median [46] | 49.08 | 23.36 | 81.40 | 73.34 |
| | FoolsGold [7] | 51.88 | 20.56 | 82.52 | 74.91 |
| | FLAME [27] | 43.22 | 34.56 | 58.24 | 47.77 |
| | FLARE [21] | 64.92 | 18.20 | 84.25 | 76.38 |
| | DEFEND [22] | 69.60† | 10.16† | 84.46† | 76.44† |
| | FedTrident (Ours) | 78.92∗ | 2.92∗ | 84.58∗ | 76.56∗ |
| Material | FedAvg | 60.16 | 29.81 | 77.73 | 64.58 |
| | Krum | 67.01 | 25.28 | 54.61 | 45.08 |
| | TMean | 56.93 | 25.97 | 72.91 | 69.51† |
| | Median | 69.33 | 23.66 | 78.41† | 67.81 |
| | FoolsGold | 65.41 | 18.61 | 75.81 | 66.29 |
| | FLAME | 68.69 | 13.59 | 68.33 | 60.17 |
| | FLARE | 72.43 | 13.33 | 76.83 | 67.39 |
| | DEFEND | 75.07† | 9.04† | 77.51 | 69.09 |
| | FedTrident (Ours) | 84.16∗ | 1.47∗ | 78.80∗ | 70.37∗ |
| Unevenness | FedAvg | 38.83 | 31.32 | 65.40 | 60.19 |
| | Krum | 20.73 | 49.33 | 52.60 | 46.49 |
| | TMean | 42.67 | 25.47 | 67.64 | 63.16 |
| | Median | 43.98 | 24.62 | 67.62 | 60.63 |
| | FoolsGold | 46.75 | 22.47 | 69.70 | 62.92 |
| | FLAME | 61.88 | 20.96 | 56.53 | 47.13 |
| | FLARE | 52.13 | 22.70 | 68.38 | 63.37 |
| | DEFEND | 63.40† | 10.57† | 70.91† | 64.35† |
| | FedTrident (Ours) | 81.70∗ | 4.73∗ | 72.82∗ | 65.44∗ |

• ∗ marks the best performance.
• † marks the second-best value.

The normalized confusion matrices of FedTrident for the three tasks are illustrated in Fig. 7 (with ResNet-18), Fig. 8 (with EfficientNet-B1), and Fig. 9 (with DeiT-Tiny); source classes are marked in green and target classes in red for readability.
These confusion matrices exhibit strong diagonals across all classes, including the source–target pairs that define the TLFA objectives in each RCC task (water→ , gravel→ , and severe-uneven→ ). These results indicate consistently high per-class prediction accuracy and demonstrate clearly that FedTrident prevents adversaries from realizing the targeted misclassifications that would otherwise jeopardize transportation safety. Moreover, the nine matrices (three RCC tasks × three DNN models) show uniformly strong performance, highlighting FedTrident's stability and compatibility across tasks and models.

Observations on Model Type: Lightweight models such as MobileNet-V3 and DeiT-Tiny show higher ASR with FedAvg and the baseline defenses, indicating greater susceptibility to TLFAs. Their compact parameterization and limited representational redundancy make them more sensitive to the localized neuron perturbations introduced by malicious clients. Despite the diversity of model types, ranging from convolutional (e.g., ResNet-18 and EfficientNet-B1) to transformer-based (DeiT-Tiny), FedTrident consistently achieves the best or second-best results across all metrics and tasks. Its SRE values remain high and its ASR values remain low for most configurations, significantly outperforming the baseline defenses. This demonstrates that FedTrident generalizes well across different feature extraction paradigms and is not tied to any specific model type.

TABLE IX: The ablation results of FedTrident within default configurations. All values are ratios in %.
| Model Type | Method | Friction SRE↑ | Friction ASR↓ | Friction GAC↑ | Friction GAS↑ | Material SRE↑ | Material ASR↓ | Material GAC↑ | Material GAS↑ | Unevenness SRE↑ | Unevenness ASR↓ | Unevenness GAC↑ | Unevenness GAS↑ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ResNet-18 | Detection | 61.04 | 14.04 | 83.31 | 72.42 | 72.11 | 10.24 | 77.40 | 68.78 | 63.17 | 11.22 | 73.63 | 66.48 |
| | Detection + Exclusion‡ | 75.02† | 3.80† | 84.69† | 74.39 | 81.33† | 4.53† | 79.54† | 71.03 | 79.85† | 8.80† | 73.71† | 66.56 |
| | FedTrident (Full) | 88.04∗ | 1.72∗ | 85.16∗ | 75.12∗ | 87.47∗ | 1.89∗ | 79.77∗ | 71.76∗ | 80.17∗ | 5.68∗ | 74.16∗ | 67.21∗ |
| EfficientNet-B1 | Detection | 64.52 | 11.04 | 83.82 | 73.41 | 75.81 | 8.59 | 78.99† | 70.10 | 66.43 | 11.93 | 71.74 | 64.32 |
| | Detection + Exclusion | 81.60† | 5.32† | 84.09† | 74.17† | 82.99† | 4.18† | 78.22 | 71.52† | 75.78† | 8.90† | 72.26† | 64.71† |
| | FedTrident (Full) | 84.40∗ | 3.92∗ | 84.76∗ | 75.38∗ | 84.16∗ | 3.15∗ | 79.50∗ | 71.06∗ | 80.75∗ | 5.52∗ | 72.91∗ | 64.74∗ |
| DeiT-Tiny | Detection | 74.04 | 9.20 | 84.22 | 72.45 | 72.45 | 8.24 | 74.19 | 67.77 | 67.18 | 9.28 | 69.98 | 62.47 |
| | Detection + Exclusion | 80.76† | 4.12† | 84.60† | 75.75† | 82.21† | 4.77† | 78.67∗ | 68.00† | 78.52† | 7.63† | 71.46† | 64.31† |
| | FedTrident (Full) | 87.84∗ | 1.00∗ | 85.54∗ | 78.12∗ | 85.81∗ | 2.48∗ | 78.23† | 69.60∗ | 82.42∗ | 2.33∗ | 72.69∗ | 65.33∗ |

• ∗ marks the best performance.
• † marks the second-best value.
• ‡ Detection denotes poisoned local model detection, and Exclusion denotes malicious vehicular client exclusion.

V-C Resilience Analysis of FedTrident

V-C1 Results on Different Malicious Client Rates

As shown in Fig. 10 (with ResNet-18), Fig. 11 (with EfficientNet-B1), and Fig. 12 (with DeiT-Tiny), increasing the proportion of malicious clients from 0% to 40% in steps of 10% does not induce a commensurate rise in ASR when FedTrident is implemented.
Taking DeiT-Tiny as an example, FedTrident's ASR values remain within 1.00%–5.60% on Friction, 0.93%–5.68% on Material, and 2.33%–7.78% on Unevenness, which are always better than the baselines. In contrast, FedAvg's ASR values degrade sharply as the fraction of malicious clients increases: on Friction it rises from 8.20% to 47.08%, on Material from 10.21% to 46.16%, and on Unevenness from 7.02% to 54.93%. Even for one of the best baseline defenses, FLARE, the increasing trend is worrying (7.01%→35.24%, 8.95%→38.53%, and 6.80%→34.57%). These results underscore how strongly the impact of TLFAs grows with attacker prevalence under both vanilla FL-RCC and state-of-the-art countermeasures, whereas FedTrident maintains low ASR values even at high malicious client rates, consistently across RCC tasks and model types.

V-C2 Results on Different Data Heterogeneity Levels

As shown in Fig. 13 (Friction task, EfficientNet-B1), we vary the IID level from 1.0 (strongly non-IID) to +∞ (fully IID), where the value is the parameter α of the Dirichlet distribution. The results show that the ASR values of FedAvg gradually increase from 18.52% to 32.96% as the data becomes more heterogeneous; accordingly, the SRE values degrade from 60.32% to 38.12%. Although one of the state-of-the-art defense baselines, FLARE, always (regardless of the IID level) improves model performance over FedAvg, it is still much worse than FedAvg-NA. The other state-of-the-art defense baseline, DEFEND, improves significantly over FLARE; however, it is still slightly worse than FedAvg-NA in terms of ASR. Surprisingly, FedTrident is even slightly better than FedAvg-NA in all data distribution cases, as its ASR and SRE values remain within [3.36%, 3.92%] and [78.88%, 84.40%], respectively. Such stability and high performance clearly show that FedTrident is robust to varying levels of data heterogeneity.
V-C3 Results on Multi-task

Beyond the separate RCC tasks, the performance of each method on a multi-task classification that simultaneously involves friction, material, and unevenness can be analyzed based on TABLE VII. The average SRE and ASR values of the best baseline are 66.22% and 10.17%, respectively; compared to FedAvg-NA (75.28% and 0.28%), the performance gaps are 9.08% for SRE and 9.89% for ASR. FedTrident, in contrast, sustains a high SRE (74.39%) and a low ASR (0.61%) in such a challenging task. Note that the calculation of ASR and SRE relies on the source and target classes; when the total number of classes is large (e.g., 27 in our case), it is difficult for the FL-RCC system to identify and thwart TLFAs. The neuron-wise analysis of FedTrident can recognize the attack goal of TLFAs successfully, which benefits the FL-RCC system in such a complex task.

V-C4 Results on Dynamic Attacks

Instead of static attacks, whose source and target classes are fixed during FL training, we consider dynamic attacks in which adversaries change the two classes according to their attack goal. The setting in the Friction task is to flip from water to wet in the first 10 rounds, then from water to dry in the last 50 rounds. Likewise, the interim classes are gravel and slight-uneven in Material and Unevenness, respectively. As summarized in TABLE VIII, all defense baselines struggle with the dynamic attacks, and their worst performance reaches 3.12%, 67.36%, 52.60%, and 45.08% for SRE, ASR, GAC, and GAS, respectively. FedTrident always achieves the best results, with average improvements (compared to the best baseline) of 12.24% for SRE, 6.88% for ASR, 0.81% for GAC, and 0.83% for GAS. These results demonstrate that even under dynamic attacks the detection module of FedTrident accurately identifies the source and target classes in each round; thus, the exclusion and remediation modules can also function effectively.
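As an added worked example (not code from the paper or its authors), the following Python computes the SRE, ASR and GAC metrics of Equations (15)–(17) from a confusion matrix and scores each FL round against the (source, target) pair active under the dynamic-attack schedule of Section V-C4, so that an evaluator does not measure ASR against a stale target class. The three-class label subset, the `active_pair` helper and every count below are constructed assumptions for illustration; GAS (Equation (3)) is defined outside this section and is not reproduced.

```python
"""Added example (not from the FedTrident paper): Section V-A4 metrics
computed from a confusion matrix, evaluated against the (source, target)
pair that is active in a given round of a dynamic TLFA (Section V-C4).
Class names, the schedule helper and all counts are constructed."""
from typing import Dict, List, Sequence, Tuple

# n[i][j] = number of test samples of true class i predicted as class j;
# E = len(n) is the number of classes (the paper's notation n_{i,j}).
Matrix = Sequence[Sequence[int]]


def confusion_matrix(y_true: Sequence[int], y_pred: Sequence[int],
                     num_classes: int) -> List[List[int]]:
    """Build n[i][j] from per-sample true and predicted labels."""
    n = [[0] * num_classes for _ in range(num_classes)]
    for t, p in zip(y_true, y_pred):
        n[t][p] += 1
    return n


def source_recall(n: Matrix, f: int) -> float:
    """SRE, Equation (15): n[f][f] / sum_i n[f][i], in percent."""
    row_total = sum(n[f])
    return round(100.0 * n[f][f] / row_total, 2) if row_total else 0.0


def attack_success_rate(n: Matrix, f: int, g: int) -> float:
    """ASR, Equation (16): n[f][g] / sum_i n[f][i], in percent."""
    row_total = sum(n[f])
    return round(100.0 * n[f][g] / row_total, 2) if row_total else 0.0


def global_accuracy(n: Matrix) -> float:
    """GAC, Equation (17): sum_i n[i][i] / sum_i sum_j n[i][j], in percent."""
    total = sum(sum(row) for row in n)
    correct = sum(n[i][i] for i in range(len(n)))
    return round(100.0 * correct / total, 2) if total else 0.0


def rcc_metrics(n: Matrix, classes: Sequence[str],
                source: str, target: str) -> Dict[str, float]:
    """SRE, ASR and GAC for one (source, target) TLFA objective."""
    f, g = classes.index(source), classes.index(target)
    return {"SRE": source_recall(n, f),
            "ASR": attack_success_rate(n, f, g),
            "GAC": global_accuracy(n)}


def active_pair(round_idx: int, source: str, first_target: str,
                second_target: str, switch_after: int = 10) -> Tuple[str, str]:
    """Hypothetical helper mirroring the Section V-C4 schedule: the source
    class is flipped to first_target for rounds 1..switch_after and to
    second_target afterwards (Friction: water -> wet for 10 rounds, then
    water -> dry for the remaining 50 rounds)."""
    if round_idx <= switch_after:
        return (source, first_target)
    return (source, second_target)


# Constructed Friction-style label subset; class indices follow this order.
CLASSES = ["dry", "wet", "water"]
DRY, WET, WATER = range(3)

# Constructed confusion matrices, 100 test samples per class (rows = true).
ATTACK_FREE = [[90, 8, 2], [6, 88, 6], [3, 7, 90]]
# Global model corrupted by a water -> wet flip: the water row leaks into wet.
POISONED_ROUND_5 = [[90, 8, 2], [6, 88, 6], [3, 55, 42]]
# After the adversary switches to water -> dry (round 11 onward).
POISONED_ROUND_20 = [[90, 8, 2], [6, 88, 6], [50, 8, 42]]


def evaluate_round(n: Matrix, round_idx: int) -> Dict[str, float]:
    """Score a round's global model against the objective active in that round."""
    src, tgt = active_pair(round_idx, "water", "wet", "dry")
    return rcc_metrics(n, CLASSES, src, tgt)


if __name__ == "__main__":
    print("attack-free, round 5 :", evaluate_round(ATTACK_FREE, 5))
    print("poisoned,    round 5 :", evaluate_round(POISONED_ROUND_5, 5))
    print("poisoned,    round 20:", evaluate_round(POISONED_ROUND_20, 20))
    # Measuring round 20 against the stale water -> wet pair hides the attack.
    print("stale-pair ASR, round 20:", attack_success_rate(POISONED_ROUND_20, WATER, WET))
```

Scoring round 20 against the stale water→wet pair reports an ASR of 8%, while the active water→dry pair exposes the 50% flip; this is why per-round identification of the source and target classes matters for the evaluation as well as for the defense.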
V-C5 Ablation Study

The poisoned local model detection serves as the basic module of FedTrident on which the second module (malicious vehicular client exclusion) relies; the final module, corrupted global model remediation, takes the exclusion module's results as input. To evaluate the effectiveness of each module, we present an ablation study of FedTrident in TABLE IX. The results show that combining the detection module with the exclusion module improves performance, on average, by 11.26%, 4.64%, 1.11%, and 1.36% for SRE, ASR, GAC, and GAS, respectively, compared to using the detection module alone. Moreover, the full FedTrident, integrating all three modules, achieves the overall best performance; compared to detection + exclusion, the SRE, ASR, GAC, and GAS values are further improved by 4.78%, 2.71%, 0.61%, and 0.88%, respectively. This comparison shows that all three modules in FedTrident help improve performance.

VI Conclusions

We propose FedTrident for FL-RCC against TLFAs, with three modules: 1) poisoned local model detection based on neuron-wise analysis to identify attack goals and a GMM to distinguish poisoned models from benign ones; 2) malicious vehicular client exclusion, which adjusts client ratings based on model-level detection to preclude persistent poisoning; and 3) corrupted global model remediation, which capitalizes on machine unlearning to correct the already-corrupted global model after each exclusion. Holistic evaluation involving various RCC tasks and DNN models indicates that, under TLFAs, FedTrident is superior to state-of-the-art countermeasures and can achieve the same performance as an attack-free scenario. Moreover, FedTrident is resilient to diverse malicious client rates, varying data heterogeneity levels, complex tasks, and dynamic attacks. We will extend FedTrident to safeguard other ITS tasks beyond RCC, e.g., world model-based driving.
Moreover, we will investigate TLFAs in the context of self-supervised FL and adapt FedTrident to such settings. Finally, we will address more practical considerations, e.g., executing TLFAs and evaluating FedTrident in real-world large-scale vehicular communication and computation environments.

Acknowledgments

This work was supported in part by WASP, VR, and in kind by the KAW Foundation granting access to Berzelius at the National Supercomputer Centre.

References

[1] I. S. 1609.2 (2023) IEEE Standard for Wireless Access in Vehicular Environments – Security Services for Application and Management Messages. IEEE Std 1609.2-2022 (Revision of IEEE Std 1609.2-2016), p. 1–349.
[2] S. Awan, B. Luo, and F. Li (2021) CONTRA: Defending Against Poisoning Attacks in Federated Learning. In ESORICS, Virtual.
[3] A. Basavaraju, J. Du, F. Zhou, and J. Ji (2020) A Machine Learning Approach to Road Surface Anomaly Assessment Using Smartphone Sensors. IEEE Sensors Journal 20 (5), p. 2635–2647.
[4] P. Blanchard, E. M. El Mhamdi, R. Guerraoui, and J. Stainer (2017) Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent. In NeurIPS, Long Beach, CA, USA.
[5] Y. Chen, S. Yang, R. Wang, Z. Li, Q. Li, Z. Tong, Y. Cao, and F. Zhou (2025) Enhancing Road Surface Recognition via Optimal Transport and Metric Learning in Task-Agnostic Intelligent Driving Environments. Expert Systems with Applications 266, p. 125978.
[6] H. Fereidooni, A. Pegoraro, P. Rieger, A. Dmitrienko, and A. Sadeghi (2024) FreqFed: A Frequency Analysis-Based Approach for Mitigating Poisoning Attacks in Federated Learning. In NDSS, San Diego, CA, USA.
[7] C. Fung, C. J. Yoon, and I. Beschastnikh (2020) The Limitations of Federated Learning in Sybil Settings. In RAID, San Sebastian, Spain.
[8] K. He, X. Zhang, S. Ren, and J. Sun (2016) Deep Residual Learning for Image Recognition. In CVPR, Las Vegas, NV, USA.
[9] A. Howard, M. Sandler, G. Chu, L. Chen, B. Chen, M. Tan, W. Wang, Y. Zhu, R. Pang, V. Vasudevan, et al. (2019) Searching for MobileNetV3. In ICCV, Seoul, South Korea.
[10] Y. Hu, M. Fang, Y. Jia, H. Liu, and N. Z. Gong (2025) Periodic Recovery From Poisoning Attacks in Machine Learning. IEEE Transactions on Dependable and Secure Computing 22 (5), p. 5033–5046.
[11] G. Huang, Z. Liu, L. Van Der Maaten, and K. Q. Weinberger (2017) Densely Connected Convolutional Networks. In CVPR, Honolulu, HI, USA.
[12] N. M. Jebreel, J. Domingo-Ferrer, D. Sánchez, and A. Blanco-Justicia (2024) LFighter: Defending Against the Label-flipping Attack in Federated Learning. Neural Networks 170, p. 111–126.
[13] Y. Jiang, W. Zhang, and Y. Chen (2023) Data Quality Detection Mechanism Against Label Flipping Attacks in Federated Learning. IEEE Transactions on Information Forensics and Security 18, p. 1625–1637.
[14] M. Khodaei, H. Jin, and P. Papadimitratos (2018) SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular Communication Systems. IEEE Transactions on Intelligent Transportation Systems 19 (5), p. 1430–1444.
[15] M. Khodaei, H. Noroozi, and P. Papadimitratos (2023) SECMACE+: Upscaling Pseudonymous Authentication for Large Mobile Systems. IEEE Transactions on Cloud Computing 11 (3), p. 3009–3026.
[16] M. Khodaei and P. Papadimitratos (2015) The Key to Intelligent Transportation: Identity and Credential Management in Vehicular Communication Systems. IEEE Vehicular Technology Magazine 10 (4), p. 63–69.
[17] M. Khodaei and P. Papadimitratos (2021) Scalable & Resilient Vehicle-Centric Certificate Revocation List Distribution in Vehicular Communication Systems. IEEE Transactions on Mobile Computing 20 (7), p. 2473–2489.
[18] D. Khuu, M. Sober, D. Kaaser, M. Fischer, and S. Schulte (2024) Data Poisoning Detection in Federated Learning. In ACM SAC, Avila, Spain.
[19] L. Lavaur, Y. Busnel, and F. Autrel (2024) Systematic Analysis of Label-flipping Attacks Against Federated Learning in Collaborative Intrusion Detection Systems. In ARES, Vienna, Austria.
[20] S. Li and Y. Dai (2024) BackdoorIndicator: Leveraging OOD Data for Proactive Backdoor Detection in Federated Learning. In USENIX Security, Philadelphia, PA, USA.
[21] S. Liu and P. Papadimitratos (2025) Safeguarding Federated Learning-based Road Condition Classification. In IEEE CNS, Avignon, France.
[22] S. Liu and P. Papadimitratos (2026) DEFEND: Poisoned Model Detection and Malicious Client Exclusion Mechanism for Secure Federated Learning-based Road Condition Classification. In ACM SAC, Thessaloniki, Greece.
[23] S. Liu, L. You, R. Zhu, B. Liu, R. Liu, H. Yu, and C. Yuen (2024) AFM3D: An Asynchronous Federated Meta-Learning Framework for Driver Distraction Detection. IEEE Transactions on Intelligent Transportation Systems 25 (8), p. 9659–9674.
[24] F. Malin, I. Norros, and S. Innamaa (2019) Accident Risk of Road and Weather Conditions on Different Road Types. Accident Analysis & Prevention 122, p. 181–188.
[25] L. McInnes, J. Healy, and J. Melville (2020) UMAP: Uniform Manifold Approximation and Projection for Dimension Reduction. arXiv preprint arXiv:1802.03426.
[26] B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas (2017) Communication-efficient Learning of Deep Networks from Decentralized Data. In AISTATS, Fort Lauderdale, FL, USA.
[27] T. D. Nguyen, P. Rieger, R. De Viti, H. Chen, B. B. Brandenburg, H. Yalame, H. Möllering, H. Fereidooni, S. Marchal, M. Miettinen, et al. (2022) FLAME: Taming Backdoors in Federated Learning. In USENIX Security, Boston, MA, USA.
[28] M. Nolte, N. Kister, and M. Maurer (2018) Assessment of Deep Convolutional Neural Networks for Road Surface Classification. In ITSC, Maui, HI, USA.
[29] M. Otoofi, L. Laine, L. Henderson, W. J. B. Midgley, L. Justham, and J. Fleming (2024) FrictionSegNet: Simultaneous Semantic Segmentation and Friction Estimation Using Hierarchical Latent Variable Models. IEEE Transactions on Intelligent Transportation Systems 25 (12), p. 19785–19795.
[30] P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J. Hubaux (2008) Secure Vehicular Communication Systems: Design and Architecture. IEEE Communications Magazine 46 (11), p. 100–109.
[31] P. Papadimitratos and Z. J. Haas (2006) Secure Data Communication in Mobile Ad Hoc Networks. IEEE Journal on Selected Areas in Communications 24 (2), p. 343–356.
[32] E. Rescorla (2018) The Transport Layer Security (TLS) Protocol Version 1.3. Technical report.
[33] P. Rieger, T. Krauß, M. Miettinen, A. Dmitrienko, and A. Sadeghi (2024) CrowdGuard: Federated Backdoor Detection in Federated Learning. In NDSS, San Diego, CA, USA.
[34] K. Sameera, P. Vinod, R. R. KA, and M. Conti (2024) LFGurad: A Defense Against Label Flipping Attack in Federated Learning for Vehicular Network. Computer Networks 254, p. 110768.
[35] V. Shejwalkar and A. Houmansadr (2021) Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning. In NDSS, Virtual.
[36] M. Tan and Q. Le (2019) EfficientNet: Rethinking Model Scaling for Convolutional Neural Networks. In ICML, Long Beach, CA, USA.
[37] V. Tolpegin, S. Truex, M. E. Gursoy, and L. Liu (2020) Data Poisoning Attacks Against Federated Learning Systems. In ESORICS, Guildford, UK.
[38] H. Touvron, M. Cord, M. Douze, F. Massa, A. Sablayrolles, and H. Jégou (2021) Training Data-efficient Image Transformers & Distillation through Attention. In ICML, Virtual.
[39] B. Varona, A. Monteserin, and A. Teyseyre (2020) A Deep Learning Approach to Automatic Road Surface Monitoring and Pothole Detection. Personal and Ubiquitous Computing 24 (4), p. 519–534.
[40] I. V. Vondikakis, I. E. Panagiotopoulos, and G. J. Dimitrakopoulos (2023) An Adaptive Federated Learning Framework for Intelligent Road Surface Classification. In ITSC, Bilbao, Spain.
[41] I. V. Vondikakis, I. E. Panagiotopoulos, and G. J. Dimitrakopoulos (2024) FedRSC: A Federated Learning Analysis for Multi-Label Road Surface Classifications. IEEE Open Journal of Intelligent Transportation Systems 5, p. 433–444.
[42] N. Wang, Y. Xiao, Y. Chen, Y. Hu, W. Lou, and Y. T. Hou (2022) FLARE: Defending Federated Learning against Model Poisoning Attacks via Latent Space Representations. In ASIA CCS, Nagasaki, Japan.
[43] C. Wu, S. Zhu, P. Mitra, and W. Wang (2024) Unlearning Backdoor Attacks in Federated Learning. In IEEE CNS, Taipei, Taiwan.
[44] D. Wu, Q. Guo, Y. Qi, S. Qi, and Q. Li (2025) AMA: Adaptive Model Poisoning Attacks towards Federated Learning. IEEE Transactions on Dependable and Secure Computing, p. 1–14.
[45] W. Yamany, N. Moustafa, and B. Turnbull (2023) OQFL: An Optimized Quantum-Based Federated Learning Framework for Defending Against Adversarial Attacks in Intelligent Transportation Systems. IEEE Transactions on Intelligent Transportation Systems 24 (1), p. 893–903.
[46] D. Yin, Y. Chen, R. Kannan, and P. Bartlett (2018) Byzantine-robust Distributed Learning: Towards Optimal Statistical Rates. In ICML, Stockholm, Sweden.
[47] L. You, S. Liu, B. Zuo, C. Yuen, D. Niyato, and H. V. Poor (2023) Federated and Asynchronized Learning for Autonomous and Intelligent Things. IEEE Network 38 (2), p. 286–293.
[48] Y. Yuan, Y. Yuan, T. Baker, L. M. Kolbe, and D. Hogrefe (2021) FedRD: Privacy-preserving Adaptive Federated Learning Framework for Intelligent Hazardous Road Damage Detection and Warning. Future Generation Computer Systems 125, p. 385–398.
[49] Z. Zhang, X. Cao, J. Jia, and N. Z. Gong (2022) FLDetector: Defending Federated Learning Against Model Poisoning Attacks via Detecting Malicious Clients. In KDD, Washington, DC, USA.
[50] T. Zhao, J. He, J. Lv, D. Min, and Y. Wei (2023) A Comprehensive Implementation of Road Surface Classification for Vehicle Driving Assistance: Dataset, Models, and Deployment. IEEE Transactions on Intelligent Transportation Systems 24 (8), p. 8361–8370.
[51] H. Zhou, Y. Zheng, H. Huang, J. Shu, and X. Jia (2023) Toward Robust Hierarchical Federated Learning in Internet of Vehicles. IEEE Transactions on Intelligent Transportation Systems 24 (5), p. 5600–5614.
[52] Y. Zhou, L. Cai, X. Cheng, Q. Zhang, X. Xue, W. Ding, and J. Pu (2024) OpenAnnotate2: Multi-Modal Auto-Annotating for Autonomous Driving. IEEE Transactions on Intelligent Vehicles, p. 1–13.

Sheng Liu (Graduate Student Member, IEEE) received the B.Eng. degree and the master's degree from the School of Intelligent Systems Engineering, Sun Yat-sen University, China, in 2021 and 2024, respectively. He is currently pursuing a Ph.D. degree with the Networked Systems Security (NSS) Group at KTH Royal Institute of Technology, Stockholm, Sweden. His research interests include trustworthy AI, federated learning, security, privacy, and intelligent transportation.

Panagiotis Papadimitratos (Fellow, IEEE) received the Ph.D. degree from Cornell University, Ithaca, NY, USA. At KTH Royal Institute of Technology, Stockholm, Sweden, he leads the Networked Systems Security (NSS) Group and is a member of the Steering Committee of the Security Link Center. He serves or has served as a member of the ACM WiSec and CANS conference steering committees and the PETS Editorial and Advisory Boards; as Program Chair for the ACM WiSec'16, TRUST'16, and CANS'18 conferences; as General Chair for the ACM WiSec'18, PETS'19, and IEEE EuroS&P'19 conferences; as Associate Editor for the IEEE Transactions on Mobile Computing, IEEE/ACM Transactions on Networking, and IET Information Security journals; and as Chair for the Caspar Bowden PET Award. He is a fellow of the Young Academy of Europe, a Knut and Alice Wallenberg Academy Fellow, and an ACM Distinguished Member.