Poisoning-Resilient Federated Learning for MEC-IoT Environments

Using Blockchain
LUIS MIGUEL GARCÍA-SÁEZ, University of Castilla-La Mancha, Albacete, Spain
SERGIO RUIZ-VILLAFRANCA, University of Castilla-La Mancha, Albacete, Spain
JOSÉ ROLDÁN-GÓMEZ, University of Zaragoza, Zaragoza, Spain
JAVIER CARRILLO-MONDÉJAR, University of Zaragoza, Zaragoza, Spain
JOSÉ LUIS MARTÍNEZ, University of Castilla-La Mancha, Albacete, Spain
The rise of distributed architectures in Internet of Things (IoT) environments has signiicantly advanced both data processing
and artiicial intelligence. Notably, Multi-access Edge Computing (MEC) represents a distributed form of the Edge Computing
paradigm, focussing on heterogeneous protocol management. In contrast, Federated Learning (FL) is an application-level
framework designed to enable decentralised Machine Learning (ML) across devices without centralising data. Nevertheless,
the combination of both technologies enables the creation of more eicient, scalable, and responsive systems. However, their
integration into IoT brings substantial security challenges, including data poisoning, model manipulation, and the insertion of
false nodes, all of which threaten the reliability of FL systems. Blockchain technology emerges as a promising solution to these
challenges. It ofers a decentralised, transparent, and immutable framework that ensures the authenticity and veriication of
data across the network. Through blockchain, node interactions are automated and secured, enhancing the integrity and trust
in the learning process. This paper proposes a blockchain-based architecture for FL within MEC-IoT systems, designed to
mitigate security threats. The architecture emphasises data integrity, secure node interactions, and transparent audit trails
while maintaining optimal model performance and accuracy, even under attack. It highlights the low resource consumption
and minimal time overhead of blockchain integration, ensuring eiciency is not compromised. This integrated approach
improves data security, supports secure collaborative learning, and fosters a more resilient and trustworthy IoT ecosystem.
CCS Concepts: · Security and privacy → Distributed systems security; Network security; · Computing methodologies
→ Machine learning algorithms.
Additional Key Words and Phrases: Cybersecurity, Internet of Things, Multi-access Edge Computing, Blockchain, Smart
Contract, Federated Learning, Data Poisoning

1 Introduction
In recent years, the number of Internet of Things (IoT) devices has increased ivefold, rising from approximately 3.6
billion devices in 2015 to over 18 billion connected devices today [2]. The emergence of new network paradigms,
such as Multi-access Edge Computing (MEC), has brought numerous advantages to IoT devices. This is achieved
by bringing computational capabilities closer to the end user, thereby reducing latency for applications and
Authors’ Contact Information: Luis Miguel García-Sáez, University of Castilla-La Mancha, Albacete, Castilla-La Mancha, Spain; e-mail: luism.
garcia@uclm.es; Sergio Ruiz-Villafranca, University of Castilla-La Mancha, Albacete, Castilla-La Mancha, Spain; e-mail: sergio.rvillafranca@
uclm.es; José Roldán-Gómez, University of Zaragoza, Zaragoza, Aragon, Spain; e-mail: jroldan@unizar.es; Javier Carrillo-Mondéjar, University
of Zaragoza, Zaragoza, Aragon, Spain; e-mail: jcarrillo@unizar.es; José Luis Martínez, University of Castilla-La Mancha, Albacete, Castilla-La
Mancha, Spain; e-mail: joseluis.martinez@uclm.es.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that
copies are not made or distributed for proit or commercial advantage and that copies bear this notice and the full citation on the irst page.
Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy
otherwise, or republish, to post on servers or to redistribute to lists, requires prior speciic permission and/or a fee. Request permissions from
permissions@acm.org.
© 2025 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM 1557-6051/2025/9-ART
https://doi.org/10.1145/3767740

ACM Trans. Internet Technol.

2 • L. M. García-Sáez et al.

services compared to traditional Cloud Computing. These advances have facilitated the adoption of Federated
Learning (FL) techniques [47]. This approach has had a signiicant impact on various applications, including
hospitals and medical device communication networks [77], the Internet of Vehicles (IoV) [78], and the Industrial
Internet of Things (IIoT) [15].
This convergence of technologies represents an emerging paradigm in the development of network infras-
tructure and distributed models of Machine Learning (ML) and FL [52]. This interconnected environment brings
signiicant advancements in how data is processed and analysed by shifting processing and decision-making
closer to the MEC layer of the infrastructure. However, it also presents unique challenges in terms of data security
and privacy. In this context, IoT devices, which are often the source of data used in FL [81], may be vulnerable
to attacks that compromise the integrity of the learning process. Additionally, MEC architecture is designed to
process data close to its source and reduce communication latency with the edge server. However, it also adds
another layer of complexity to security management. This complexity is further enhanced by the distribution of
data processing across multiple MEC stations, where each edge server can process data sent by IoT devices. The
decentralised nature of these edge servers introduces additional security considerations as data is distributed and
processed across various nodes in the network [58].
In this environment, FL emerges as an innovative solution that enables IoT nodes to collaborate in the training
of Artiicial Intelligence (AI) models without centralising data. Each node uses its local data to train its version
of the model, preserving data privacy. However, despite the data remaining on the devices [44], the number of
attack vectors increases [16], posing signiicant security risks [18].
As MEC and IoT adoption expands, so do the associated security challenges. IoT nodes, often dispersed and
operating in potentially unsecured environments, become easy targets for attackers. The messages exchanged
by these devices often lack encryption due to their limited computational power, creating vulnerabilities that
attackers can exploit to compromise the FL process [27]. In response to these security challenges, the research
community has begun to focus on analysing these vulnerabilities and their impact on FL processes. However, few
studies ofer solutions to prevent the new attacks that are emerging in this ield [22].
Attacks aimed at compromising FL models, particularly through Byzantine attacks, are an increasingly signii-
cant threat [65]. Byzantine attacks aim to degrade the performance of the model through fake or malicious updates.
Among these attacks are data poisoning attacks, which are a research problem for the scientiic community and
whose impact is growing [64]. Data poisoning involves inserting false or misleading information into the training
data to degrade the accuracy and efectiveness of the model [9].
Real-world applications of MEC-IoT are particularly vulnerable to poisoning attacks. This vulnerability stems
from their distributed and resource-constrained nature. For instance, smart city deployments rely on edge-
based AI to process real-time sensor data [66]. In these systems, adversaries have successfully launched online
data poisoning attacks. These attacks manipulate urban service recommendations and predictions, even under
constrained computational conditions [84]. Similarly, MEC environments use location data for location-aware
analytics. Attackers can poison this location data to distort statistical outcomes. This manipulation severely
afects both service utility and user privacy [83].
Additionally, poisoning attacks have targeted IIoT systems. These attacks disrupt ML models used in predictive
maintenance and fault detection. Such disruptions can lead to unsafe operating conditions [12].
The distributed nature of FL, while beneicial for privacy and eiciency, complicates the detection and mitigation
of these attacks due to the lack of a central point for data integrity veriication. Furthermore, the inclusion of
malicious nodes in the network, which can manipulate and harm data or inal results, poses additional risks
[30]. These attacks range from the injection of false data to the subtle manipulation of model updates, critically
threatening the integrity and reliability of FL systems in MEC-IoT environments [26].
To address these security challenges, blockchain technology ofers a promising solution. The immutable and
transparent ledger of the blockchain, supported by a decentralised consensus mechanism, improves the integrity

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 3

and security of data transactions [14]. Integrating FL with an external blockchain not only strengthens resistance
to malicious attacks but also fosters trust among nodes, ensuring that model updates and shared data are veriiable
and non-repudiable.
In this work, we propose an enhanced security architecture based on the integration of blockchain and the
use of Smart Contracts (SCs). The main objective is to prevent attacks involving the inclusion of malicious
nodes in the MEC network or Byzantine attacks that degrade the model’s performance. We have designed a
node registration and authentication mechanism based on digital signatures and unique identiiers to ensure the
legitimacy of nodes. In addition, our system protects the parameters used during training, as well as the hashes
of the data used by each node, allowing the detection and mitigation of poisoning attacks. Given these aspects,
this work makes the following key contributions:
• Novel blockchain-based security architecture for FL in MEC-IoT: We propose a security framework
for FL in MEC-IoT environments, integrating a permissioned blockchain under Proof-of-Authority con-
sensus mechanism. This design combines eicient block validation, predictable latency, and decentralised
auditability throughout the learning process.
• Automated mitigation of poisoning attacks: The system employs dedicated SCs for the detection
and mitigation of both data and model poisoning attempts, enabling early identiication of compromised
updates in each learning round.
• Robust node registration and authentication for Sybil attack prevention: We introduce a dual-factor
registration and authentication mechanism, based on digital signatures and on-chain unique identiiers.
This mechanism is designed to efectively prevent Sybil attacks by ensuring that only legitimate clients
participate in the federation.
• Architecture validated in realistic and scalable scenarios: The validity of the proposal is established
through experimental validation with up to 200 clients in scalability and bandwidth consumption tests. In
addition, model performance is assessed under a wide range of conigurations, including diferent numbers
of clients, datasets, poisoning attack types, and system settings.
• Demonstrated scalability with low overhead: The results show that the integration of the blockchain
layer increases bandwidth consumption by only 6% with up to 200 clients, and the execution time overhead
remains below 7% for 20 clients. Even for federations with up to 500 clients, the projected temporal overhead
does not exceed 25%, conirming that the approach remains practical and eicient for large heterogeneous
MEC-IoT deployments seeking enhanced security.

The rest of the paper is structured as follows: Section 2 presents the key technologies involved in the proposal,
such as MEC, FL and blockchain, as well as the main attacks covered in our work. Section 3 discusses related
work in the area, pointing out some of the limitations of current solutions that are addressed in our proposal.
Section 4 details the environment deployed with the main proposal, whose results and viability are evaluated in
Section 5. Finally, Section 6 presents the most relevant conclusions of the proposal with possible improvements
and future work.

2 Technical Background
This section presents a review of the technologies utilised in our proposal. First, in Section 2.1, we introduce the
key characteristics of a MEC environment combined with IoT. Next, in Section 2.2, we review the fundamental
principles of FL processes, followed by an examination of the main Byzantine and poisoning attacks in Section
2.3. Finally, Section 2.4 analyses the main features of blockchain technology and justiies its viability as a solution
to enhance security and prevent certain attacks during FL process in MEC-IoT environments.

ACM Trans. Internet Technol.

4 • L. M. García-Sáez et al.

2.1 MEC Environment with IoT Devices

Before the term Multi-access Edge Computing was settled, the concept of Mobile Edge Computing was used,
gaining prominence in the 2010s. Mobile Edge Computing initially became popular to address the speciic needs
of mobile applications, aiming to extend cloud computing services to the network’s edge [4]. The original idea
was to leverage base stations and other edge network elements to provide processing and storage capabilities
close to end users. This strategy aimed to improve the eiciency, latency, and energy consumption of mobile
and IoT applications compared to traditional cloud computing models. Additionally, MEC is designed to handle
heterogeneous traic management, which is especially important in IoT environments where both standard-
ised/public protocols and proprietary protocols coexist. This capability allows MEC to optimise network resources
and maintain performance across a wide variety of communication protocols and devices. These advantages
underscore the crucial role of MEC in supporting technologies such as 5G [70] and IoV [74].
Over time, the concept evolved into Multi-access Edge Computing, a term adopted by the European Telecommu-
nications Standards Institute (ETSI) to relect a broader and more inclusive vision. This evolution acknowledges
that edge processing can beneit not only mobile devices and their users but also a wide range of real-time services
and applications [23]. As a result, the combination of MEC capabilities with IoT devices has found extensive
applications in various sectors, including smart cities [68], Industry 4.0 [51], and IoV.

2.2 Federated Learning Process

FL is a rapidly evolving ield with signiicant privacy implications for ML processes. FL is a ML approach in
which multiple clients collaboratively train a model under the coordination of a central server, without sharing
raw data [8]. Despite the existence of a global model, each client trains its own local model using its own data.
This training occurs independently and focusses on the speciic data that each client has. The goal is to learn
from locally available data without sharing it with the server or other devices.
As detailed in Figure 1, the FL process involves a sequence of actions. A common misconception is the absence
of a central server in FL processes. Although model training is conducted locally on each node or device, a central
server is required to receive locally trained models or model updates from devices, aggregate them to improve
the global model, and then distribute this updated model back to devices [79].
Once the clients receive the updated global model from the server, they can choose to either replace their local
model entirely with the global one or use the global model to ine-tune and enhance their local models. This
strategy depends on the speciic FL approach and the requirements that must be met.
The primary challenges in this ecosystem are the lack of security and robustness in IoT devices. This vul-
nerability allows certain attacks to occur during the FL process conducted by the nodes, which can negatively
impact the overall performance of the model. These attacks may involve altering training data, manipulating
model parameters, or introducing nodes with compromised local models. Consequently, numerous studies have
emerged that thoroughly analyse the threats that could afect such environments and the tactics attackers might
use to undermine security [26].

2.3 Atacks in Federated Learning

FL environments are exposed to a large number and variety of malicious attacks. The most common are the
so-called “Byzantine attacksž. Byzantine attacks in FL refer to a type of threat in which one or more clients act
maliciously or incorrectly, compromising the integrity of the global model being trained. Some solutions have
been proposed in the literature to defend against Byzantine attacks; however, they still represent a problem in FL
environments, and a variety of works continue proposing possible defences [59, 67].
Nowadays it is becoming more common to speak about poisoning attacks. Byzantine attacks generally cover all
poisoning attacks that can be carried out against a FL process. Two categories of poisoning can be distinguished:

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 5

Federated Learning Process

Server Global model Server side
Global model
1
update

Local model
2
update

Client side

Local model 1 Local model 2 Local model 3 Local model N

Client 1 Client 2 Client 3 Client N

Fig. 1. Federated Learning Process

data poisoning and parameter poisoning [62]. Data poisoning typically involves injecting or manipulating the
training data to degrade the global model’s performance [69]. By contrast, parameter poisoning, also known as
model poisoning, targets the model updates themselves, either during transmission or aggregation. The goal
is to manipulate the training results without raising immediate suspicion. Poisoning attacks can be carried out
by attackers in multiple ways, most often employing Man-in-the-Middle (MitM) attacks together with network
traic interception and manipulation techniques and tools.
Despite the emergence of various defensive strategies in response [45], these attacks can be extremely efective.
Even a single malicious client can signiicantly reduce the performance of the overall model, potentially making it
completely useless. Within these two broad categories, multiple speciic poisoning methods have been identiied.
They may exploit diferent parts of the FL pipeline, ranging from targeted data manipulations to subtle distortion
of parameter updates. Among them, we can highlight the following speciic attacks [72]:
• Label Flipping Attack: The attacker alters the labels of a subset of training data to confuse the model
during training, degrading its accuracy by causing incorrect classiications. This attack is relatively easy to
carry out and requires only access to the dataset [31].
• Targeted Dropping Attack: This attack focusses on selectively removing critical or important data from
the training set, reducing the overall efectiveness of the model. Instead of targeting labels, it directly
impacts the data itself.
• Clean-Label Attack: Minimal but efective perturbations are introduced to the input data without changing
the original labels. Unlike label lipping, these poisoned data points appear as normal instances in the
dataset, making this attack particularly diicult to detect, as the altered data show no obvious diferences
in labels compared to their content [76].
• Parameter Tampering (Poisoning) Attack: This attack targets the parameters sent by the server to
the clients, aiming to compromise the learning process from the server’s side. If an attacker manages to
manipulate these parameters, they can signiicantly inluence the model’s behaviour, biasing the learning
process, or reducing its accuracy.

ACM Trans. Internet Technol.

6 • L. M. García-Sáez et al.

hash previous
Merkle Tree
timestamp
block

hash root
Block 7
Hash0 Transact0
Hash01
hash previous Hash1 Transact1
timestamp
block
Hash2 Transact2
hash root Hash23
Block 8 Hash3 Transact3

Hash4 Transact4
hash previous Hash45
timestamp
block Hash5 Transact5

hash root
Block 9

Fig. 2. Merkle Tree Structure

In our work, we focus on defending against both data poisoning and parameter poisoning attacks. The present
work is also designed to defend against the speciic attacks mentioned above, as they are all diferent types of
data or parameter poisoning attacks.

2.4 Blockchain Network

A blockchain network is a Peer-to-Peer (P2P) network consisting of nodes that can communicate directly with
each other. Blockchain is a form of Distributed Ledger Technology (DLT) [53], featuring a distributed database,
known as the ledger, across all nodes in the network. This ledger, commonly referred to as the blockchain, records
all transactions performed within the network, which are validated by all nodes through consensus mechanisms.
The ledger is composed of a consecutive chain of blocks, each containing information related to validated
transactions and other parameters that ensure the integrity of the ledger. The structure of the blockchain is
known as a Merkle Tree [60], as depicted in Figure 2. Each block essentially contains:
• Block Hash: A single hash that represents all transactions within the block, enabling quick veriication
without having to review each transaction individually.
• Previous Block Hash: This creates a dependency so that if a block is altered, all subsequent blocks will
have invalid hashes, thereby revealing the tampering.
• Timestamp: This timestamp ensures that the data are recorded in a speciic time sequence, providing a
chronological order of transactions.
The transaction hashes are combined in pairs to form the hashes of the next level, continuing this process until
reaching the root hash. This structure ensures that any change to a single transaction will alter the root hash,

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 7

which can be immediately detected by comparing it to the agreed-upon root hash within the network. Thus,
Merkle Tree is essential for ensuring data integrity in the blockchain, as it makes altering transactions without
detection extremely diicult. This design is crucial for the scalability and security of blockchain systems.
An additional crucial element in both the design and functionality of a blockchain network is the consensus
mechanism. The consensus mechanism establishes trust among the network participants. The most widely
adopted mechanisms include Proof-of-Work (PoW), Proof-of-Stake (PoS), Practical Byzantine Fault Tolerance
(PBFT), and Proof-of-Authority (PoA) [35]. PoW is the foundational mechanism used by Bitcoin, relying on
computationally intensive tasks to validate transactions and secure the network [25]. Despite its strong security
guarantees, PoW is resource-intensive, limiting its scalability and eiciency, particularly in MEC-IoT scenarios.
In contrast, PoS, PBFT, and PoA provide more energy-eicient alternatives [55]. PoS, employed by Ethereum
2.0, selects validators based on the amount of cryptocurrency they stake as collateral, drastically reducing energy
consumption. PBFT, on the other hand, achieves consensus through a voting mechanism among designated
validator nodes, ofering high transaction throughput and fast inality. Nevertheless, while PBFT is well-suited
for permissioned networks with known participants, its scalability diminishes in large-scale decentralised
scenarios. PoA improves on scalability and eiciency by assigning transaction validation responsibilities to
pre-approved, trusted nodes (authorities). It ofers high performance, minimal computational overhead, and
predictable transaction throughput, making it especially suitable for private and consortium blockchain networks.

In addition, SCs are another fundamental element in most current blockchain networks [39]. They were
introduced with the advent of the Ethereum network [10]. Now, SCs are key in the development of applications
and programs within blockchain networks. An SC is a computer program embedded in the blockchain that
automatically executes when certain conditions or requirements are met, or can be triggered to perform speciic
actions. It allows processes such as veriication, execution, and fulilment of the contract’s terms to be carried
out automatically. Since the execution occurs within the blockchain, the SC remains immutable and distributed,
providing a high level of security.

3 Related Work
This section examines some existing studies and proposals that use blockchain to enhance security in FL
environments [29].
In recent years, signiicant eforts have been made to integrate blockchain technology with Edge Computing
and FL in IoT environments, focussing on enhancing data security, reliability, and authentication mechanisms.
Begum et al. [13] introduced an eicient compression and encryption technique for data protection based
on the Burrows-Wheeler Transform (BWT), Move-to-Front Transform (MTF), and Run-Length Encoding (RLE).
Their method achieves high compression rates and robust encryption through secret keys, with the aim of
optimising storage and transmission. Babu et al. [11] proposed “Sec-edgež, a trusted blockchain system designed
to strengthen identiication and authentication in edge-based 5G networks. Their solution leverages blockchain
decentralisation to manage edge devices securely, focusing primarily on authentication mechanisms. Aguru et
al. [6] presented “Reliable-RPLž, a reliability-aware Routing Protocol for Low-power and Lossy Networks (RPL)
enhanced with blockchain. This approach signiicantly improves routing reliability through trust-based metrics,
facilitating the detection and mitigation of malicious nodes.
Despite these valuable contributions, the discussed methods exhibit several limitations. Begum et al.’s approach
is susceptible to plaintext-based attacks and does not explicitly consider malicious node scenarios. The scalability
and adaptability of Babu et al.’s Sec-edge framework beyond speciic 5G contexts remain limited, and Aguru et al.’s
Reliable-RPL introduces substantial overhead unsuitable for lightweight IoT devices. These gaps underscore the
need for more specialised proposals that address speciic threats within FL environments, such as data poisoning

ACM Trans. Internet Technol.

8 • L. M. García-Sáez et al.

and model manipulation. The following works discuss targeted solutions explicitly designed to mitigate these
sophisticated threats in FL contexts.
Xu et al. [75] proposed BESIFL, a blockchain-based FL framework that identiies and removes malicious nodes
by analysing their detrimental efects on model accuracy. This approach leverages blockchain technology to
enhance security and trust in FL environments. However, the system is primarily based on random node selection
and lacks mechanisms for proactive mitigation of sophisticated attacks. In a similar vein, Fang et al. [20] proposed
BCFL, which focusses on enhancing trust and eiciency in FL processes. Despite its strengths, BCFL provides
limited protection against advanced threats, such as targeted poisoning attacks. Furthermore, it does not include
continuous dataset integrity veriication or a robust authentication scheme capable of preventing Sybil attacks.
Additionally, both frameworks ofer minimal insight into performance scalability and the computational impact
of blockchain integration.
Besides, several innovative proposals use blockchain as a system to detect and monitor the entire FL process.
Many of these approaches involve storing and analysing local updates of network nodes on the blockchain to
dynamically detect potential poisoning attacks, as seen in the work by Preuveneers et al. [56]. However, a major
drawback of this proposal is the signiicant increase in total latency due to communication with the blockchain.
Similarly, Al Mallah et al. [7] propose blockchain-based monitoring to identify malicious activities, but their
solution lacks clarity regarding the speciic iltering mechanisms used for legitimate miners, and does not provide
comprehensive performance metrics such as latency or execution overhead, critical for evaluating real-world
feasibility.
Other proposals rely on a scoring or reputation system for nodes [33]. Lei Feng et al. [21] suggest the use of a
blockchain system combined with node scores, calculated based on an entropy value. This entropy is used to
evaluate and weigh the importance and reliability of local models trained by the nodes during learning. The
blockchain records these weights along with local model updates and the global model. This mechanism helps
identify and mitigate malicious updates by detecting and excluding malicious nodes from the network. While
robust and efective, this approach introduces complexity through entropy calculations, which must be carefully
balanced to ensure equitable contributions from nodes and the quality of the global model.
Some authors, such as Adi Paramartha Putra et al. propose comprehensive FL frameworks [5] supported
by blockchain to guarantee the traceability and immutability of actions taken, using SCs, and implementing a
system of incentives and penalties for nodes participating in the learning process. Kalapaaking et al. [32], propose
another FL framework combined with blockchain, where blockchain is used as a monitoring system that records
the necessary information during the training process for auditing purposes. However, most of these frameworks
address vulnerabilities and potential attack vectors in FL environments in a very general way, without focussing
on speciic attacks or their impact.
In addition, Kasyap and Tripathy propose PrivateFL [34], a FL framework that integrates a permissioned
blockchain (Hyperledger Fabric) to enhance privacy and security against Byzantine attacks. They introduce the
Vertically Partitioned Secure Aggregation (VPSA) algorithm, which vertically partitions local model updates
across diferent peers in the blockchain network, ensuring that no single peer has access to the full update. This
partitioning not only helps in securing the data, but also enables Byzantine robustness by allowing for a more
controlled and secure aggregation process.
Thus, some recent studies aim for greater decentralisation by replacing the central server that coordinates FL
with a blockchain network [43, 80]. This blockchain is used to store the global model and send local updates from
the nodes. Many of these studies incorporate the design of speciic consensus algorithms for FL processes [17].
These studies often focus on rewarding honest devices 1 more frequently, ensuring that only legitimate updates
are used to update the global model. This approach seeks to minimise the risk of malicious nodes inserting false

1 Honest devices are those that send correct updates of their local model

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 9

updates into the blockchain. However, this is not a direct solution to poisoning attacks and does not prevent an
attacker with full control over a node from continuing to send incorrect updates of its local model.
Finally, Table 1 presents a comparison of the works mentioned above. Key features of them are analysed, such
as the blockchain solution taken, the authentication method used, attacks covered, and the type of blockchain
employed for the implementation. Broadly, the literature leverages blockchain in FL through two complementary
yet distinct paradigms. In the irst, the ledger operates as an active component of the training loop. SCs logic
triggers every round, local model updates are persistently recorded on-chain. In several cases, the parameter-
aggregation step is executed directly within the blockchain itself or the chain is polled continuously as a live
monitoring oracle. While this design maximises transparency and tamper-resistance, it imposes a substantial
computational and bandwidth burden on resource-constrained edge devices. The second paradigm is lighter and
more economical. The blockchain is consulted only at strategically important checkpoints. It acts as an immutable
repository for concise cryptographic digests or other key artefacts. These are veriied by the nodes during critical
stages of the FL worklow. By avoiding constant interaction, this approach preserves most security guarantees
whilst minimising latency and energy consumption. This design principle underpins the architecture proposed in
this work. Based on these diferences, we distinguish between Active/Passive blockchain approaches in the table.
Despite the diversity of approaches presented in the literature, some existing proposals do not incorporate
robust authentication mechanisms at the node level. This is a crucial aspect when trying to prevent Sybil attacks
and the insertion of malicious participants into FL environments. Many solutions depend on reputation or scoring
systems, typically using heuristic evaluations or entropy values. This can help identify and kick malicious nodes.
It can also detect when legitimate participants are being poisoned. However, these methods add complexity and
computational overhead while ofering no attack guarantees. That’s due to the fact that accurate calibration
of the voting system is required and does not prevent nodes from sending poisoned updates in the initial
rounds of poisoning. Other approaches monitor model updates actively or store complete learning histories on
blockchain. This leads to high communication latency and resource demands, key concerns for IoT and MEC
systems with limited resources. In addition, few studies quantify the scalability and computational costs of
blockchain integration. Without these metrics, assessing the feasibility of large-scale deployments in the real
world remains a challenge.
To overcome these limitations, our work introduces a modular and lightweight blockchain architecture. Our
architecture is built upon permissioned Ethereum with PoA consensus algorithm. This design leverages the
lexibility of SCs to deliver precise security enforcement without incurring unnecessary overhead. The system
implements a dual-factor authentication scheme based on digital signatures and unique blockchain-issued
identiiers. This approach ensures the legitimacy of the participating nodes and efectively prevents unauthorised
access [42]. Instead of storing entire model updates, our solution focusses on validating the parameters and
datasets used in each training round. This strategy enables early detection and mitigation of both data and
parameter poisoning attacks. The blockchain is used passively, only during key stages of the FL process. This
selective utilisation helps minimise latency and preserve system responsiveness. Through this design, we provide
a generalisable and scalable security layer. It explicitly targets the most pressing threats in FL environments. This
approach is supported by comprehensive experimental evaluation. The system has been tested with up to three
widely adopted ML and FL datasets: Fashion-MNIST, Iris-Flower, and MNIST [46]. Our tests demonstrate the
system’s efectiveness in protecting against sophisticated poisoning attempts while maintaining low computational
and temporal impact.

4 Blockchain Integration for Secure Federated Learning

To protect the network against previously described attacks and improve security during the FL process, blockchain
technology has been integrated. This technology ofers unique characteristics and properties that efectively

ACM Trans. Internet Technol.

10 • L. M. García-Sáez et al.

Table 1. Comparison of existing approaches in literature alongside with our proposal

Active / Bandwidth Latency

Reference Year Proposal Approach Auth. Mechanism Attacks Covered Datasets Blockchain Type
Passive Impact Impact

Blockchain +
[56] 2018 autoencoders for None Passive Parameter poisoning CICIDS2017 N/A +5 to 15% Not speciied
anomaly detection

Blockchain + Permissioned
[21] 2022 SC Active Parameter poisoning MNIST N/A N/A
reputation system (Hyperledger Fabric)

Blockchain as Not speciied (likely

[7] 2022 Digital signature Active Parameter poisoning Private dataset N/A +5 to 40%
monitoring system permissioned)

Sybil + Parameter Permissioned

[75] 2023 SC-based blockchain Basic (attribute vector) Active MNIST N/A N/A
poisoning (Hyperledger Fabric)

Blockchain + custom Scoring method + Conceptual (platform

[20] 2024 Active N/A MNIST N/A +4.25%
consensus algorithm attributes not deined)

SCs + double Permissioned

[5] 2024 Double signature Active N/A MNIST N/A -20 to 25%
signature system (Ethereum)

CIFAR-10,
SCs + multisignature Not speciied (suggests
[32] 2024 Multisignature + SC Passive N/A Fashion-MNIST, N/A +5 to 20%
scheme permissioned)
MedMNIST

CIFAR-10,
Custom aggregation Parameter & Data Permissioned
[34] 2024 Double signature Active Fashion-MNIST, N/A +24.5%
+ double signature poisoning (Hyperledger Fabric)
MNIST

Blockchain + secure Conceptual (platform

[80] 2024 None Active N/A N/A N/A N/A
aggregation not deined)

SCs + secure
Digital Signatures + Parameter & Data Fashion-MNIST, Permissioned
Our proposal 2025 authentication Passive +1 to 6% +5 to 20%
Node ID (SC) poisoning + Sybil Iris-Flower, MNIST (Ethereum PoA)
system

mitigate the deiciencies in the learning process and ensure the validity of the data. Key features include the
immutability of data stored in the ledger, the public nature of the ledger, which provides transparency and
traceability to transactions, and the ability to execute SCs.
SCs are the primary tool used to combat poisoning attacks and ensure the legitimacy of nodes participating in
the FL process. They allow for the deinition of customised and speciic rules that determine their functionality,
execution conditions, and access policies. This control ensures that access to the SCs and their internal functional-
ities is restricted to authorised network nodes. Using these features and their automation capabilities, we created
a combined communication architecture that enables automatic management and queries within the blockchain
during the FL process. This real-time integration helps mitigate the efects of previously described attacks.

4.1 Blockchain Architecture and Atack Mitigation

The proposed solution focusses on detecting and mitigating both the inclusion of malicious nodes in the network
(Sybil attacks) and the poisoning of data and model parameters. In this context, a Sybil attack is a type of attack in
distributed systems, P2P networks, and decentralised computing environments, in which the attacker introduces
multiple false identities (called Sybil nodes) into a system in order to gain a disproportionate advantage or
inluence the behaviour of the system [19]. To achieve this, a blockchain architecture based on the use of SCs has
been designed, with the goal of providing an adaptable solution that mitigates the impact of these attacks on the
FL process.
For the deployment of the blockchain network, we have decided to use an Ethereum blockchain. The selection
of Ethereum as the foundational technology can be attributed to several key characteristics that diferentiate it
from other platforms. Firstly, its advanced support for SCs facilitates the execution of self-enforcing agreements

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 11

without the need for intermediaries. Additionally, Ethereum boasts a comprehensive ecosystem of development
tools that further enhances its usability for developers. Moreover, its inherent lexibility allows for operation
within public and permissioned network conigurations. These attributes collectively position Ethereum as a
highly suitable framework for the implementation of scalable and adaptable security solutions, thereby enabling
efective responses to the various threats encountered in MEC-IoT environments.
Under the PoA consensus protocol, a network of 5 blockchain nodes has been deployed. PoA difers from
other consensus algorithms (such as PoW or PBFT) in that it requires a small number of designated validators to
authenticate and add new blocks [36]. Validators are often referred to as “authoritiesž.
Unlike PoW, PoA does not require computationally intensive mining. This lower resource usage helps maintain
tight latency budgets and reliability, especially given the limited capabilities of many edge devices. In the proposed
design, consensus is managed by a total of 5 validator nodes, all of which are deemed to meet the requisite
trust requirements. This simpliied structure serves to eliminate the overhead associated with large-scale or
untrusted participants [49]. Using 5 validator nodes balances fault tolerance and overhead for PoA efectively.
This coniguration compares favourably with other consensus algorithms that typically require larger validation
groups. Byzantine Fault Tolerance (BFT)-based protocols often require at least 3� + 1 nodes to tolerate � malicious
or crashed participants, rapidly increasing communication overhead. Similarly, public PoS networks face their
own challenges. They tend to rely on large pools of randomised stakers to ensure robust decentralisation. This
approach introduces greater complexity and latency to the system. By contrast, PoA ofers a more eicient
alternative. Its reliance on a carefully vetted set of authorities enables strong resilience with only ive nodes. Even
if one fails or acts maliciously, the remaining four can override its decisions.
This proposal uses an Ethereum permissioned network platform, which has been speciically conigured to meet
the requirements of the intended research. This setup enables stringent control over the testing environment, thus
eliminating the inancial burdens associated with gas fees and the high latencies typically encountered in public
networks. However, our work maintains the concept of gas as a metric to evaluate the relative computational
cost of operations performed within the network.
In the context of Ethereum, gas is a unit of measurement that is employed to calculate the computational
cost of operations that are performed on the blockchain network. Such operations may include the execution of
SCs or the transfer of data. The computational cost of operations performed on the Ethereum Virtual Machine
(EVM) is determined by the amount of gas required, with the cost being ixed for each operation [1]. This ensures
that operations consume resources in line with their processing demand, which is fundamental to maintaining
network eiciency. In contrast to a public network, gas does not have a tangible economic cost in permissioned
networks because there are no economic incentives for nodes within this controlled environment. This approach
enables the validation of SCs eiciency and the simulation of computational impact.
Although there is no tangible economic cost associated with a permissioned Ethereum network, it is possible to
perform a computational estimation of the gas expenditure incurred for each transaction [37]. The gas consumed
by a transaction is the sum of the costs associated with the individual operations (opcodes) executed within
the transaction [63]. The costs associated with each individual transaction are integrated within the EVM and
deined in the Ethereum Yellow Paper [71]. Consequently, the total gas consumption can be estimated as follows:

︁
�
Total Gas Used = Base Gas + Gas(������� )
�=1

The gas cost for processing a transaction consists of two main components: the Base Gas, which is a ixed
gas cost of 21,000 gas for a standard transaction, and the Gas (������� ), which represents the gas cost for each
operation (������) executed during the transaction. The total gas consumed depends on the number (�) of
operations (�������) executed as part of the transaction.

ACM Trans. Internet Technol.

12 • L. M. García-Sáez et al.

The total cost in ETH for a transaction is:

Total Cost (ETH) = Total Gas Used × Gas Price

The Total Gas Used refers to the total gas consumed by the transaction, calculated using the formula above. The
Gas Price is the price per unit of gas, which is set in Gwei (1 Gwei = 10−9 ETH).
In Figure 3, we can see an overall view of the environment that combines both the blockchain network and
the MEC-IoT network. The lower part of the igure identiies the MEC-IoT network, where the nodes execute
the FL algorithm. This MEC-IoT network communicates with the blockchain network, which is depicted in
the upper part of the igure. A series of SCs have been designed to allow the diferent nodes in the MEC-IoT
network to interact with the blockchain and access the various functionalities of these SCs while the FL process
is carried out. Once these SCs are introduced into the network’s ledger, they become immutable and unalterable,
making them resistant to attacks. The SCs for this solution have been implemented in Solidity [28], the native
programming language of the Ethereum platform. This choice leverages the maturity of the Ethereum ecosystem.
It includes a robust suite of development tools (such as Remix and Trule) and its widespread deployment in
various blockchain applications [50]. The deployment allows for precise control over node membership and
access, ensuring that only authorised participants can interact with the SCs. This controlled setup supports
rigorous testing and iterative development processes. Furthermore, it facilitates scalability and adaptability when
deployed in MEC-IoT scenarios. Thus, the environment enables comprehensive evaluation prior to real-world
implementation, ensuring that the developed solutions meet the necessary standards.
MEC-IoT nodes interact with the SCs deployed on the blockchain through a communication interface designed
to ensure eicient and secure operations. This interface allows MEC-IoT nodes to run the necessary functions
without having to store the blockchain, signiicantly reducing their resource requirements. The blockchain nodes,
meanwhile, manage transaction validation and network updates, ensuring the integrity of the stored information.
This modular design separates the roles between MEC-IoT nodes and blockchain nodes, facilitating the scalability
and robustness of the system. The function of the MEC server is of paramount importance in the architecture.
The MEC server acts as the primary coordinator for the FL process, managing key tasks such as global parameter
distribution, local update veriication, and inal model aggregation.

Blockchain SC 1 SC N
network
MEC-IoT network

Node 1 Node 3
Node 1 Node 3

Node 2 Node N
Server
Node 2 Node N
Ledger

Fig. 3. Structure of the proposed architecture

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 13

Smart Contract Registration and Authentication

Public
key Control
Node registration
functions
Unique
ID 1 nodeAuthenticated
IoT
Node Node authentication
Signature 2 addressNode
hash
3 idNode

Success/Failure

Fig. 4. Authentication Contract for node registration and authentication

The irst SC, referred to as “Authentication Contractž, has been speciically designed to ensure the legitimacy
of all network nodes and prevent potential Sybil attacks. Figure 4 illustrates the behaviour and interaction low
with this SC. Before interacting with this contract, each node will generate a public-private key pair, making each
node responsible for the security of its private key. To secure private keys, AES-256 encryption [40] is employed,
using a securely derived key from a password via a robust key derivation function such as PBKDF2 with SHA-256
[38]. This approach ensures an additional layer of security by enhancing key entropy and resilience against
brute-force attacks, making it signiicantly more challenging for attackers to access a node’s private key, even if
they obtain physical access to the node.
Through this SC, the network nodes must register on the blockchain platform, allowing the network to
recognise the existence of the node and store its public key. Upon registration, the node will be assigned a unique
Node Identiier (ID), which will be used for a dual authentication system based on the public-private key pair and
the node’s ID. The IDs are generated through an internal control mechanism of the SC, taking the public key of
the node as input, ensuring their unicity in the network, given the impossibility of having 2 nodes registered
with the same public key.
To authenticate the node, it must digitally sign a piece of content using its private key. The blockchain will then
verify the authenticity by retrieving the node’s public key using the hash of the signature and data, and checking
if the node is registered in the system. Finally, it will ensure that this public key is linked to the requesting node’s
ID and not to another node. In this way, we make it diicult for an attacker to be able to introduce fake nodes
without being detected, by using the immutable ledger of the blockchain to store the IDs and public keys of
legitimate nodes, discarding any nodes that are not in the registry.
This Authentication Contract is essential for the proper functioning of the network, as node authentication will
determine whether the node can access the functions of the second SC. The second SC, referred to as “Poisoning
Mitigation Contractž, has been speciically designed to counteract data and model parameter poisoning attacks in
FL:
Data Poisoning. To prevent data poisoning during training and evaluation processes, this SC is responsible for
storing certain information. Initially, it will store four identifying hashes for the data and labels of the global
dataset to be used. This allows for quick identiication and detection of poisoning attacks, such as Label Flipping

ACM Trans. Internet Technol.

14 • L. M. García-Sáez et al.

or Targeted Dropping, if an attacker modiies any data or labels. Additionally, each node generates 10 partitions
from the initial dataset and randomly selects one for training. The contract will also store a combined hash for
the data and labels of each subset selected by the nodes, ensuring data traceability from start to inish.

Parameter Poisoning. To counteract these attacks, the contract is designed to communicate with the MEC server.
The parameters sent by the server to each client participating in the process will be stored on the blockchain.
Before starting the training and evaluation phases, each client will verify that the parameters received from the
server match those stored on the blockchain. This prevents an attacker from intercepting and maliciously altering
the model parameters during client-server communication.
Thanks to the dual authentication process based on digital signatures and node IDs, implemented in the irst
SC, we ensure the legitimacy of all network nodes. An attacker will not be able to introduce a node into the
network on a surreptitious basis without being detected. The public keys of legitimate nodes are registered on
the blockchain, so if an unknown public key is detected, it will be immediately identiied. Additionally, each node
must pass the relevant SC authentication process to access the functionalities of the FL process. The dual-factor
authentication of this SC function ensures that even if an attacker gains access to a node’s private key, they
would still need to obtain the node’s unique ID, which was assigned by the blockchain.
At the start of each training round, the server retrieves the latest global model parameters, publishes them on
the blockchain through the Poisoning Mitigation Contract, and forwards them to participating IoT nodes. Each
node veriies these parameters against the on-chain version before training locally on its dataset partition. Upon
completion, nodes submit hashes of their updated models to the contract, indicating a valid training round. The
server then gathers these veriied local models and combines them via a FedAvg-like strategy [48], producing a
new global model that is once again stored on the blockchain for veriiability. Should a node attempt to introduce
a poisoned model, the on-chain record of historical hashes enables the server to detect inconsistencies. In such
cases, the server can exclude the compromised node’s contribution from the aggregation and revert to the previous
trusted model when an attack is discovered after aggregation.
To further mitigate poisoning attacks once the FL process has begun, a communication scheme has been
designed. The following is a detailed, numbered, step-by-step explanation of how the system detects and mitigates
poisoning attempts. It follows the nine main steps shown in Figure 5. Each step speciies which entity (server or
client) performs the action. The process highlights how the MEC server coordinates the FL worklow and ensures
secure model updates.

1. Store Initial Parameters (Server). Before sending global model updates, the server records the initial model
parameters on the blockchain. This creates a tamper-evident baseline.

2. Send Parameters to Clients (Server). The server retrieves the latest global model parameters from the blockchain
or local storage, stores them on-chain if needed for transparency, and then distributes these parameters to
participating IoT nodes.

3. Store Dataset Hash (Server). The server calculates the global dataset’s hash and records it in the Poisoning
Mitigation Contract. By maintaining this reference on the blockchain, nodes can subsequently ascertain whether
training data have been compromised.

4. Obtain and Verify Data Hash (Client). On receiving the dataset, the client compares its locally computed
dataset hash with the hash stored in the contract (Step 3). If they do not match, the client halts training and lags
possible data poisoning.

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 15

Blockchain Network
Blockchain
Smart Contract Store model parameters 1

Send parameters to
2
clients

Store dataset hash 3

3
Obtain and verify data
4
1 hash

Store subset data hash 5

MEC-IoT
6 Obtain and verify model
6
Network 5 parameters
4
7 Obtain and verify subset
7
data hash
2 8
Store new valid local
8
model
9
Return local model
9
parameters
Client node
Server node

Fig. 5. Communication scheme with the Poisoning Mitigation Contract

5. Store Subset Data Hash (Client). Before training on a local dataset partition, it is necessary for the client
to create and store a hash of that partition on the blockchain. This step ensures detection of data poisoning or
inconsistencies, even at the partition level (e.g. partial tampering).

6. Obtain and Verify Model Parameters (Client). The client checks whether the model parameters received from
the server (Step 2) align with the values listed on the blockchain. If a diference is detected, the client discards
these parameters and signals potential parameter poisoning.

7. Obtain and Verify Subset Data Hash (Client). The client retrieves its previously stored subset hash and
cross-checks it with its local partition. Any discrepancy points to potential data poisoning or corruption in the
partition.

8. Store New Valid Local Model (Client). After conirming both the dataset and parameters, the client completes
local training. It then calculates a hash of its newly trained model and stores that hash on-chain. This step
preserves a trustworthy record of the local update.

9. Return Local Model Parameters (Client). Upon completion of the training phase in this round, each client is
required to return its parameters to the server. The server also compare these returned parameters against the
on-chain hash (Step 8) to detect inconsistencies or poisoning.

ACM Trans. Internet Technol.

16 • L. M. García-Sáez et al.

Veriied local model updates are collected and then aggregated by the server using a custom approach to
generate a new global model. The approach selected for the implementation is a custom version of FedAvg. The
server then writes these updated parameters to the blockchain, ensuring that subsequent nodes see a tamper-
evident global state. Subsequently, a similar procedure is applied during the evaluation phase. The system veriies
the integrity of both the model parameters and the evaluation data by cross-referencing them with the blockchain.
Upon completion of the evaluation, performance metrics are transmitted back to the MEC server. This marks the
conclusion of the initial training round within the FL process. Following rounds of the FL process are deined by
an iterative process, leading to the eventual convergence of the inal model parameters. This detailed procedure
ensures continuous traceability of both data and model parameters throughout the entire FL process. As a result,
the system remains capable of detecting poisoning attacks at any stage.
In addition, a historical record of the valid and integrated updates of the local model of each of the nodes has
been implemented. This historical record is implemented in order to have a valid model in case of parameter
poisoning in any learning round. In this case, in that training round, the blockchain is accessed and that node
obtains the last valid model trained, which is the one from the last valid training round carried out.
In case of detecting data poisoning in a training round, the poisoned node checks through the blockchain
the validity of the model parameters received from the server. In case of validity and correspondence with the
parameters stored by the server in that round within the blockchain, in that training round, those parameters
are returned by the node to the server. This ensures that the parameters added by the server in the last training
round are returned, which ofer better performance than the last valid parameters of the local model of that node.
Whenever a poisoning attack is detected, a warning is displayed to indicate the presence of poisoning on the
afected node. In response, the system uses the blockchain to retrieve the last valid local model for that node or
the model received from the server during that training round.
Thanks to the architecture implemented and the communication scheme designed for IoT nodes interacting
with the blockchain, we have successfully prevented the inclusion of malicious nodes. This mechanism ensures
that such nodes cannot negatively afect the performance of our model. We have also managed to detect and
reduce the impact and risk of poisoning attacks. These attacks could otherwise degrade model performance
by manipulating the data used for training and evaluation, or by altering the model parameters sent by the FL
coordinator server to the client nodes.

5 System Evaluation
This section provides a comprehensive evaluation of the proposed system. The analysis focusses on assessing
the impact of the poisoning attacks mentioned above, as well as the efectiveness and eiciency of integrating
blockchain into the FL process within the MEC-IoT environment. Initially, we devise a comprehensive suite
of experimental scenarios that vary the size of the participating node set. Each scenario is tested on several
benchmark datasets and is subjected to a spectrum of data poisoning and parameter poisoning attacks. These
range from subtle label lipping to aggressive parameter tampering, revealing the impact of threats of difering
severity on the model’s performance. Secondly, we evaluate the impact of the blockchain on the system and
the total learning time. This evaluation includes an assessment of network bandwidth consumption caused
by blockchain operations. We analyse how blockchain operations, which include blockchain transactions and
consensus mechanism activities, afect available bandwidth. Additionally, we examine the blockchain’s ability to
scale efectively and be deployed in learning processes with a large number of nodes. This comprehensive analysis
helps us to understand the full resource footprint of blockchain integration in distributed learning environments.
For the initial setup of the MEC-IoT environment, the MECInOT emulator was used [61]. This emulator
facilitates the deployment of MEC-IoT topologies for experimentation in a cybersecurity context. Among its many
features, MECInOT ofers a realistic environment for conducting experiments and obtaining data similar to what

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 17

would be collected in a real topology, without the need for physical devices. Furthermore, MECInOT provides
great lexibility in determining the number of IoT devices to deploy in the network through virtualisation and
also supports the inclusion of real network devices.

5.1 System Configuration

The attacks presented throughout this work have been implemented in our testing environment to measure their
potential impact on performance and to demonstrate how our solution efectively mitigates their efects. Multiple
diferent tests have been performed with up to 50 client nodes to evaluate the performance of the presented
solution and up to 15 client nodes to evaluate the impact of poisoning attacks over the global trained model.
Ten rounds of training [54] were conducted using a multivariate logistic regression algorithm, with a custom
learning strategy, similar to the FedAvg one. FedAvg [41] is one of the most widely used strategies in FL. In this
approach, the global model is obtained by averaging the updated models provided by all participating clients in
each round. In addition, a centralised evaluation is performed by the server after aggregating the parameters
into the global model. This approach ofers several advantages, as it provides a consistent basis for evaluating
the model regardless of the diversity of data among diferent clients, and ensures an objective assessment of the
global model’s performance, thus avoiding biases that might arise due to variability in client data.
For our experiments, we drew on three well-known benchmarks that cover both image and tabular data.
First, MNIST [3] provides 60 000 training and 10 000 test images of handwritten digits (28 × 28-pixel greyscale,
classes 0ś9), and remains a staple for assessing image recognition pipelines[24, 82]. To introduce greater visual
variability, we added Fashion-MNIST [73], which keeps the same 28 × 28 format but replaces digits with ten
clothing categories. That gives a harder classiication task that is still lightweight enough for edge devices. Finally,
to validate our approach on non-image data, we included the classic Iris-Flower dataset [57], which contains
four numeric features per sample and three target species. This dataset ofers a compact, tabular classiication
problem that complements our image-based experiments. Together, these datasets allow us to test the proposed
framework across heterogeneous data modalities and diiculty levels.
The existing implementation has undergone testing utilising a particular algorithm; however, the design
framework has been conceived to support adaptability toward various ML algorithms. This adaptability is
predicated on the notion that the security and traceability components ofered by the blockchain function
autonomously from the type of model employed, while required adjustments for other algorithms can be made at
the integration and parameter handling layers. Thus, with appropriate adaptations, the system could be extended
to address the needs of further algorithms in future work. Such adaptations could include modiications in the
manner in which model updates are handled, as well as the data formats used in algorithms such as deep neural
networks or boosting methods.

5.2 Atack Implementation and Performance Evaluation

Data and parameter poisoning attacks have been performed in diferent scenarios, with the aim of observing how
these attacks afect the performance of the model in the proposed solution. We use one small interception point
per attack type, so that the rest of the FL pipeline stays exactly as it is.

Parameter poisoning ś network proxy. The attacker controls the link between the client and the server. We
insert a transparent proxy that relays every message, but tweaks the tensors as they pass. It adds a tiny or large
perturbation to the model parameters on the way to the client. The speciic impact will depend on the particular
implementation of the attack used for each experimental scenario. From both endpoints, the round appears
normal, yet the values have already been corrupted in transit.

ACM Trans. Internet Technol.

18 • L. M. García-Sáez et al.

Data poisoning ś local loader hook. Because raw data never leave the device, the attacker must tamper inside
the client. A short hook is placed in the data-loading routine, which is run once, just before the irst local
epoch. This hook quietly edits a chosen slice of the resident dataset, removing, relabelling, or slightly perturbing
samples. Subsequently, the training process is continued without modiication, although using data that has been
compromised.
In the experiments, we have considered diferent degrees of attack severity in order to analyse the resilience of
the proposed solution under a wide range of threat conditions. For data poisoning, we have applied three levels
of manipulation. First, a mild target dropping, where only a small fraction of the training samples are altered.
Second, a label lipping attack, in which a percentage of the evaluation labels are inverted to mislead the model
during assessment. Finally, a combined attack that uses both target dropping and label lipping to maximise
disruption. In the case of parameter poisoning, we designed three corresponding levels. One approach applies a
lightweight perturbation that introduces low-magnitude noise. Another variant uses a medium impact attack,
adding a broader band of random noise to the parameters. The third is a critical attack, where the parameter
vectors received from the server are fully inverted and further disturbed, pushing the global model into highly
unstable regions.
5.2.1 Evaluation Metrics. In ML, multiple metrics are used to evaluate the performance of classiication models.
Before deining these metrics, we introduce the following concepts:
• True Positives (TP): Correctly predicted positive class instances.
• True Negatives (TN): Correctly predicted negative class instances.
• False Positives (FP): Negative instances wrongly classiied as positive.
• False Negatives (FN): Positive instances wrongly classiied as negative.
Using these deinitions, we can derive the following evaluation metrics:
• Precision: The proportion of true positive predictions among all positive predictions. Precision indicates
how accurate the model is when predicting the positive class.
TP
Precision =
TP + FP

• Recall: The proportion of actual positive observations that were predicted correctly. Recall measures the
model’s ability to identify all positive instances.
TP
Recall =
TP + FN

• F1-Score: The harmonic mean of precision and recall, representing a balance between the model’s ability
to correctly identify positive cases and its minimisation of false positive and false negative errors.
Precision · Recall
F1-Score = 2 ·
Precision + Recall

In this work, the F1-Score is used to evaluate the performance of the model, as it balances the correct identii-
cation of positive cases (recall) and the avoidance of false classiications (precision). Moreover, the F1-Score is
particularly robust in scenarios with imbalanced datasets, which is a common occurrence in FL environments
where heterogeneous data sources may co-exist.
In FL systems, especially under poisoning attacks, precision and recall become critical. Misclassifying a poisoned
sample as clean (FN) or a clean sample as poisoned (FP) can have signiicant downstream consequences. The

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 19

F1-Score helps to ensure that both types of errors are minimised, making it a reliable metric in these challenging
scenarios.
We also deined the following metrics used to measure the impact of blockchain network on the learning
process:
• Execution Time (ET): This timeframe covers from the moment the process is initiated by the server until
all clients complete their training rounds and the inal version of the global model is obtained. Used as
primary performance measure.
• Delay: Metric to refer the time diference in the learning process when using the proposed solution or not.
5.2.2 Performance Evaluation. To determine how both the timing and nature of an attack inluence learning
dynamics, we consider 4 test scenarios. These test cases combine data poisoning and parameter poisoning
attacks mentioned above. We also incorporate two diferent injection moments, an early poisoning that strikes
immediately after round 2, and a late poisoning that strikes after round 5. Each case runs on a federation in which
40% of the clients behave maliciously, letting us trace the efect of the same defence across distinct stages of the
training process.
The initial experiment is a 10-node experiment using the MNIST dataset. The data level attack employs
controlled target dropping, subtly altering 30% of the training data. Besides that, the parameter level attack injects
a small amount of zero-mean Gaussian noise into model updates. Figure 6 plots Precision, Recall, and F1-Score
(left-to-right) over 10 FL rounds, comparing the baseline against the 4 deined poisoning scenarios. In every
panel, the blue line is the optimal case, which serves as the reference performance. Two curves track data level
poisoning. The orange line shows the early poisoning attack (40% of clients corrupted after round 2) and the
green line shows the late poisoning attack (after round 5). The remaining two curves capture parameter level
poisoning. The red line corresponds to the early variant, while the purple line represents the late variant.

  

 
3UHFLVLRQ


)6FRUH
5HFDOO

 


2SWLPDO&DVH 2SWLPDO&DVH 2SWLPDO&DVH

3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ  3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ  3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ


3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ

3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ

3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ

 
              

7UDLQLQJ5RXQG 7UDLQLQJ5RXQG 7UDLQLQJ5RXQG

Fig. 6. MNIST Dataset Ð Evolution of Precision, Recall, and F1-Score under poisoning atacks (no blockchain solution)

Across all three metrics, the optimal case climbs rapidly and levels of near its peak. Early data poisoning
(orange) knocks the scores down soon after the attack, but gradual recovery follows. Late data poisoning (green)
allows higher initial performance; therefore, the subsequent fall is steeper, yet the model retains a better overall
trajectory. Parameter poisoning is more destructive. The early variant (red) plunges every metric to its lowest
values with only partial rebound, whereas the late variant (purple) preserves early progress, but still erodes inal
performance markedly.
The consistent ordering of the curves in all subplots underscores that, without any defence, poisoning attacks
are capable of considerably degrading the performance of the model. Late parameter and data attacks prove

ACM Trans. Internet Technol.

20 • L. M. García-Sáez et al.

 


 


 


  



3UHFLVLRQ



)6FRUH
  

5HFDOO

  


  


         





 2SWLPDO&DVH 2SWLPDO&DVH 2SWLPDO&DVH

3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ


3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ  3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ

3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ

3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ  3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ



              

7UDLQLQJ5RXQG 7UDLQLQJ5RXQG 7UDLQLQJ5RXQG

Fig. 7. MNIST Dataset Ð Evolution of Precision, Recall, and F1-Score under poisoning atacks (with blockchain solution)

the most detrimental. That’s because injecting the corruption after round 5 leaves the federation with virtually
no enough time to recover or re-stabilise. Early attacks corrupt a larger part of the training process, but the
additional rounds that follow give the model a chance to recover some performance. The blue baseline, untouched
by any poisoning, continues to mark the performance ceiling.
As illustrated in Figure 7, the proposed solution is applied to the same scenario. With blockchain defence in
place, poisoning ceases to be a practical threat. All poisoned runs inish the tenth round between 0.892 and 0.916 F1-
Score, whereas the clean baseline ends at 0.917 F1-Score. The residual loss therefore stays below 0.3% for both
data poisoning cases (early 0.9148, late 0.9164) and peaks at only 2.8% for the most severe parameter poisoning
case (early 0.8916). Compared to the unprotected scenario, where late parameter poisoning cut the inal F1-Score
by about 24%, the solution reduces the worst-case damage by more than 90%. Our mitigation treats both forms of
corruption in the same way, allowing the scenario to isolate how attack timing and type inluence overall model
performance. This also suggests that blockchain not only mitigates the immediate impact of poisoning, but also
enhances the long-term stability of the model.
The second experiment is a 5-node experiment using the Iris-Flower dataset. The data level attack employs
severe target dropping, altering 40% of the training data. Furthermore, during evaluation, the labels 30% of the
remaining target class instances are lipped, forcing the model to contend with contradictory signals. At the
same time, a moderate parameter poisoning attack is carried out. Each malicious client injects a broader band of
zero-mean Gaussian noise than in the MNIST study. This added noise disturbs the client’s weight vector before it
is uploaded to the server after training is complete.
Without protection (Figure 8) the baseline line (blue) increases rapidly and settles at 0.973 F1-Score. Early data
poisoning (orange) drags the score down to 0.690 F1-Score by the end of round 10, while the late data attack
(green) inishes only slightly higher at 0.713 F1-Score. After the round 2 poisoning, the model’s performance
plateaus from round 4 onwards. Similarly, following the round 5 poisoning, performance plateaus from round
6 onwards, indicating that the attack efectively establishes a ceiling on its maximum achievable performance.
Parameter poisoning is harsher still. The early variant (red) ends at 0.574 F1-Score, and the late variant (purple)
bottoms out at 0.547 F1-Score. These traces oscillate sharply from round to round. The large random perturbations
applied to the local weights sometimes yield brief gains. However, they more often cause abrupt drops. As a
result, the federation never converges on a stable global model. In percentage terms, the worst attack removes ≈
44% of the model’s inal efectiveness. This demonstrates that, even on a small, three-class tabular task, a handful
of malicious clients can cripple learning when no countermeasure is in place.
With the blockchain layer enabled (Figure 9) the same attacks are largely neutralised. Every poisoned run
now converges between 0.915 and 0.972 F1-Score, keeping the loss in worst case under 6% relative to the

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 21

  



 

3UHFLVLRQ

)6FRUH
5HFDOO
 







2SWLPDO&DVH 2SWLPDO&DVH 2SWLPDO&DVH

3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ

3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ

 
3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ

3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ


              

7UDLQLQJ5RXQG 7UDLQLQJ5RXQG 7UDLQLQJ5RXQG

Fig. 8. Iris-Flower Dataset Ð Evolution of Precision, Recall, and F1-Score under poisoning atacks (no blockchain solution)

  



 



3UHFLVLRQ

)6FRUH

  
5HFDOO










        


 

2SWLPDO&DVH 2SWLPDO&DVH 2SWLPDO&DVH

3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ


 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ

3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ  3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ

3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ  3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ

              

7UDLQLQJ5RXQG 7UDLQLQJ5RXQG 7UDLQLQJ5RXQG

Fig. 9. Iris-Flower Dataset Ð Evolution of Precision, Recall, and F1-Score under poisoning atacks (with blockchain solution)

clean benchmark. The curves re-align with the optimal trajectory within one or two rounds after the injected
corruption. Compared to the unprotected scenario in which the worst run lost approximately 44% of its inal
F1-Score, the blockchain layer reduces this damage to roughly 0.1-5.9%, cutting the impact by more than 88%.
The last experiment is a 15-node experiment using the Fashion-MNIST dataset. The data level attack employs
moderate label lipping, altering 35% of the evaluation set instances. In parallel, an aggressive parameter poisoning
attack is carried out. Before client training, the attacker replaces the server’s weight vector with its sign-inverted
counterpart and adds a small random term. This update systematically steers the aggregation step toward the
worst performing region of the parameter space, maximising the degradation of the global model. The following
equation is employed in order to calculate the parameters of the malicious update:

� mal = −� server + �, � ∼ N (0, 0.05∥� server ∥) (1)

where:
• N denotes the normal (Gaussian) distribution (not to be confused with N, the set of natural numbers).
• � server denotes the parameter vector broadcast by the server at the start of the round.
• � mal is the poisoned update that the malicious client sends back after tampering.

ACM Trans. Internet Technol.

22 • L. M. García-Sáez et al.

• � is a random vector drawn from a zero-mean multivariate Gaussian with standard deviation 0.05 ∥� server ∥
along each dimension.
• ∥� server ∥ is the L2 -norm of the server’s parameter vector, used as a scale reference for the noise term.
In Figure 10, the clean baseline (blue) climbs steadily and settles at 0.82 F1-Score at round 10. Early data
poisoning (orange) drags the score down to 0.664 F1-Score. Late data poisoning (green) ends at 0.531 F1-Score.
However, in this scenario only the labels of the evaluation data are lipped, while the training data remain
unaltered. This setup allows the model to show slightly better recovery compared to the previous experiment. The
efect is especially noticeable in the early poisoning case, where the system has more rounds to adjust and stabilise
after the attack. The early data attack allows the system to partially recover over subsequent rounds, while the
late data attack leaves much less time for correction, resulting in a much slower and more limited recovery.
Parameter poisoning shows the most destructive efect in this scenario. Despite compromising only 40%
of the nodes, the impact on the global model is extremely critical due to the aggressive nature of the attack.
The early variant (red) drops the F1-Score to just 0.007, while the late variant (purple) bottoms out at 0.0004
F1-Score, nullifying the model’s learning capability. This result conirms that, under such aggressive parameter
manipulation, even a limited proportion of malicious clients is enough to completely destabilise the learning
process. As a consequence, the attack is able to eliminate almost 100% of the model’s inal efectiveness.

  



  

3UHFLVLRQ

)6FRUH

5HFDOO

  

2SWLPDO&DVH 2SWLPDO&DVH 2SWLPDO&DVH

3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ


3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ 3RLVRQHGDW5RXQG'DWD1R6ROXWLRQ

3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ

  
3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV1R6ROXWLRQ



  

              

7UDLQLQJ5RXQG 7UDLQLQJ5RXQG 7UDLQLQJ5RXQG

Fig. 10. Fashion-MNIST Dataset Ð Evolution of Precision, Recall, and F1-Score under poisoning atacks (no blockchain
solution)

When the blockchain-based defence is active (Figure 11), all poisoned runs recover and converge close to
the clean baseline. By round 10, all attack scenarios remain between 0.775 and 0.817 F1-Score, compared to the
clean 0.820 F1-Score. The worst-case drop is limited to ≈ 5%, and all curves realign with the optimal trajectory
within one or two rounds after the attack. In this protected scenario, the best attack case reaches 99.6% of the
clean baseline, while even the worst case maintains around 94.5% of the baseline performance. This represents
a notable improvement compared to the unprotected setting, where the worst attack reduced the F1-Score to
0.0004, efectively eliminating almost 100% of the model’s inal efectiveness.
Finally, an analysis of the blockchain impact on network performance was performed, evaluating both execution
time and network bandwidth consumption. As shown in Figure 12, the integration of the blockchain layer results
in a moderate and stable overhead on ET, ranging from 5% to 7% for up to 20 clients and increasing smoothly to
15% with 50 clients. This demonstrates the good performance of our solution in terms of eiciency, as well as its
scalability to FL processes with a high number of nodes. Signiicantly, the analysis is extended to larger federations,
which are typical of MEC-IoT environments with hundreds of nodes. In this context, a comprehensive testing

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 23

 


 



 
3UHFLVLRQ

)6FRUH
  

5HFDOO


   




 
 
         

2SWLPDO&DVH 2SWLPDO&DVH 2SWLPDO&DVH

 
3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ

3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ  3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ 3RLVRQHGDW5RXQG'DWD:LWK6ROXWLRQ

 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ


3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ 3RLVRQHGDW5RXQG3DUDPV:LWK6ROXWLRQ

              

7UDLQLQJ5RXQG 7UDLQLQJ5RXQG 7UDLQLQJ5RXQG

Fig. 11. Fashion-MNIST Dataset Ð Evolution of Precision, Recall, and F1-Score under poisoning atacks (with blockchain
solution)

was conducted on 100 and up to 200 clients, thus conirming that the measured overhead remains consistently
below 20%.
From a technical perspective, this evolution is characterised by sublinear growth of the overhead as the number
of clients increases. This is mainly due to the compact nature of blockchain transactions and the eiciency of
PoA consensus. These characteristics ensure that the additional synchronisation and validation steps introduced
by the blockchain do not scale with the same intensity as the base ET. In practice, as the system scales, the
relative impact of the blockchain overhead tends to saturate, approaching an asymptotic limit. Based on the
results obtained so far, this limit can be estimated at approximately 25% for federations of up to 500 clients. This
value remains signiicantly lower than many proposals analysed in the literature, which can easily exceed 25ś40%
overhead even with a smaller number of clients.
In this context, the temporal cost remains fully manageable and well within the operational constraints of
MEC-IoT environments, thereby conirming that the security beneits of blockchain integration are achieved
without compromising scalability or overall eiciency. In addition, the analysis of bandwidth consumption (Figure
13) shows that blockchain integration introduces only a minor overhead at the communication level. The increase
in transmitted data stays between 1.5% and 3.2%, even as the number of clients scales up to 50 and remains
below 6% for federations of up to 200 clients. In general, the results show that the solution maintains a minimal
communication cost, validating the suitability of the approach for scalable FL environments, even as the system
scales to hundreds of nodes.

6 Conclusions and Future Work

The presented work ofers an innovative and strategic solution to address security challenges in FL within
MEC-IoT environments. By implementing a blockchain infrastructure based on the use of SCs, this architecture
efectively addresses speciic vulnerabilities such as data poisoning, manipulation of local learning models, and
the insertion of malicious nodes into the network. It does so while maintaining a low impact on the overall
network and global model performance and ensuring the integrity of the global FL model.
One of the key strengths of this proposal lies in its ability to provide a decentralised, transparent, and immutable
framework through the integration of blockchain. This approach guarantees the authenticity and veriication of
the data used by the nodes, which is crucial for ensuring the validity of the local models generated and later
aggregated by the server. The blockchain acts as a unifying element that ofers resistance against attacks, and the
lexibility provided by SCs allows for easy scalability to address other potential future vulnerabilities and attacks.

ACM Trans. Internet Technol.

24 • L. M. García-Sáez et al.


 
1R%ORFNFKDLQ

:LWK%ORFNFKDLQ
 

2YHUKHDG



([HFXWLRQ7LPHV




2YHUKHDG


 



 


 


 

 

 











    


        

1XPEHURI&OLHQWV

Fig. 12. Network ET overhead under blockchain integration

Additionally, by ofering a solution that is not only secure but also eicient, it meets the latency and overhead
challenges required for the proper functioning of the MEC network.
With regard to future work, this project opens up numerous avenues and possibilities for further development,
paving the way for advancements that can build upon the proposed architecture, address emerging challenges,
and broaden its applicability across diverse scenarios and technological landscapes:
• Expansion to broader attack coverage: Although the proposed architecture focusses on mitigating
speciic attacks such as poisoning and Sybil attacks, future research could expand to cover a wider range of
vulnerabilities and attacks, such as inference attacks, data reconstruction attacks, or other more sophisticated
threats.
• Towards decentralised FL aggregation: Although the current architecture uses blockchain to secure
communication and node validation, it still relies on a central server to aggregate model updates. This
central point may become a vulnerability, as attackers could target it directly. Future work could explore
the use of blockchain itself as the aggregation mechanism, enabling a fully decentralised FL process that
removes the need for a trusted central coordinator.
• Enhancing node contribution weighting: Improving the current implementation by developing a model
that allows weighting the contributions of poisoned nodes to the global model without needing to use an
already validated model and discard the current one. This functionality would be highly beneicial, though
it requires careful selection and calibration of the model to be used.

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 25

 
1R%ORFNFKDLQ

:LWK%ORFNFKDLQ

2YHUKHDG



%\WHV7UDQVPLWWHG0%



2YHUKHDG


 







 



 

 





 

   

        

1XPEHURI&OLHQWV

Fig. 13. Network bandwidth consumption and overhead under blockchain integration

• Assessing large-scale FL deployments: The computational cost and latency introduced by blockchain
integration remain an important concern in real-world MEC-IoT networks. This issue becomes especially
relevant in large-scale FL scenarios with hundreds or thousands of participating nodes. Future research
should explore possible solutions to address these challenges. Approaches such as hierarchical blockchain
models, sharding strategies, of-chain channels, or adaptive consensus mechanisms could help maintain
system eiciency and responsiveness as the network scales.
• Comparative analysis of blockchain frameworks: Evaluating the performance, scalability, and security
trade-ofs of diferent blockchain platforms. This includes comparing Hyperledger, Ethereum, and other
alternatives. Such an analysis could provide valuable insights into the most suitable framework for secure
and eicient FL in MEC-IoT environments.
• Extending resilience analysis to additional attack vectors: Although this work has focussed on
defending against poisoning and Sybil attacks, it would be valuable to investigate the resilience of the
system against a wider set of threats, such as inference attacks, backdoor attacks, or denial-of-service
scenarios. This evaluation would provide a more comprehensive understanding of the robustness and
applicability of the proposed architecture.

ACM Trans. Internet Technol.

26 • L. M. García-Sáez et al.

Acknowledgments
This work has been funded by the University of Castilla-La Mancha through the predoctoral contract 2024-
UNIVERS-12844, supported by the European Social Fund Plus (ESF+), by the Regional Government of Castilla-La
Mancha (JCCM) through project SBPLY/21/180501/000195, and by the R&D project PID2024-158682OB-C32,
funded by the Spanish Ministry of Science and Innovation (MCIN) and the European Regional Development
Fund: “a way of making Europež. This work has also been partially supported by projects PID2022-142332OA-I00,
TED2021-131115A-I00, and PID2023-151467OA-I00, funded by MICIU/AEI/10.13039/501100011033, and by the
EINA UNIZAR Strategic Cybersecurity Project grant, funded by the Spanish National Cybersecurity Institute
(INCIBE) and the European Union NextGenerationEU/PRTR. This work is also supported by the Department
of University, Industry, and Innovation of the Government of Aragon under the Strategic Projects Program for
Research Groups (DisCo research group, ref. T21-23R).

References
[1] 2024. Gas and fees. https://ethereum.org/en/developers/docs/gas/ Last access: 06/05/2025.
[2] 2024. Internet of Things (IoT): Connected devices in the world 2015-2027. https://t.ly/4xx1W Last access: 06/05/2025.
[3] 2024. Papers with Code - MNIST Dataset. https://paperswithcode.com/dataset/mnist Last access: 06/05/2025.
[4] Nasir Abbas, Yan Zhang, Amir Taherkordi, and Tor Skeie. 2018. Mobile Edge Computing: A Survey. IEEE Internet of Things Journal 5, 1
(Feb. 2018), 450ś465. doi:10.1109/JIOT.2017.2750180 Conference Name: IEEE Internet of Things Journal.
[5] Made Adi Paramartha Putra, Nyoman Bogi Aditya Karna, Revin Naufal Alief, Ahmad Zainudin, Dong-Seong Kim, Jae-Min Lee, and
Gabriel Avelino Sampedro. 2024. PureFed: An Eicient Collaborative and Trustworthy Federated Learning Framework Based on
Blockchain Network. IEEE Access 12 (2024), 82413ś82426. doi:10.1109/ACCESS.2024.3411091
[6] Aswani Devi Aguru, Amrit Pandey, Suresh Babu Erukala, Ali Kashif Bashir, Yaodong Zhu, Rajesh Kaluri, and Thippa Reddy Gadekallu.
2024. Reliable-RPL: A Reliability-Aware RPL Protocol Using Trust-Based Blockchain System for Internet of Things. IEEE Transactions on
Reliability (Dec. 2024). https://doi.org/10.1109/TR.2024.3508652
[7] Ranwa Al Mallah and David Lopez. 2022. Blockchain-based Monitoring for Poison Attack Detection in Decentralized Federated Learning.
In 2022 International Conference on Electrical, Computer, Communications and Mechatronics Engineering (ICECCME). IEEE, Maldives,
Maldives, 1ś6. doi:10.1109/ICECCME55909.2022.9988067
[8] Mohammed Aledhari, Rehma Razzak, Reza M. Parizi, and Fahad Saeed. 2020. Federated Learning: A Survey on Enabling Technologies,
Protocols, and Applications. IEEE Access 8 (2020). doi:10.1109/ACCESS.2020.3013541
[9] Saier Alharbi, Yifan Guo, and Wei Yu. 2024. Collusive Backdoor Attacks in Federated Learning Frameworks for IoT Systems. IEEE
Internet of Things Journal (2024), 1ś1. doi:10.1109/JIOT.2024.3368754 Conference Name: IEEE Internet of Things Journal.
[10] Henri Arslanian. 2022. Ethereum. In The Book of Crypto: The Complete Guide to Understanding Bitcoin, Cryptocurrencies and Digital
Assets, Henri Arslanian (Ed.). Springer International Publishing, Cham, 91ś98. doi:10.1007/978-3-030-97951-5_3
[11] Erukala Suresh Babu, Amogh Barthwal, and Rajesh Kaluri. 2023. Sec-edge: Trusted blockchain system for enabling the identiication
and authentication of edge based 5G networks. Computer Communications 199 (Feb. 2023), 10ś29. doi:10.1016/j.comcom.2022.12.001
[12] Nathalie Baracaldo, Bryant Chen, Heiko Ludwig, Amir Safavi, and Rui Zhang. 2018. Detecting Poisoning Attacks on Machine Learning
in IoT Environments. In 2018 IEEE International Congress on Internet of Things (ICIOT). 57ś64. doi:10.1109/ICIOT.2018.00015
[13] M. Baritha Begum, N. Deepa, Mueen Uddin, Rajesh Kaluri, Maha Abdelhaq, and Raed Alsaqour. 2023. An eicient and secure compression
technique for data protection using burrows-wheeler transform algorithm. Heliyon 9, 6 (June 2023), e17602. doi:10.1016/j.heliyon.2023.
e17602
[14] Muhammad Nasir Mumtaz Bhutta, Amir A. Khwaja, Adnan Nadeem, Haiz Farooq Ahmad, Muhammad Khurram Khan, Moataz A.
Hanif, Houbing Song, Majed Alshamari, and Yue Cao. 2021. A Survey on Blockchain Technology: Evolution, Architecture and Security.
IEEE Access 9 (2021), 61048ś61073. doi:10.1109/ACCESS.2021.3072849 Conference Name: IEEE Access.
[15] Parimala Boobalan, Swarna Priya Ramu, Quoc-Viet Pham, Kapal Dev, Sharnil Pandya, Praveen Kumar Reddy Maddikunta, Thippa Reddy
Gadekallu, and Thien Huynh-The. 2022. Fusion of Federated Learning and Industrial Internet of Things: A survey. Computer Networks
212 (July 2022), 109048. doi:10.1016/j.comnet.2022.109048
[16] Nader Bouacida and Prasant Mohapatra. 2021. Vulnerabilities in Federated Learning. IEEE Access 9 (2021), 63229ś63249. doi:10.1109/
ACCESS.2021.3075203
[17] Hang Chen, Syed Ali Asif, Jihong Park, Chien-Chung Shen, and Mehdi Bennis. 2021. Robust Blockchained Federated Learning with
Model Validation and Proof-of-Stake Inspired Consensus. (2021). doi:10.48550/ARXIV.2101.03300
[18] Shweta Kumari Choudhary, Arpan Kumar Kar, and Yogesh K Dwivedi. 2024. How does Federated Learning Impact Decision-Making in
Firms: A Systematic Literature Review. (Feb. 2024). doi:10.17705/1CAIS.05419

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 27

[19] John R. Douceur. 2002. The Sybil Attack. In Peer-to-Peer Systems, Peter Druschel, Frans Kaashoek, and Antony Rowstron (Eds.). Springer,
Berlin, Heidelberg, 251ś260. doi:10.1007/3-540-45748-8_24
[20] Fake Fang, Libo Feng, Jiale Xie, Junhong Liu, Zehui Yuan, Xian Deng, Peng Wu, Peiyin Luo, and Yifan Liu. 2024. BCFL:A Trustworthy
and Eicient Federated Learning Framework Based on Blockchain In IoT. In 2024 27th International Conference on Computer Supported
Cooperative Work in Design (CSCWD). 2394ś2399. doi:10.1109/CSCWD61410.2024.10580415
[21] Lei Feng, Yiqi Zhao, Shaoyong Guo, Xuesong Qiu, Wenjing Li, and Peng Yu. 2022. BAFL: A Blockchain-Based Asynchronous Federated
Learning Framework. IEEE Trans. Comput. 71, 5 (May 2022), 1092ś1103. doi:10.1109/TC.2021.3072033 Conference Name: IEEE
Transactions on Computers.
[22] Mohamed Amine Ferrag, Burak Kantarci, Lucas C. Cordeiro, Merouane Debbah, and Kim-Kwang Raymond Choo. 2023. Poisoning
Attacks in Federated Edge Learning for Digital Twin 6G-enabled IoTs: An Anticipatory Study. doi:10.48550/arXiv.2303.11745
[23] Abderrahime Filali, Amine Abouaomar, Soumaya Cherkaoui, Abdellatif Kobbane, and Mohsen Guizani. 2020. Multi-Access Edge
Computing: A Survey. IEEE Access 8 (2020), 197017ś197046. doi:10.1109/ACCESS.2020.3034136
[24] Othmane Friha, Mohamed Amine Ferrag, Lei Shu, Leandros Maglaras, Kim-Kwang Raymond Choo, and Mehdi Nafaa. 2022. FELIDS:
Federated learning-based intrusion detection system for agricultural Internet of Things. J. Parallel and Distrib. Comput. 165 (July 2022),
17ś31. doi:10.1016/j.jpdc.2022.03.003
[25] Chandranshu Gupta and Asmita Mahajan. 2020. Evaluation of Proof-of-Work Consensus Algorithm for Blockchain Networks. In 2020
11th International Conference on Computing, Communication and Networking Technologies (ICCCNT). 1ś7. doi:10.1109/ICCCNT49239.
2020.9225676
[26] Woorim Han, Yungi Cho, and Yunheung Paek. 2023. A Survey on Threats to Federated Learning. (2023). https://koreascience.kr/article/
CFKO202319360811307.pdf
[27] Masahiro Hayashitani, Junki Mori, and Isamu Teranishi. 2024. Survey of Privacy Threats and Countermeasures in Federated Learning.
doi:10.48550/arXiv.2402.00342
[28] Péter Hegedűs. 2018. Towards analyzing the complexity landscape of solidity based ethereum smart contracts. In Proceedings of the 1st
International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB ’18). Association for Computing Machinery,
New York, NY, USA, 35ś39. doi:10.1145/3194113.3194119
[29] Wael Issa, Nour Moustafa, Benjamin Turnbull, Nasrin Sohrabi, and Zahir Tari. 2023. Blockchain-Based Federated Learning for Securing
Internet of Things: A Comprehensive Survey. Comput. Surveys 55, 9 (2023), 191:1ś191:43. doi:10.1145/3560816
[30] Yupeng Jiang, Yong Li, Yipeng Zhou, and Xi Zheng. 2021. Sybil Attacks and Defense on Diferential Privacy based Federated Learning.
In 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, Shenyang,
China, 355ś362. doi:10.1109/TrustCom53373.2021.00062
[31] Yifeng Jiang, Weiwen Zhang, and Yanxi Chen. 2023. Data Quality Detection Mechanism Against Label Flipping Attacks in Federated
Learning. IEEE Transactions on Information Forensics and Security 18 (2023), 1625ś1637. doi:10.1109/TIFS.2023.3249568 Conference
Name: IEEE Transactions on Information Forensics and Security.
[32] Aditya Pribadi Kalapaaking, Ibrahim Khalil, Xun Yi, Kwok-Yan Lam, Guang-Bin Huang, and Ning Wang. 2024. Auditable and Veriiable
Federated Learning Based on Blockchain-Enabled Decentralization. IEEE Transactions on Neural Networks and Learning Systems (2024),
1ś14. doi:10.1109/TNNLS.2024.3407670 Conference Name: IEEE Transactions on Neural Networks and Learning Systems.
[33] Jiawen Kang, Zehui Xiong, Dusit Niyato, Yuze Zou, Yang Zhang, and Mohsen Guizani. 2020. Reliable Federated Learning for Mobile
Networks. IEEE Wireless Communications 27, 2 (April 2020), 72ś80. doi:10.1109/MWC.001.1900119 Conference Name: IEEE Wireless
Communications.
[34] Harsh Kasyap and Somanath Tripathy. 2024. Privacy-preserving and Byzantine-robust Federated Learning Framework using Permissioned
Blockchain. Expert Systems with Applications 238 (March 2024), 122210. doi:10.1016/j.eswa.2023.122210
[35] et al Nirvikar Katiyar. 2023. Decentralized Consensus Mechanisms in Blockchain: A Comparative Analysis. International Journal on
Recent and Innovation Trends in Computing and Communication 11, 11 (Dec. 2023), 706ś716. doi:10.17762/ijritcc.v11i11.10075
[36] Sivleen Kaur, Sheetal Chaturvedi, Aabha Sharma, and Jayaprakash Kar. 2021. A Research Survey on Applications of Consensus Protocols
in Blockchain. Security and Communication Networks 2021, 1 (2021), 6693731. doi:10.1155/2021/6693731
[37] Muhammad Milhan Afzal Khan, Haiz Muhammad Azeem Sarwar, and Muhammad Awais. 2022. Gas consumption analysis of Ethereum
blockchain transactions. Concurrency and Computation: Practice and Experience 34, 4 (2022), e6679. doi:10.1002/cpe.6679
[38] Rajeshree Khande, Shubhangee Ramaswami, Chaitanya Naidu, and Nidhi Patel. 2021. AN EFFECTIVE MECHANISM FOR SECURING
AND MANAGING PASSWORD USING AES-256 ENCRYPTION & PBKDF2. INTERNATIONAL JOURNAL OF ELECTRICAL ENGINEERING
AND TECHNOLOGY 12, 5 (May 2021). doi:10.34218/IJEET.12.5.2021.001
[39] Merit Kõlvart, Margus Poola, and Addi Rull. 2016. Smart Contracts. In The Future of Law and eTechnologies, Tanel Kerikmäe and Addi
Rull (Eds.). Springer International Publishing, Cham, 133ś147. doi:10.1007/978-3-319-26896-5_7
[40] Ananya B. L, Nikhitha V, S. Arjun, and Naveen Chandra Gowda. 2023. Survey of applications, advantages, and comparisons of AES
encryption algorithm with other standards. International Journal of Computational Learning & Intelligence 2, 2 (May 2023), 87ś98.
doi:10.5281/zenodo.7921019

ACM Trans. Internet Technol.

28 • L. M. García-Sáez et al.

[41] Riccardo Lazzarini, Huaglory Tianield, and Vassilis Charissis. 2023. Federated Learning for IoT Intrusion Detection. AI 4, 3 (Sept. 2023),
509ś530. doi:10.3390/ai4030028 Number: 3 Publisher: Multidisciplinary Digital Publishing Institute.
[42] Dongxing Li, Wei Peng, Wenping Deng, and Fangyu Gai. 2018. A Blockchain-Based Authentication and Security Mechanism for IoT. In
2018 27th International Conference on Computer Communication and Networks (ICCCN). IEEE, Hangzhou, 1ś6. doi:10.1109/ICCCN.2018.
8487449
[43] Guangshun Li, Xinrong Ren, Junhua Wu, Wanting Ji, Haili Yu, Jiabin Cao, and Ruili Wang. 2021. Blockchain-based mobile edge
computing system. Information Sciences 561 (June 2021), 70ś80. doi:10.1016/j.ins.2021.01.050
[44] Zengpeng Li, Vishal Sharma, and Saraju P. Mohanty. 2020. Preserving Data Privacy via Federated Learning: Challenges and Solutions.
IEEE Consumer Electronics Magazine 9, 3 (May 2020), 8ś16. doi:10.1109/MCE.2019.2959108
[45] Junchuan Lianga, Rong Wang, Chaosheng Feng, and Chin-Chen Chang. 2023. A Survey on Federated Learning Poisoning Attacks and
Defenses. doi:10.48550/arXiv.2306.03397
[46] Jiahuan Luo, Xueyang Wu, Yun Luo, Anbu Huang, Yunfeng Huang, Yang Liu, and Qiang Yang. 2021. Real-World Image Datasets for
Federated Learning. doi:10.48550/arXiv.1910.11089
[47] Mobasshir Mahbub, Md. Shamrat Apu Gazi, Sayed Al Arabi Provat, and Md. Saiful Islam. 2020. Multi-Access Edge Computing-Aware
Internet of Things: MEC-IoT. In 2020 Emerging Technology in Computing, Communication and Electronics (ETCCE). IEEE, Bangladesh,
1ś6. doi:10.1109/ETCCE51779.2020.9350909
[48] H. Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Agüera y Arcas. 2023. Communication-Eicient Learning
of Deep Networks from Decentralized Data. doi:10.48550/arXiv.1602.05629
[49] Aswathi A. Menon, T. Saranya, Sheetal Sureshbabu, and A. S. Mahesh. 2022. A Comparatıve Analysis on Three Consensus Algorithms.
In Computer Networks and Inventive Communication Technologies, S. Smys, Robert Bestak, Ram Palanisamy, and Ivan Kotuliak (Eds.).
Springer Nature, Singapore, 369ś383. doi:10.1007/978-981-16-3728-5_28
[50] Debajani Mohanty. 2018. Frameworks: Trule and Embark. In Ethereum for Architects and Developers: With Case Studies and Code
Samples in Solidity, Debajani Mohanty (Ed.). Apress, Berkeley, CA, 181ś195. doi:10.1007/978-1-4842-4075-5_7
[51] N. Kishor Narang. 2024. Mentor’s Musings on Federated Learning Standardization Imperatives in Leveraging It for Industrial IoT.
IEEE Internet of Things Magazine 7, 5 (Sept. 2024), 4ś10. doi:10.1109/MIOT.2024.10644021 Conference Name: IEEE Internet of Things
Magazine.
[52] Dinh C. Nguyen, Ming Ding, Pubudu N. Pathirana, Aruna Seneviratne, Jun Li, and H. Vincent Poor. 2021. Federated Learning for Internet
of Things: A Comprehensive Survey. IEEE Communications Surveys & Tutorials 23, 3 (2021), 1622ś1658. doi:10.1109/COMST.2021.3075439
[53] Arvind Panwar and Vishal Bhatnagar. 2020. Distributed Ledger Technology (DLT): The Beginning of a Technological Revolution
for Blockchain. In 2nd International Conference on Data, Engineering and Applications (IDEA). IEEE, Bhopal, India, 1ś5. doi:10.1109/
IDEA49133.2020.9170699
[54] Younghyun Park, Dong-Jun Han, Do-Yeon Kim, Jun Seo, and Jaekyun Moon. 2021. Few-Round Learning for Federated Learning. In
Advances in Neural Information Processing Systems. Curran Associates, Inc., Virtual. https://proceedings.neurips.cc/paper/2021/hash/
f065d878ccfb4cc4f4265a4f8bafa9a-Abstract.html
[55] Jiawei Peng, Yijun Wu, and Kunfeng Yuan. 2023. A research on the consensus mechanisms. Applied and Computational Engineering 16
(Oct. 2023), 127ś137. doi:10.54254/2755-2721/16/20230853
[56] Davy Preuveneers, Vera Rimmer, Ilias Tsingenopoulos, Jan Spooren, Wouter Joosen, and Elisabeth Ilie-Zudor. 2018. Chained Anomaly
Detection Models for Federated Learning: An Intrusion Detection Case Study. Applied Sciences 8, 12 (Dec. 2018), 2663. doi:10.3390/
app8122663
[57] R. A. Fisher. 1936. Iris. doi:10.24432/C56C76
[58] Pasika Ranaweera, Anca Delia Jurcut, and Madhusanka Liyanage. 2021. Survey on Multi-Access Edge Computing Security and Privacy.
IEEE Communications Surveys & Tutorials 23, 2 (2021), 1078ś1124. doi:10.1109/COMST.2021.3062546
[59] Nuria Rodríguez-Barroso, Javier Del Ser, M. Victoria Luzón, and Francisco Herrera. 2024. Defense Strategy against Byzantine Attacks in
Federated Machine Learning: Developments towards Explainability. In 2024 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE).
1ś8. doi:10.1109/FUZZ-IEEE60900.2024.10611769 ISSN: 1558-4739.
[60] Margaret Rouse. 2023. Merkle Tree (Blockchain Hash Tree). https://www.techopedia.com/deinition/32919/merkle-tree Last access:
06/05/2025.
[61] Sergio Ruiz-Villafranca, Javier Carrillo-Mondéjar, Juan Manuel Castelo Gómez, and José Roldán-Gómez. 2023. MECInOT: a multi-access
edge computing and industrial internet of things emulator for the modelling and study of cybersecurity threats. The Journal of
Supercomputing 79, 11 (July 2023), 11895ś11933. doi:10.1007/s11227-023-05098-2
[62] Subhash Sagar, Chang-Sun Li, Seng W. Loke, and Jinho Choi. 2023. Poisoning Attacks and Defenses in Federated Learning: A Survey.
doi:10.48550/arXiv.2301.05795
[63] Benedikt Severin, Marc Hesenius, Florian Blum, Michael Hettmer, and Volker Gruhn. 2022. Smart Money Wasting: Analyzing Gas Cost
Drivers of Ethereum Smart Contracts. In 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME). 293ś304.
doi:10.1109/ICSME55016.2022.00034 ISSN: 2576-3148.

ACM Trans. Internet Technol.

 Poisoning-Resilient Federated Learning for MEC-IoT Environments Using Blockchain • 29

[64] Virat Shejwalkar, Amir Houmansadr, Peter Kairouz, and Daniel Ramage. 2022. Back to the Drawing Board: A Critical Evaluation of
Poisoning Attacks on Production Federated Learning. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, San Francisco, CA,
USA, 1354ś1371. doi:10.1109/SP46214.2022.9833647
[65] Junyu Shi, Wei Wan, Shengshan Hu, Jianrong Lu, and Leo Yu Zhang. 2022. Challenges and Approaches for Mitigating Byzantine Attacks
in Federated Learning. In 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom).
139ś146. doi:10.1109/TrustCom56396.2022.00030 ISSN: 2324-9013.
[66] Ashish Singh, Suresh Chandra Satapathy, Arnab Roy, and Adnan Gutub. 2022. AI-Based Mobile Edge Computing for IoT: Applications,
Challenges, and Future Scope. Arabian Journal for Science and Engineering 47, 8 (Aug. 2022), 9801ś9831. doi:10.1007/s13369-021-06348-2
[67] Fatma Zehra Solak, Beste Üstübioğlu, Eda Sena Erdöl, Güzin Ulutaş, Yazılım Mühendisligi, and Bilgisayar Mühendisliği. 2024. Federated
Learning Resistant to Byzantine Attacks with Quantil-Based Statistical Propagation. In 2024 32nd Signal Processing and Communications
Applications Conference (SIU). 1ś4. doi:10.1109/SIU61531.2024.10600786 ISSN: 2165-0608.
[68] Zu-Sheng Tan, Eric W. K. See-To, Kwan-Yeung Lee, Hong-Ning Dai, and Man-Leung Wong. 2024. Privacy-preserving federated learning
for proactive maintenance of IoT-empowered multi-location smart city facilities. Journal of Network and Computer Applications 231
(Nov. 2024), 103996. doi:10.1016/j.jnca.2024.103996
[69] Vale Tolpegin, Stacey Truex, Mehmet Emre Gursoy, and Ling Liu. 2020. Data Poisoning Attacks Against Federated Learning Systems. In
Computer Security ś ESORICS 2020, Liqun Chen, Ninghui Li, Kaitai Liang, and Steve Schneider (Eds.). Springer International Publishing,
Cham, 480ś501. doi:10.1007/978-3-030-58951-6_24
[70] Lechosław Tomaszewski, Sławomir Kukliński, and Robert Kołakowski. 2020. A New Approach to 5G and MEC Integration. In Artiicial
Intelligence Applications and Innovations. AIAI 2020 IFIP WG 12.5 International Workshops, Ilias Maglogiannis, Lazaros Iliadis, and Elias
Pimenidis (Eds.). Springer International Publishing, Cham, 15ś24. doi:10.1007/978-3-030-49190-1_2
[71] Dr Gavin Wood. 2024. ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER. (Nov. 2024). https:
//ethereum.github.io/yellowpaper/paper.pdf Last access: 06/05/2025.
[72] Geming Xia, Jian Chen, Chaodong Yu, and Jun Ma. 2023. Poisoning Attacks in Federated Learning: A Survey. IEEE Access 11 (2023),
10708ś10722. doi:10.1109/ACCESS.2023.3238823 Conference Name: IEEE Access.
[73] Han Xiao, Kashif Rasul, and Roland Vollgraf. 2017. Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning
Algorithms. doi:10.48550/arXiv.1708.07747
[74] Xiaolong Xu, Haoyuan Li, Weijie Xu, Zhongjian Liu, Liang Yao, and Fei Dai. 2022. Artiicial intelligence for edge service optimization in
Internet of Vehicles: A survey. Tsinghua Science and Technology 27, 2 (April 2022), 270ś287. doi:10.26599/TST.2020.9010025 Conference
Name: Tsinghua Science and Technology.
[75] Yajing Xu, Zhihui Lu, Keke Gai, Qiang Duan, Junxiong Lin, Jie Wu, and Kim-Kwang Raymond Choo. 2023. BESIFL: Blockchain-
Empowered Secure and Incentive Federated Learning Paradigm in IoT. IEEE Internet of Things Journal 10, 8 (April 2023), 6561ś6573.
doi:10.1109/JIOT.2021.3138693
[76] Jie Yang, Jun Zheng, Thar Baker, Shuai Tang, Yu-an Tan, and Quanxin Zhang. 2023. Clean-label poisoning attacks on federated learning
for IoT. Expert Systems 40, 5 (2023), e13161. doi:10.1111/exsy.13161
[77] Binhang Yuan, Song Ge, and Wenhui Xing. 2020. A Federated Learning Framework for Healthcare IoT devices. (2020). doi:10.48550/
ARXIV.2005.05083
[78] Siyuan Zeng, Bo Mi, and Darong Huang. 2023. Emergency Vehicle Identiication for Internet of Vehicles Based on Federated Learning
and Homomorphic Encryption. In 2023 IEEE 12th Data Driven Control and Learning Systems Conference (DDCLS). IEEE, Xiangtan, China,
208ś213. doi:10.1109/DDCLS58216.2023.10166254
[79] Chen Zhang, Yu Xie, Hang Bai, Bin Yu, Weihong Li, and Yuan Gao. 2021. A survey on federated learning. Knowledge-Based Systems 216
(March 2021), 106775. doi:10.1016/j.knosys.2021.106775
[80] Haoran Zhang, Shan Jiang, and Shichang Xuan. 2024. Decentralized federated learning based on blockchain: concepts, framework, and
challenges. Computer Communications 216 (Feb. 2024), 140ś150. doi:10.1016/j.comcom.2023.12.042
[81] Tuo Zhang, Lei Gao, Chaoyang He, Mi Zhang, Bhaskar Krishnamachari, and A. Salman Avestimehr. 2022. Federated Learning for
the Internet of Things: Applications, Challenges, and Opportunities. IEEE Internet of Things Magazine 5, 1 (March 2022), 24ś29.
doi:10.1109/IOTM.004.2100182 Conference Name: IEEE Internet of Things Magazine.
[82] Zhao Zhang, Yong Zhang, Da Guo, Lei Yao, and Zhao Li. 2022. SecFedNIDS: Robust defense for poisoning attack against federated learning-
based network intrusion detection system. Future Generation Computer Systems 134 (Sept. 2022), 154ś169. doi:10.1016/j.future.2022.04.010
[83] Ping Zhao, Haojun Huang, Xiaohui Zhao, and Daiyu Huang. 2020. P3: Privacy-Preserving Scheme Against Poisoning Attacks in
Mobile-Edge Computing. IEEE Transactions on Computational Social Systems 7, 3 (June 2020), 818ś826. doi:10.1109/TCSS.2019.2960824
[84] Yanxu Zhu, Hong Wen, Jinsong Wu, Runhui Zhao, Yanxu Zhu, Hong Wen, Jinsong Wu, and Runhui Zhao. 2023. Online data poisoning
attack against edge AI paradigm for IoT-enabled smart city. Mathematical Biosciences and Engineering 20, 10 (2023), 17726ś17746.
doi:10.3934/mbe.2023788

Received 13 January 2025; revised 28 July 2025; accepted 8 September 2025

ACM Trans. Internet Technol.