Securing Distributed Network Digital Twin Systems Against Model Poisoning Attacks

In the realm of telecommunications, wireless networks are experiencing a paradigm shift, primarily driven by the advent of edge computing, spectrum sharing, and millimeter-wave communication technologies in the 5G era. These technological advancements are foundational to a multitude of novel applications and services, notably enhancing mobile broadband and facilitating the seamless integration of the Internet of Things (IoT) [1, 2], autonomous transportation [3], smart urban infrastructure [4], and remote healthcare delivery [5]. Further, the nascent stages of 6G research are indicative of potential revolutionary leaps in hybrid physical-virtual network technologies, paving the way for ubiquitous and intelligent connectivity worldwide. Parallel to these advancements, the concept of digital twin (DT) has surfaced as a significant technological breakthrough in the mixed reality era [6, 7, 8]. The DTs embody intricate virtual representations of physical entities or systems and gain traction in the context of the Fourth Industrial Revolution. This concept synergistically harnesses the capabilities of IoT, machine learning, and big data analytics, meticulously constructing a comprehensive digital model that mirrors the physical attributes, processes, interconnection, and dynamics of its real-world counterpart. Such models play a pivotal role in facilitating predictive simulations, what-if analysis, and system optimizations within a virtual environment, thereby offering tangible insights into operational challenges and maintenance requirements [9, 10, 11].

While DTs offer a wide range of benefits and applications, ensuring their security remains a critical concern that necessitates a comprehensive understanding and robust countermeasures. Common security threats to DTs include data breaches, unauthorized access, and cyber-attacks, which can disrupt the seamless interaction between the physical and virtual systems [12]. In the realm of wireless networks, these DTs face additional challenges such as Byzantine attacks, man-in-the-middle attacks, and signal interference, which can severely impact their availability and reliability. Furthermore, robust countermeasures, including encryption techniques and secure communication protocols, are needed to protect DTs from potential adversarial attacks in open wireless environments [13]. As DTs are increasingly integrated into the metaverse applications [14], addressing the security and privacy challenges becomes paramount to ensure a trustworthy user interface [15]. In particular, trust evaluation schemes such as in [16] have been proposed for using federated learning (FL) in DT systems, aiming to enhance data usage security by evaluating the trustworthiness of participating network entities. In the realm of wireless networks, FL leverages its decentralized nature to facilitate multiple network services. With the exponential growth in the number of connected devices and the ever-increasing demand for data-intensive applications like streaming and IoT services, constructing precise network digital twins (NDTs) accurately becomes vital for ensuring various downstream forecasting tasks, such as wireless traffic prediction (WTP) [17, 18, 19]. Despite distributed learning’s potential in accuracy, efficiency, and privacy preservation, its integration into NDT creation and operation is not devoid of challenges. Notably, Byzantine attacks, particularly model poisoning attacks, pose significant threats to the effectiveness and trustworthiness of NDT systems.

In a model poisoning attack, malicious network entities introduce adversarial modifications to the model parameters during the map** process of NDTs. This tampering results in a compromised server-level twin, i.e. global twin model, when aggregated at the central network controller, subsequently producing incorrect operations on the physical infrastructure. Such inaccuracies lead to the risk of network inefficiencies and even severe service disruptions, especially in real-time applications like autonomous driving systems. In more extreme scenarios, these attacks may serve as gateways to further malicious network intrusions, instigating broader security and privacy concerns as illustrated in [20, 21]. The grave implications of model poisoning attacks underscore the pressing need for robust security measures to ensure the integrity, reliability, and resilience of distributed NDT systems against Byzantine failures, thereby safeguarding the overarching network infrastructure and the services reliant on it. While most existing DT map** algorithms and their associated security strategies are typically assessed within the context of classification problems [22, 23], scant attention has been paid to the regression problems, as observed in examined WTP scenarios within NDTs, introducing distinct challenges related to data distribution, model complexity, and evaluation metrics. The distinction between data manipulation strategies in regression and classification problems, as well as their detection methodologies, underscores the nuanced challenges in safeguarding twin models against emerging adversarial attacks. For instance, in a regression-based DT-assisted WTP problem, attackers typically target the model’s continuous output by altering the distribution or magnitude of input time-series data, intending to steer predictions in a specific direction. This differs from classification tasks, where the manipulation revolves around modifying input features to induce misclassification without noticeably changing the input’s appearance to human observers.

To bridge this gap, we make the first attempt to introduce a novel attack centered on injecting disruptive traffic data from malicious NDTs into wireless networks. Existing model poisoning attacks have predominantly depended on additional access knowledge and direct intrusions on physical base stations (BSs) [24, 22, 25]. However, in a practical cellular network system, BSs have exhibited a commendable level of resilience against attacks, making the extraction of training data from them a challenging endeavor. In contrast, the cost of deploying fake NDTs that mimic their behaviors is comparatively lower than the resources required for compromising authentic BSs [26]. This assumption asserts that these compromised NDTs lack insight into the training data and only have access to the initial and current global twin models, aligning with the practical settings studied in [26]. Importantly, other information, such as data aggregation rules and model parameters from benign NDTs or BSs, remains inaccessible to these compromised NDTs. In this work, we consider a distributed DT-assisted network architecture as depicted in Fig. 1, where wireless traffic data collected from BSs is mapped into local NDTs to establish an initial and private NDT for each BS. Within each cluster, a cluster-level NDT (C-NDT) is constructed by aggregating these local twin models. Subsequently, at the backend, a global twin model (G-NDT) is established by merging the C-NDT model parameters during each iterative phase. This global twin model is then synchronized with each local NDT, serving as a foundation for predictive analysis and enabling specific applications for each BS and its associated NDTs. In this situation, our threat model envisions a minimum-knowledge scenario for an adversary. First, we propose Fake Traffic Injection (FTI), a methodology designed to create undetectable fake NDTs with minimal prior knowledge. Each fake NDT employs both its initial model and current global information to determine the optimizing trajectory of the twinning process, as shown in Fig. 4. These malicious participants aim to subtly align the global model towards an outcome that undermines the integrity and reliability of the NDT system. Numerous numerical experiments are conducted to validate that our FTI demonstrates efficacy across various state-of-the-art model aggregation rules, outperforming other poisoning attacks in terms of vulnerability impacts.

On the contrary, we propose an innovative defensive strategy known as Global-Local Inconsistency Detection (GLID), aimed at neutralizing the effects of model poisoning attacks on NDT systems. This defense scheme involves strategically removing abnormal model parameters that deviate beyond a specific percentile range estimated through statistical methods in each dimension. Such an adaptive approach allows us to trim varying numbers of malicious model parameters instead of a fixed quantity [27]. Next, a weighted mean mechanism is employed to update the global twin model parameter, subsequently disseminated back to each NDT. Our extensive evaluations, conducted on real-world datasets, demonstrate that the proposed defensive mechanism substantially mitigates the impact of model poisoning attacks on NDT systems, thereby showcasing a promising avenue for securing distributed NDT systems with trustworthiness. This paper is an extended version of our previous work in [28], where we expand upon it by adapting the proposed attack and defense strategies from traditional federated learning settings to the practical NDT system.

The contributions are briefly summarized into three folds:

1. 1.

   We present a novel model poisoning attack, employing fake NDTs for traffic injection into distributed NDT systems under a minimum-knowledge scenario.

2. 2.

   Conversely, we propose an effective defense strategy tailored to counteract various model poisoning attacks, which proactively trims an adaptive number of twin model parameters by leveraging the percentile estimation technique.

3. 3.

   Lastly, we evaluate both the proposed poisoning attack and the defensive mechanism using real-world traffic datasets from Milan City, where the results demonstrate that the FTI attack indeed compromises distributed NDT systems, and the proposed defensive strategy proves notably more effective than other baseline approaches in mitigating various attacks.

This section introduces a novel framework for creating and synchronizing NDTs specifically designed for wireless traffic prediction. The framework is structured around three main stages: dynamic connectivity segmentation (DCS), vertical twinning (V-twinning), and horizontal twinning (H-twinning). The overall framework is shown in Fig. 1. The primary objective of the NDTs is to minimize prediction errors across all BSs for a better understanding of the physical network. This can be formulated as an optimization problem:

where $F$ is the quadratic loss function, $M$ is the number of NDTs, $z$ is the number of data points, $r_{m}^{n}$ is the input traffic sequence, and $s_{m}^{n}$ is the corresponding output traffic prediction. The optimization problem is resolved through FL with distributed NDTs, following the synchronization, local updating, and model aggregation process. This single-level map** approach utilizes a classical FL strategy to aggregate multiple local twin models, serving as the baseline for comparing with our proposed joint vertical-horizontal map** scheme.

Specifically, Eq. (1) can be resolved in a distributed fashion in traditional FL settings with the following three steps in each global training round $t$, as shown in Fig. 2.

• •

  Step I (Local twin update). Each NDT $i\in[n]$ utilizes its private time-series training data along with the current global model to refine its own local model, then transmits the updated local model $\bm{\theta}_{i}^{t}$ back to a central server.

• •

  Step II (Local twin manipulation/model poisoning attack). Each malicious NDT utilizes its knowledge to modify or create local twin models, and then send these malicious twin models to the server.

• •

  Step III (Aggregation of local twin models). The central server leverages the aggregation rule (AR) to merge the $n$ received local models and subsequently updates the global model as follows:

  $\displaystyle\bm{\theta}^{t+1}=\text{AR}\{\bm{\theta}_{1}^{t},\bm{\theta}_{2}^{t},\ldots,\bm{\theta}_{n}^{t}\}.$

  (2)

  The commonly used aggregation rule is the FedAvg [39], where the server simply averages the received $n$ local models from distributed NDTs, i.e., $\text{AR}\{\bm{\theta}_{1}^{t},\bm{\theta}_{2}^{t},\ldots,\bm{\theta}_{n}^{t}\}=\frac{1}{n}\sum\limits_{i=1}^{n}\bm{\theta}_{i}^{t}$.

• •

  Step IV (Synchronization). The central server sends the current global model $\bm{\theta}^{t}$ to all NDTs.

Specifically, our multi-level map** framework encompasses a central DT, named global network digital twin (G-NDT), coordinating with a network of $M$ NDTs, and multiple cluster network digital twin (C-NDT). Each NDT, denoted as $m$ in the set $[M]$, independently holds a proprietary dataset $d_{m}=\{d^{1}_{m},d^{2}_{m},\ldots,d^{L}_{m}\}$. In this dataset, $L$ indicates the total number of time intervals, and $d^{l}_{m}$ represents the traffic load at NDT $m$ during the $l$-th interval, where $l$ ranges over $[L]$. The NDT involves constructing input-output predictive traffic sequences locally, denoted as $\{r_{m}^{n},s_{m}^{n}\}_{n=1}^{z}$, for each NDT to generate future traffic predictions. Here, $r_{m}^{n}$ is a suNDTet of historical traffic data corresponding to the output $s_{m}^{n}=\{d_{m}^{l-1},\dots,d_{m}^{l-a},d_{m}^{l-\rho 1},\dots,d_{m}^{l-\rho b}\}$. The parameters $a$ and $b$ represent sliding windows that capture immediate and cyclical temporal dependencies, respectively, while $\rho$ reflects inherent periodicities in the network, which might be influenced by user activity patterns or application service demands.

The first stage, DCS, is employed periodically to ensure effective clustering of NDTs with similar communication characteristics and networking configurations. This clustering step is integral to the efficient creation and updates of multiple distributed NDTs, i.e. C-NDTs, which demonstrate distinct behaviors and perform parallel synchronization with the G-NDT. The DCS algorithm clusters the NDTs based on attributes such as geological distances, capacity of backhaul links, coverage area overlaps, and similarity of frequency of occurrence distribution. The relationship between two NDTs, $n_{1}$ and $n_{2}$, is quantified by a metric $\Phi_{n_{1},n_{2}}$:

In the V-Twinning stage, initial NDTs are created with historical data on caching requests and their frequency. It employs an FL strategy, where model parameters are shared among NDTs instead of raw data, enabling collaborative training of a global model. This approach efficiently distributes twinning tasks across NDTs while ensuring content data privacy. Specifically, the V-Twinning stage initializes a concrete G-NDT and synchronizes C-NDTs with the G-NDT after the twinning aggregation process. The aggregation of C-NDTs to form the G-NDT is given by:

where $\bm{\alpha}_{c}^{t}$ represents the model parameters of the C-NDT for cluster $c$ at time $t$, and $C$ is the number of clusters. This stage is crucial for initializing the network DTs with historical traffic data, which serves as a foundation for future traffic prediction.

The H-Twinning stage is designed to periodically synchronize the physical network and NDTs with real-time data. It adopts an asynchronous FL approach to update with dynamics from the physical network, providing a scalable and flexible solution for wireless networks composed of multiple clusters. This stage updates the twins regularly, ensuring that all NDTs remain relevant and accurately simulate and predict wireless traffic patterns. The update rule for the G-NDT based on the deviation $\epsilon$ between a C-NDT and the current G-NDT is as follows:

where $\psi$ is a predefined threshold, and $\epsilon=(\bm{\alpha}_{c}^{t}-\bm{\alpha}^{t})^{2}$ measures the deviation between the C-NDT and the G-NDT. This stage is critical for incorporating real-time traffic data into the NDTs, enabling them to adapt to changing network conditions and improve traffic prediction accuracy.

Built upon the constructed distributed NDT system, this section discusses the threat model and explores a novel attack that poses a security breach to system functionality and network operations.

The defense against model poisoning attacks is founded on an aggregation protocol designed to identify malicious NDTs, termed the Global-Local Inconsistency Detection (GLID) method, as elaborated in Algorithm 2. In each global round $t$, GLID primarily examines anomalies present in each dimension of the model parameters $\bm{\theta}_{i}^{t}$, aiding in the identification of potentially malicious entities, where $i\in[1,n+m]$ and $n+m$ denotes the total number of NDTs in the system. This robust and versatile approach enables the system to adapt to various operational contexts without necessitating intricate similarity assessments. Then, choosing the parameter for the percentile range when trimming outliers for secure aggregation becomes crucial, as it directly influences the model’s balance between robustness and accuracy. Typically, a narrow percentile range might exclude legitimate variations in data, reducing the model’s accuracy and potentially leading to biased or incomplete representations. Conversely, a broad percentile range may fail to eliminate malicious or anomalous data contributions, compromising the model’s security by allowing adversarial inputs to skew the aggregation process. Therefore, selecting an appropriate percentile range ensures that most benign data points are retained while effectively filtering out outliers or adversarial inputs. This balance is essential for maintaining both the performance and security of digital twin models, protecting against data poisoning attacks without sacrificing the overall quality and representativeness of the aggregated twinning data.

Specifically, the GLID approach enhances the detection of potential malicious activities within the network by employing percentile-based trimming on each dimension of the model parameters. To establish an effective percentile pair for identifying abnormalities, four statistical methods can be adopted: Standard Deviation (SD), Interquartile Range (IQR), z-scores, or One-class Support Vector Machine (One-class SVM).

Suppose the total count of dimensions of the model parameter is $D$. For the default SD method, the percentile pair for each dimension $d$ can be calculated as follows:

where $\bar{\bm{\theta}}_{d}^{t}$ is the mean of the $d$-th dimension across all models in the $t$-th global training round, $\sigma_{d}^{t}$ is the standard deviation of the $d$-th dimension, and $k$ is a predefined constant dictating the sensitivity of outlier detection. $g(\cdot)$ is the interpolation function based on the standard deviation bound to estimate percentile pairs, defined as:

where $P(x)$ is the position of $x$ in the sorted dataset. We use $k=3$ for general purposes. Given that different tasks may require varied percentile bounds, a precise estimation method is crucial for generalizing our defense strategy. The detailed percentile estimation methods are discussed later in this section. In the FL-based WTP system, model parameters in the $d$-th dimension exceeding these percentile limits are flagged as malicious, and their weights $\alpha^{t}_{i}$ are assigned as 0. The other benign values in this dimension are aggregated using a weighted average rule, where the weights $\alpha^{t}_{d,i}$ are inversely proportional to the absolute deviation of each value $\bm{\theta}^{t}_{d,i}$ from the mean $\bar{\bm{\theta}}_{d}^{t}$, and normalized by the standard deviation $\sigma_{d}^{t}$. It can be represented as follows:

These weights of the $d$-th dimension are then normalized and applied to aggregate each BS’s local model $\bm{\theta}_{i}^{t}$ into a global model $\bm{\theta}^{t+1}$, which can be represented as follows in the view of each dimension:

Subsequently, the server broadcasts this aggregated global model parameter $\bm{\theta}^{t+1}$ back to all NDTs for synchronization.

There are three additional percentile estimation strategies listed below. Based on the upper and lower bound computed below, we can get a final percentile estimation decision to detect abnormal values in each dimension.

• •

  Interquartile Range (IQR): The IQR method calculates the range between the first and third quartiles (25th and 75th percentiles) of the data, identifying outliers based on this range. For each dimension $d$, the outlier bounds are:

  	$\displaystyle\text{lower bound}^{t}_{d,\text{IQR}}$	$\displaystyle=Q1^{t}_{d}-k_{\text{IQR}}\cdot\text{IQR}^{t}_{d},$		(11)
  	$\displaystyle\text{upper bound}^{t}_{d,\text{IQR}}$	$\displaystyle=Q3^{t}_{d}+k_{\text{IQR}}\cdot\text{IQR}^{t}_{d},$		(12)

  where $Q1^{t}_{d}$ and $Q3^{t}_{d}$ are the first and third quartiles, and $k_{\text{IQR}}$ adjusts sensitivity.

• •

  Z-scores: The Z-score method measures how many standard deviations a point is from the mean. For each dimension $d$, the normal range bounds are:

  	$\displaystyle\text{lower bound}^{t}_{d,\text{Z-score}}$	$\displaystyle=g\left(\bar{\bm{\theta}}_{d}^{t}-k_{\text{Z}}\cdot\sigma_{d}^{t}\right),$		(13)
  	$\displaystyle\text{upper bound}^{t}_{d,\text{Z-score}}$	$\displaystyle=g\left(\bar{\bm{\theta}}_{d}^{t}+k_{\text{Z}}\cdot\sigma_{d}^{t}\right),$		(14)

  where $k_{\text{Z}}$ is the number of standard deviations for the normal range.

• •

  One-Class SVM: One-class SVM constructs a decision boundary for anomaly detection. The decision function for each dimension $d$ is:

  	$\displaystyle f^{t}_{d}(\bm{\theta})$	$\displaystyle=\text{sign}\left(\sum_{i=1}^{n_{\text{SV}}}\gamma_{i}\cdot K(\bm{\theta}^{t}_{\text{SV}_{i},d},\bm{\theta})-\rho\right),$		(15)
  	where	$\displaystyle\bm{\theta}^{t}_{\text{SV}_{i},d}\,\text{are the support vectors,}$
  		$\displaystyle\gamma_{i}\,\text{are the Lagrange multipliers,}$
  		$\displaystyle K(\cdot,\cdot)\,\text{is the kernel function, and}$
  		$\displaystyle\rho\,\text{is the offset.}$

  A point $\bm{\theta}$ is an outlier if $f^{t}_{d}(\bm{\theta})<0$.

In essence, this defense mechanism is a strategic amalgamation of direct statistical trimming and aggregation, targeting the preservation of the global model’s integrity against poisoning attacks. By accurately isolating and excluding malicious NDTs prior to aggregation, it significantly diminishes the likelihood of adversarial disruption in the FL framework. Additionally, its capacity to accommodate various dimensions and adapt to different inconsistency metrics and aggregation protocols considerably extends its applicability across a broad spectrum of distributed wireless network scenarios.

In this section, we present an extensive evaluation of our proposed FTI poisoning attack and the GLID defense mechanism. We provide extensive results across various performance metrics to demonstrate their effectiveness in multiple dimensions.

In this study, we introduced a novel approach to perform model poisoning attacks on network digital twins through fake traffic injection. Operating under the assumption that real-world BSs are challenging to attack, we inject fake traffic distribution within NDTs with minimum knowledge that disseminates malicious model parameters into distributed network systems. Furthermore, we presented an innovative global-local inconsistency detection mechanism, designed to safeguard the NDT systems. It employs an adaptive trimming strategy, relying on percentile estimations that preserve accurate model parameters while effectively removing outliers. Extensive evaluations demonstrate the effectiveness of our attack and defense, outperforming existing baselines.

With the advent of the digitalization era, the development of an effective security framework for NDT systems presents numerous opportunities for future research and development. Future work could focus on enhancing the capabilities of secure NDT to incorporate real-time data streams and predictive analytics, enabling proactive security management and optimization. Additionally, exploring the integration of explainable artificial intelligence to elucidate model aggregation decisions, detect biases, and ensure the reliability and trustworthiness of the models is a crucial area of research. Further, investigating the application of secure DTs in emerging technologies such as the IoT and 6G cellular systems offers promising avenues for integrated intelligence and autonomy.

This research was supported by the National Science Foundation through Award CNS–2312138 and CNS–2312139.