AI Summary
To address the failure of existing defenses against model poisoning attacks in federated learning under non-IID data distributions, this paper proposes GeminiGuard, a lightweight, unsupervised, dual-path collaborative defense framework. Methodologically, it jointly leverages orthogonal analytical pathways: (i) model-weight analysis via parameter-distance metrics and (ii) latent-space analysis via clustering and anomaly scoring of gradient/feature embeddings. Crucially, it introduces an adaptive threshold calibration mechanism to dynamically adjust detection sensitivity. The key contribution lies in the first integration of these complementary perspectives, overcoming the diminished discriminative power of single-view approaches in non-IID settings. Extensive experiments across diverse non-IID configurations and adaptive poisoning attacks demonstrate that GeminiGuard achieves an average 12.7% higher detection accuracy than state-of-the-art methods, reduces communication overhead by 40%, and supports plug-and-play deployment without requiring labeled data or model retraining.
Abstract
Federated Learning (FL) is a popular paradigm that enables remote clients to jointly train a global model without sharing their raw data. However, FL has been shown to be vulnerable to model poisoning attacks (MPAs) due to its distributed nature. In particular, attackers acting as participants can upload arbitrary model updates that effectively compromise the global model of FL. While extensive research has focused on fighting these attacks, we find that most of it assumes data at remote clients are iid, while in practice they are inevitably non-iid. Our benchmark evaluations reveal that existing defenses generally fail to live up to their reputation when applied to various non-iid scenarios. In this paper, we propose a novel approach, GeminiGuard, that aims to address this significant gap. We design GeminiGuard to be lightweight, versatile, and unsupervised so that it aligns well with the practical requirements of deploying such defenses. The key challenge from non-iid data is that it makes benign model updates look more similar to malicious ones. GeminiGuard is mainly built on two fundamental observations: (1) existing defenses based on either model-weight analysis or latent-space analysis face limitations in covering different MPAs and non-iid scenarios, and (2) model-weight and latent-space analysis are sufficiently different yet potentially complementary methods as MPA defenses. We hence incorporate a novel model-weight analysis component as well as a custom latent-space analysis component in GeminiGuard, aiming to further enhance its defense performance. We conduct extensive experiments to evaluate our defense across various settings, demonstrating its effectiveness in countering multiple types of untargeted and targeted MPAs, including adaptive ones. Our comprehensive evaluations show that GeminiGuard consistently outperforms SOTA defenses under various settings.
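The abstract's central observation, that non-iid data makes benign updates look like malicious ones to a model-weight analysis, can be reproduced in a small self-contained simulation. The following Python is an added illustration written for this page, not code from the GeminiGuard paper or its authors: it runs one FL round with nine honest clients and one sign-flipping client, scores every update by its L2 distance to the coordinate-wise median (a generic, hypothetical model-weight detector, not GeminiGuard's), and flags outliers with a median-plus-MAD threshold. The dimension, noise level, heterogeneity scale, seed and threshold constant are all constructed assumptions.

```python
import random
import statistics
from typing import Dict, List, Set, Tuple

# Toy simulation (constructed for this page, not GeminiGuard's code): shows why a
# plain model-weight distance check loses discriminative power under non-iid data.

DIM = 50             # number of parameters in the toy model (assumption)
N_BENIGN = 9         # honest clients
ATTACKER = N_BENIGN  # index of the single malicious client
NOISE_STD = 0.1      # per-coordinate sampling noise on every client update
MAD_K = 6.0          # robust threshold: median + MAD_K * MAD of the scores


def make_round(heterogeneity: float, seed: int = 7) -> Tuple[List[List[float]], List[float]]:
    """Return (updates, true_direction) for one FL round.

    Each benign update is the shared true direction plus a client-specific drift
    scaled by `heterogeneity` (0.0 = iid, larger = more non-iid) plus noise.
    The attacker submits a sign-flipped update, the textbook untargeted MPA,
    used here only as the thing the defender has to spot.
    """
    rng = random.Random(seed)
    true_dir = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    updates: List[List[float]] = []
    for _ in range(N_BENIGN):
        drift = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
        updates.append([g + heterogeneity * b + rng.gauss(0.0, NOISE_STD)
                        for g, b in zip(true_dir, drift)])
    updates.append([-g + rng.gauss(0.0, NOISE_STD) for g in true_dir])
    return updates, true_dir


def distance_scores(updates: List[List[float]]) -> List[float]:
    """Model-weight view: L2 distance of each update to the coordinate-wise median."""
    median_vec = [statistics.median(col) for col in zip(*updates)]
    return [sum((a - b) ** 2 for a, b in zip(u, median_vec)) ** 0.5 for u in updates]


def flag_outliers(scores: List[float], k: float = MAD_K) -> Set[int]:
    """Flag clients whose score exceeds median + k * MAD (robust z-score style)."""
    med = statistics.median(scores)
    mad = statistics.median(abs(s - med) for s in scores)
    threshold = med + k * mad
    return {i for i, s in enumerate(scores) if s > threshold}


def separation(scores: List[float]) -> float:
    """How far the attacker stands out: its score over the largest benign score.
    Values near 1.0 mean the detector can no longer tell the two apart."""
    benign_max = max(scores[:N_BENIGN])
    return scores[ATTACKER] / benign_max


def evaluate(heterogeneity: float) -> Dict[str, object]:
    """Run one round at the given heterogeneity and report what the detector sees."""
    updates, _ = make_round(heterogeneity)
    scores = distance_scores(updates)
    return {"flagged": flag_outliers(scores), "separation": separation(scores)}


if __name__ == "__main__":
    for label, h in (("iid", 0.0), ("non-iid", 1.5)):
        result = evaluate(h)
        print(f"{label:8s} flagged={sorted(result['flagged'])} "
              f"separation={result['separation']:.2f}")
```

Under iid data the attacker's distance is an order of magnitude above every benign client and is the only one flagged; under non-iid data the benign drift alone pushes honest clients to distances comparable to the attacker's, so the same rule either misses the attacker or sweeps in honest clients. This is the single-view weakness the abstract cites as motivation for combining model-weight analysis with an independent latent-space view.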