Threats to Federated Learning: A Survey

Lingjuan Lyu, Han Yu, Qiang Yang

TL;DR

This survey analyzes threats to federated learning by first framing the attacker model along three axes (insider vs. outsider, semi-honest vs. malicious, training phase vs. inference phase) and then detailing two major attack classes: poisoning and inference. It explicates data- and model-poisoning methods and a spectrum of inference techniques, including GAN-based class representation attacks and gradient-based leakage attacks such as Deep Leakage from Gradients (DLG). The authors discuss current defenses (e.g., differential privacy, secure aggregation) and their shortcomings, and outline future directions such as robust defenses for vertical FL (VFL), decentralized FL, heterogeneous architectures, and optimized deployment of security measures. The work underscores the practical privacy risks in FL and the need for interdisciplinary, scalable defenses that maintain model utility in real-world deployments.
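To make the gradient-leakage risk named above concrete, the following is an added example, not code from the survey or from the DLG authors. It uses the closed-form inversion of a single fully connected layer (here, logistic regression on one sample) rather than DLG's iterative gradient-matching optimization: because grad_w = (p - y) * x and grad_b = p - y, a semi-honest server that sees one client's unprotected gradient recovers x and y exactly. It then shows what the same server sees when only the sum of two clients' gradients is visible, as under secure aggregation. The model weights and the two clients' samples are constructed values assumed for the demonstration.

```python
import math

# Constructed, assumed values: a tiny logistic-regression model and two
# clients' private training samples. None of these numbers come from the paper.
W = [0.1, 0.2, -0.3]
B = 0.05
CLIENT_1 = ([0.5, -1.25, 3.0], 1)   # (features, label)
CLIENT_2 = ([2.0, 0.5, -1.0], 0)


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def client_gradient(w, b, x, y):
    """One local step of logistic regression on a single (x, y) pair.

    Returns the gradient of the binary cross-entropy loss with respect to
    (w, b). For this layer dL/dz = p - y, so grad_w = (p - y) * x and
    grad_b = p - y: the raw input x is stored in the gradient up to a scalar.
    """
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    p = sigmoid(z)
    dz = p - y
    return [dz * xi for xi in x], dz


def recover_from_gradient(grad_w, grad_b):
    """Semi-honest server: reconstruct (x, y) from an unprotected single-sample
    gradient. This is the closed-form inversion of a fully connected layer,
    not DLG's iterative gradient matching. Returns None if grad_b is zero."""
    if grad_b == 0.0:
        return None
    x_hat = [g / grad_b for g in grad_w]
    # grad_b = p - y with p in (0, 1): it is negative iff y = 1, so the
    # label leaks as well.
    y_hat = 1 if grad_b < 0 else 0
    return x_hat, y_hat


def aggregate(gradients):
    """What the server sees under secure aggregation: only the sum over the
    cohort (two clients here for brevity; a real cohort would be larger)."""
    n = len(gradients[0][0])
    grad_w = [sum(g[0][i] for g in gradients) for i in range(n)]
    grad_b = sum(g[1] for g in gradients)
    return grad_w, grad_b


def max_abs_diff(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def demo():
    # Case 1: one client's gradient sent in the clear -> exact reconstruction.
    g1 = client_gradient(W, B, *CLIENT_1)
    x1_hat, y1_hat = recover_from_gradient(*g1)
    # Case 2: only the sum of two clients' gradients is visible -> the same
    # inversion yields a blend that matches neither client's sample.
    g2 = client_gradient(W, B, *CLIENT_2)
    x_mix, _ = recover_from_gradient(*aggregate([g1, g2]))
    return {
        "clear_error": max_abs_diff(x1_hat, CLIENT_1[0]),
        "clear_label_ok": y1_hat == CLIENT_1[1],
        "agg_error_vs_client1": max_abs_diff(x_mix, CLIENT_1[0]),
        "agg_error_vs_client2": max_abs_diff(x_mix, CLIENT_2[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The single-sample, single-layer setting is the worst case; with larger batches and deeper models the attacker falls back to optimization-based matching as in DLG, and aggregation alone is known to be insufficient when the cohort is small or when the server can isolate a client, which is why the survey discusses combining secure aggregation with differential privacy.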

Abstract

With the emergence of data silos and popular privacy awareness, the traditional centralized approach of training artificial intelligence (AI) models is facing strong challenges. Federated learning (FL) has recently emerged as a promising solution under this new reality. Existing FL protocol design has been shown to exhibit vulnerabilities which can be exploited by adversaries both within and without the system to compromise data privacy. It is thus of paramount importance to make FL system designers aware of the implications of future FL algorithm design on privacy preservation. Currently, there is no survey on this topic. In this paper, we bridge this important gap in FL literature. By providing a concise introduction to the concept of FL, and a unique taxonomy covering threat models and two major attacks on FL: 1) poisoning attacks and 2) inference attacks, this paper provides an accessible review of this important topic. We highlight the intuitions, key techniques as well as fundamental assumptions adopted by various attacks, and discuss promising future research directions towards more robust privacy preservation in FL.

Paper Structure

This paper contains 16 sections, 4 figures, and 2 tables.

Figures (4)

  • Figure 1: A typical FL training process, in which both the (potentially malicious) FL server/aggregator and malicious participants may compromise the FL system.
  • Figure 2: Data vs. model poisoning attacks in FL.
  • Figure 3: Attacker infers information unrelated to the learning task.
  • Figure 4: Attacker infers gradients from a batch of training data.