Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A Survey on Vulnerability of Federated Learning: A Learning Algorithm Perspective

Xianghua Xie, Chen Hu, Hanchi Ren, Jingjing Deng

TL;DR

This survey analyzes the vulnerability landscape of federated learning from a learning-algorithm perspective, classifying threats into data-to-model, model-to-model, model-to-data, and composite attacks. It surveys attack models, defenses, and evaluation metrics across classification, RL, and recommendation domains, highlighting how data manipulation, update tampering, and gradient leakage can undermine privacy and convergence. The authors map defense strategies to attack categories, discuss limitations, and identify gaps such as robust aggregation, automatic attack detection, and domain-specific protections. The work advances practical guidance for designing robust, privacy-preserving FL systems with versatile defenses applicable to real-world multi-party learning scenarios.

Abstract

This review paper takes a comprehensive look at malicious attacks against FL, categorizing them from new perspectives on attack origins and targets, and providing insights into their methodology and impact. In this survey, we focus on threat models targeting the learning process of FL systems. Based on the source and target of the attack, we categorize existing threat models into four types, Data to Model (D2M), Model to Data (M2D), Model to Model (M2M) and composite attacks. For each attack type, we discuss the defense strategies proposed, highlighting their effectiveness, assumptions and potential areas for improvement. Defense strategies have evolved from using a singular metric to excluding malicious clients, to employing a multifaceted approach examining client models at various phases. In this survey paper, our research indicates that the to-learn data, the learning gradients, and the learned model at different stages all can be manipulated to initiate malicious attacks that range from undermining model performance, reconstructing private local data, and to inserting backdoors. We have also seen these threat are becoming more insidious. While earlier studies typically amplified malicious gradients, recent endeavors subtly alter the least significant weights in local models to bypass defense measures. This literature review provides a holistic understanding of the current FL threat landscape and highlights the importance of developing robust, efficient, and privacy-preserving defenses to ensure the safe and trusted adoption of FL in real-world applications.

A Survey on Vulnerability of Federated Learning: A Learning Algorithm Perspective

TL;DR

This survey analyzes the vulnerability landscape of federated learning from a learning-algorithm perspective, classifying threats into data-to-model, model-to-model, model-to-data, and composite attacks. It surveys attack models, defenses, and evaluation metrics across classification, RL, and recommendation domains, highlighting how data manipulation, update tampering, and gradient leakage can undermine privacy and convergence. The authors map defense strategies to attack categories, discuss limitations, and identify gaps such as robust aggregation, automatic attack detection, and domain-specific protections. The work advances practical guidance for designing robust, privacy-preserving FL systems with versatile defenses applicable to real-world multi-party learning scenarios.

Abstract

This review paper takes a comprehensive look at malicious attacks against FL, categorizing them from new perspectives on attack origins and targets, and providing insights into their methodology and impact. In this survey, we focus on threat models targeting the learning process of FL systems. Based on the source and target of the attack, we categorize existing threat models into four types, Data to Model (D2M), Model to Data (M2D), Model to Model (M2M) and composite attacks. For each attack type, we discuss the defense strategies proposed, highlighting their effectiveness, assumptions and potential areas for improvement. Defense strategies have evolved from using a singular metric to excluding malicious clients, to employing a multifaceted approach examining client models at various phases. In this survey paper, our research indicates that the to-learn data, the learning gradients, and the learned model at different stages all can be manipulated to initiate malicious attacks that range from undermining model performance, reconstructing private local data, and to inserting backdoors. We have also seen these threat are becoming more insidious. While earlier studies typically amplified malicious gradients, recent endeavors subtly alter the least significant weights in local models to bypass defense measures. This literature review provides a holistic understanding of the current FL threat landscape and highlights the importance of developing robust, efficient, and privacy-preserving defenses to ensure the safe and trusted adoption of FL in real-world applications.
Paper Structure (38 sections, 1 equation, 11 figures, 9 tables, 3 algorithms)

This paper contains 38 sections, 1 equation, 11 figures, 9 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Preliminaries of Federated Learning
  3. Data to Model Attacks
  4. D2M Attacks on Class Labels
  5. D2M Attacks on Samples
  6. Defense Against D2M Attacks
  7. Evaluation Metrics for Attacks and Defenses on Classification Tasks
  8. Model to Model Attacks
  9. General M2M Threat Models
  10. Priori M2M Attacks
  11. Posteriori M2M Attacks
  12. M2M Threat Models on Federated Recommendation Systems
  13. Defense Against M2M Attack
  14. Defense Against Free-Rider Attacks
  15. Model to Data Attacks
  16. ...and 23 more sections

Figures (11)

  • Figure 1: An Overview of Common Vulnerabilities in FL. Malicious attackers can: (a) manipulate model updates to prevent the global model from converging; (b) tamper data labels to induce erroneous predictions after training; (c) inject backdoors into the global model; (d) reconstruct data or inference data properties by eavesdropping model updates; (e) steal the global model while contribute nothing.
  • Figure 2: An illustration for D2M attack.
  • Figure 3: The timeline of research on FL attacks and defenses.
  • Figure 4: An illustration of M2M attack.
  • Figure 5: M2D Attack.
  • ...and 6 more figures