FedPoisonTTP: A Threat Model and Poisoning Attack for Federated Test-Time Personalization

Md Akil Raihan Iftee, Syed Md. Ahnaf Hasan, Amin Ahsan Ali, AKM Mahbubur Rahman, Sajib Mistry, Aneesh Krishna

TL;DR

FedPoisonTTP exposes a realistic security gap in federated test-time personalization by modeling a grey-box adversary with limited visibility and partial participation. The authors introduce a practical attack framework that combines a history-based surrogate aggregator, a feature-regularized in-distribution poisoning scheme, and TTA-aware objectives to degrade post-aggregation performance across honest clients. Through extensive experiments on CIFAR-10-C and CIFAR-100-C with multiple FTTA methods and aggregations, they show significant degradation, especially on CIFAR-100-C, and demonstrate the transferability of grey-box attacks. The work highlights the need for robust defenses in FTTA and provides a concrete foundation for future research on secure and resilient federated personalization.

Abstract

Test-time personalization in federated learning enables models at clients to adjust online to local domain shifts, enhancing robustness and personalization in deployment. Yet, existing federated learning work largely overlooks the security risks that arise when local adaptation occurs at test time. Heterogeneous domain arrivals, diverse adaptation algorithms, and limited cross-client visibility create vulnerabilities where compromised participants can craft poisoned inputs and submit adversarial updates that undermine both global and per-client performance. To address this threat, we introduce FedPoisonTTP, a realistic grey-box attack framework that explores test-time data poisoning in the federated adaptation setting. FedPoisonTTP distills a surrogate model from adversarial queries, synthesizes in-distribution poisons using feature-consistency, and optimizes attack objectives to generate high-entropy or class-confident poisons that evade common adaptation filters. These poisons are injected during local adaptation and spread through collaborative updates, leading to broad degradation. Extensive experiments on corrupted vision benchmarks show that compromised participants can substantially diminish overall test-time performance.

Paper Structure

This paper contains 46 sections, 20 equations, 3 figures, 2 tables.

Figures (3)

  • Figure 1: Overview of the FedPoisonTTP threat model. A subset of clients is compromised and injects poisoned inputs during local test-time adaptation. The attacker uses a surrogate model to craft in-distribution poisons via PGD-based optimization, which are then fed into the live TTA model, causing corrupted updates that propagate through the federated aggregation process and degrade the performance of honest clients.
  • Figure 2: Impact on overall accuracy for FedAvg-TENT setup due to varying the number of adversarial clients, ratio of malicious samples ($\alpha$), and the batch size for the participating clients. Overall accuracy reflects the average performance across the test sets of benign clients as well as the benign portion of the adversarial clients’ test data.
  • Figure 3: Overall Accuracy (%) vs. Number of Federated Rounds. Performance on the benign clients and the benign partition of the adversarial clients (overall accuracy) on CIFAR-10-C (dashed lines) and CIFAR-100-C (solid lines) under White-Box (black) and Grey-Box (orange) attacks.