This is a list of papers reviewed in A Survey on Vulnerability of Federated Learning: A Learning Algorithm Perspective.

```bibtex
@article{XIE2024127225,
  title   = {A survey on vulnerability of federated learning: A learning algorithm perspective},
  author  = {Xianghua Xie and Chen Hu and Hanchi Ren and Jingjing Deng},
  journal = {Neurocomputing},
  volume  = {573},
  pages   = {127225},
  year    = {2024},
  issn    = {0925-2312},
  doi     = {10.1016/j.neucom.2023.127225},
  url     = {https://www.sciencedirect.com/science/article/pii/S0925231223013486},
}
```

In this paper, we propose a taxonomy of FL attacks centered around attack origins and attack targets, shown in the table below. Our taxonomy of FL attacks emphasizes exploited vulnerabilities and their direct victims.

| Type of Attack | Definition | Example |
|---|---|---|
| Data to Model (D2M) | Tampering with the training data alone to degrade model performance | Label flipping |
| Model to Model (M2M) | Tampering with model updates to prevent learning from converging | Byzantine attack |
| Model to Data (M2D) | Intercepting model updates to infer private information about the training data | Gradient leakage |
| Composite (D2M+M2M) | Tampering with both data and updates to manipulate model behavior | Backdoor injection |

We describe Data to Model (D2M) attacks in FL as threat models that are launched by manipulating the local data while the models in training are the targeted victims. D2M attacks are also considered black-box attacks because the attacker does not need access to inside information such as client model weights or updates; tampering with the data alone is often sufficient to launch a D2M attack. However, attackers can also draw information from the local dataset or client models to enhance the effectiveness of D2M attacks.

| Paper | Venue |
|---|---|
| Poisoning Attacks against Support Vector Machines | ACM ICML |
| Mitigating Sybils in Federated Learning Poisoning | arXiv |
| Data Poisoning Attacks Against Federated Learning Systems | SPRINGER ESORICS |
| Semi-Targeted Model Poisoning Attack on Federated Learning via Backward Error Analysis | arXiv |
| Attack of the Tails: Yes, You Really Can Backdoor Federated Learning | NeurIPS |
| PoisonGAN: Generative Poisoning Attacks Against Federated Learning in Edge Computing Systems | IEEE ITJ |
| Turning Federated Learning Systems Into Covert Channels | IEEE Access |
| Challenges and Approaches for Mitigating Byzantine Attacks in Federated Learning | arXiv |
| Turning Privacy-preserving Mechanisms against Federated Learning | arXiv |
| Local Environment Poisoning Attacks on Federated Reinforcement Learning | arXiv |
| Data Poisoning Attacks on Federated Machine Learning | arXiv |
| Understanding Distributed Poisoning Attack in Federated Learning | IEEE ICPADS |

We define Model to Model (M2M) attacks in FL as threat models that manipulate local model updates or weights to affect the global model. The primary objective of an M2M attack is to disrupt the convergence of FL algorithms. The presence of M2M attacks is also described as the Byzantine problem: in a distributed system affected by it, benign and malicious participants coexist, and the malicious participants deliberately disseminate confusing or contradicting information to undermine the system's normal operation. Therefore, the challenge for the system administrator lies in achieving consensus among benign participants despite the presence of malicious ones.
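The paragraph above frames the administrator's problem as reaching consensus among benign clients when some updates are deliberately contradicting. The Python script below is an added example for this list, not code from the survey or from any paper it cites. On a constructed five-client round it shows that plain averaging is dominated by a single Byzantine update, that a coordinate-wise median or trimmed mean (aggregators of the kind studied in the Byzantine-robust papers listed below) stays close to the benign consensus, and that a distance-to-median check lets the server flag the outlying client. The client vectors, the `factor` threshold and all function names are assumptions made for the example.

```python
"""Robust aggregation against a Byzantine (M2M) client in one FL round.

Added example for this paper list; not code from the survey or from any cited
paper. It assumes a toy round in which every client sends a gradient vector
and the server aggregates them. All client updates are constructed data.
"""
from statistics import median
from typing import List, Sequence

Vector = Sequence[float]

# Constructed sample round: four benign clients whose gradients roughly agree
# (true direction about [1.0, -2.0, 0.5]) and one Byzantine client sending a
# large contradicting update intended to stall convergence.
BENIGN_UPDATES: List[Vector] = [
    [1.1, -2.0, 0.4],
    [0.9, -1.9, 0.6],
    [1.0, -2.1, 0.5],
    [1.0, -2.0, 0.5],
]
BYZANTINE_UPDATE: Vector = [-50.0, 80.0, -30.0]
ROUND_UPDATES: List[Vector] = BENIGN_UPDATES + [BYZANTINE_UPDATE]


def mean_aggregate(updates: List[Vector]) -> List[float]:
    """Plain FedAvg-style averaging: one extreme update dominates the result."""
    n = len(updates)
    dim = len(updates[0])
    return [sum(u[i] for u in updates) / n for i in range(dim)]


def median_aggregate(updates: List[Vector]) -> List[float]:
    """Coordinate-wise median: robust while fewer than half the clients are malicious."""
    dim = len(updates[0])
    return [median(u[i] for u in updates) for i in range(dim)]


def trimmed_mean_aggregate(updates: List[Vector], trim: int) -> List[float]:
    """Coordinate-wise trimmed mean: drop the `trim` largest and `trim` smallest
    values of every coordinate before averaging."""
    n = len(updates)
    if 2 * trim >= n:
        raise ValueError("trim too large for the number of clients")
    dim = len(updates[0])
    result = []
    for i in range(dim):
        column = sorted(u[i] for u in updates)
        kept = column[trim:n - trim]
        result.append(sum(kept) / len(kept))
    return result


def l2_distance(a: Vector, b: Vector) -> float:
    """Euclidean distance between two update vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def flag_outliers(updates: List[Vector], factor: float = 3.0) -> List[int]:
    """Server-side check: flag clients whose distance to the coordinate-wise
    median exceeds `factor` times the median of all clients' distances.
    `factor` is an assumed threshold chosen for this example."""
    center = median_aggregate(updates)
    distances = [l2_distance(u, center) for u in updates]
    scale = median(distances)
    # scale is 0 when most clients agree exactly; floor it to avoid flagging everyone
    threshold = factor * max(scale, 1e-9)
    return [idx for idx, d in enumerate(distances) if d > threshold]


if __name__ == "__main__":
    print("mean        :", mean_aggregate(ROUND_UPDATES))
    print("median      :", median_aggregate(ROUND_UPDATES))
    print("trimmed mean:", trimmed_mean_aggregate(ROUND_UPDATES, trim=1))
    print("flagged     :", flag_outliers(ROUND_UPDATES))
```

The median and trimmed mean only hold up while the malicious clients are a minority per coordinate, which is why the listed attack papers aim at colluding clients or at updates that stay inside the robust aggregator's tolerance; the outlier check is a cheap complement, not a replacement, for a robust aggregation rule.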

| Paper | Venue |
|---|---|
| Free-rider Attacks on Model Aggregation in Federated Learning | PMLR |
| Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent | NeurIPS |
| Generalized Byzantine-tolerant SGD | arXiv |
| RSA: Byzantine-robust stochastic aggregation methods for distributed learning from heterogeneous datasets | AAAI |
| A Little Is Enough: Circumventing Defenses For Distributed Learning | NeurIPS |
| The Hidden Vulnerability of Distributed Learning in Byzantium | PMLR |
| Local model poisoning attacks to byzantine-robust federated learning | ACM SEC |
| PipAttack: Poisoning Federated Recommender Systems for Manipulating Item Promotion | ACM WSDM |
| FedRecAttack: Model Poisoning Attack to Federated Recommendation | IEEE ICDE |
| Poisoning Deep Learning Based Recommender Model in Federated Learning Scenarios | IJCAI |
| Byzantine-Robust Distributed Learning: Towards Optimal Statistical Rates | ICML |
| Distributed Statistical Machine Learning in Adversarial Settings: Byzantine Gradient Descent | ACM |
| Robust Aggregation for Federated Learning | IEEE |
| ELITE: Defending Federated Learning against Byzantine Attacks based on Information Entropy | IEEE |

We group Model to Data (M2D) attacks in FL into two kinds: non-gradient-based data leakage and gradient-based data leakage.
We define non-gradient-based data leakage as the disclosure of private information that occurs independently of the gradient generated during the training stage. For instance, the leakage can involve identifying specific attributes or membership details within the training data, or recovering original training images from obscured or masked versions. Typically, such leakage exploits the capabilities of a well-trained model to execute these attacks.
Gradient-based data leakage refers to techniques that exploit gradients from the target model to expose privacy-sensitive information. A deep learning model's parameters are updated to fit the features of its training data, which establishes an inherent relationship between the weights or gradients and the dataset. Consequently, numerous studies aim to reveal private information by leveraging these gradients. The effectiveness and success rates of gradient-based approaches have consistently surpassed those of non-gradient-based methods. Unlike non-gradient-based leakage, gradient-based data leakage can occur even in models that have not yet converged.

| Paper | Venue |
|---|---|
| Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers | arXiv |
| Membership inference attacks against machine learning models | IEEE SP |
| Defeating image obfuscation with deep learning | arXiv |
| The secret revealer: Generative model-inversion attacks against deep neural networks | IEEE CVPR |
| Deep Models under the GAN: Information Leakage from Collaborative Deep Learning | ACM CCS |
| Exploiting Unintended Feature Leakage in Collaborative Learning | IEEE SP |
| Auditing Privacy Defenses in Federated Learning via Generative Gradient Leakage | IEEE CVPR |
| Deep Leakage from Gradients | NeurIPS |
| iDLG: Improved Deep Leakage from Gradients | arXiv |
| Inverting Gradients - How Easy Is It to Break Privacy in Federated Learning? | NeurIPS |
| GRNN: Generative Regression Neural Network: A Data Leakage Attack for Federated Learning | ACM TIST |
| Gradient Inversion with Generative Image Prior | NeurIPS |
| See through Gradients: Image Batch Recovery via GradInversion | IEEE CVPR |
| Beyond Inferring Class Representatives: User-level Privacy Leakage from Federated Learning | IEEE ICCC |
| An Accuracy-Lossless Perturbation Method for Defending Privacy Attacks in Federated Learning | ACM WC |
| LDP-FL: Practical private aggregation in federated learning with local differential privacy | arXiv |
| Soteria: Provable Defense against Privacy Leakage in Federated Learning from Representation Perspective | IEEE CVPR |
| An effective value swapping method for privacy preserving data publishing | SCN |
| Efficient data perturbation for privacy preserving and accurate data stream mining | ELSEVIER PMC |
| Efficient privacy preservation of big data for accurate data mining | ELSEVIER IS |
| Digestive neural networks: A novel defense strategy against inference attacks in federated learning | ELSEVIER CS |
| Privacy preserving distributed machine learning with federated learning | ELSEVIER CC |
| Deep learning with gaussian differential privacy | HDSR |
| FedBoosting: Federated Learning with Gradient Protected Boosting for Text Recognition | ELSEVIER NEUROCOMPUTING |
| Privacy-preserving federated learning framework based on chained secure multiparty computing | IEEE ITJ |
| Differential privacy approach to solve gradient leakage attack in a federated machine learning environment | SPRINGER ICCDSN |
| Gradient-leakage resilient federated learning | IEEE ICDCS |
| Gradient Leakage Defense with Key-Lock Module for Federated Learning | arXiv |
| PRECODE - A Generic Model Extension to Prevent Deep Gradient Leakage | IEEE CVPR |

We define composite attacks as threat models that corrupt multiple aspects of FL. The attacker can combine D2M and M2M attacks to launch backdoor attacks: trigger patterns are surreptitiously added to the local training data, and the model updates are then poisoned so that the global model learns how to react to the triggers. Backdoored models behave normally when fed clean data; in the presence of trigger data, they give the predictions designated by the attacker. Compared to D2M or M2M attacks, composite attacks tend to be stealthier and more destructive because the attacker controls both the training data and the client model updates.

| Paper | Venue |
|---|---|
| Analyzing Federated Learning through an Adversarial Lens | ICML |
| How To Backdoor Federated Learning | ICAIS |
| Can You Really Backdoor Federated Learning? | NeurIPS Workshop |
| Attack of the Tails: Yes, You Really Can Backdoor Federated Learning | NeurIPS |
| A Little Is Enough: Circumventing Defenses For Distributed Learning | NeurIPS |
| DBA: Distributed Backdoor Attacks against Federated Learning | ICLR |
| Coordinated Backdoor Attacks against Federated Learning with Model-Dependent Triggers | IEEE Networks |
| Neurotoxin: Durable Backdoors in Federated Learning | ICML |
| Learning to backdoor federated learning | ICLR Workshop |
| On the Vulnerability of Backdoor Defenses for Federated Learning | NeurIPS Workshop |
| Backdoor Attacks in Federated Learning by Rare Embeddings and Gradient Ensembling | EMNLP |
| Thinking two moves ahead: Anticipating other users improves backdoor attacks in federated learning | arXiv |
| Accumulative Poisoning Attacks on Real-time Data | NeurIPS |
| Defending against Backdoors in Federated Learning with Robust Learning Rate | AAAI |
| Learning Differentially Private Recurrent Language Models | ICLR |
| Mitigating Backdoor Attacks in Federated Learning | arXiv |
| FedRAD: Federated Robust Adaptive Distillation | NeurIPS Workshop |
| CRFL: Certifiably Robust Federated Learning against Backdoor Attacks | ICML |
| FLCert: Provably Secure Federated Learning Against Poisoning Attacks | IEEE |
| BaFFLe: Backdoor Detection via Feedback-based Federated Learning | IEEE |
| DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection | NDSS |
| FLAME: Taming Backdoors in Federated Learning | USENIX |