Table 4.1

Various threat models for different adversarial actors

| Data / Access Point | Actor | Model |
|---|---|---|
| Clients | Someone who has root access to the client device, either by design or by compromising the device | Malicious clients can inspect all messages received from the server (including the model iterates) in the rounds they participate in and can tamper with the training process. An honest-but-curious client can inspect all messages received from the server but cannot tamper with the training process. In some cases, technologies such as secure enclaves/TEEs may be able to limit the influence and visibility of such an attacker, representing a meaningfully weaker threat model. |
| Server | Someone who has root access to the server, either by design or by compromising the device | A malicious server can inspect all messages sent to the server (including the gradient updates) in all rounds and can tamper with the training process. An honest-but-curious server can inspect all messages sent to the server but cannot tamper with the training process. In some cases, technologies such as secure enclaves/TEEs may be able to limit the influence and visibility of such an attacker, representing a meaningfully weaker threat model. |
| Output Models | Engineers and analysts | A malicious analyst or model engineer may have access to multiple outputs from the system, e.g., sequences of model iterates from multiple training runs with different hyperparameters. Exactly what information is released to this actor is an important system design question. |
| Deployed Models | The rest of the world | In cross-device FL, the final model may be deployed to hundreds of millions of devices. A partially compromised device can have black-box access to the learned model, and a fully compromised device can have white-box access to the learned model. |
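The Server row above says an honest-but-curious server can inspect every gradient update sent to it. The following added example (constructed for this page, not code from the paper or any FL framework) makes that visibility concrete: it runs one toy aggregation round twice, once with updates sent in the clear and once with pairwise additive masking of the kind used by secure aggregation protocols. The pairwise seeds, the PRG, the field size and the client updates are all assumed, constructed values; in a real deployment each pair of clients would derive its seed from a key agreement the server cannot observe.

```python
"""Toy federated-averaging round showing what an honest-but-curious server
sees under plain aggregation versus pairwise additive masking.
Constructed example, not taken from the paper."""
import random
from typing import Dict, List, Tuple

MODULUS = 2 ** 32  # constructed field size for masked integer arithmetic
Vector = List[int]
Seeds = Dict[Tuple[int, int], int]


def pairwise_mask(seed: int, dim: int) -> Vector:
    """Expand a shared pairwise seed into a mask vector (stand-in for a PRG
    keyed by a key-agreement output; assumed, not a real protocol)."""
    rng = random.Random(seed)
    return [rng.randrange(MODULUS) for _ in range(dim)]


def make_seeds(n_clients: int, master: int = 1234) -> Seeds:
    """Constructed pairwise seeds for every unordered client pair (i < j)."""
    rng = random.Random(master)
    return {(i, j): rng.getrandbits(64)
            for i in range(n_clients) for j in range(i + 1, n_clients)}


def plain_round(updates: List[Vector]) -> Tuple[List[Vector], Vector]:
    """Plain round: every client update reaches the server in the clear.
    Returns (what the server saw, the aggregate it computed)."""
    server_view = [[x % MODULUS for x in u] for u in updates]
    aggregate = [sum(col) % MODULUS for col in zip(*server_view)]
    return server_view, aggregate


def mask_update(client: int, update: Vector, seeds: Seeds) -> Vector:
    """Client adds the mask shared with each higher-indexed partner and
    subtracts the mask shared with each lower-indexed partner, so the masks
    cancel in the sum while hiding each vector on its own."""
    masked = [x % MODULUS for x in update]
    for (i, j), seed in seeds.items():
        if client not in (i, j):
            continue
        sign = 1 if client == i else -1
        for k, m in enumerate(pairwise_mask(seed, len(update))):
            masked[k] = (masked[k] + sign * m) % MODULUS
    return masked


def masked_round(updates: List[Vector], seeds: Seeds) -> Tuple[List[Vector], Vector]:
    """Masked round: the server only ever receives masked vectors, yet the
    modular sum equals the sum of the true updates."""
    server_view = [mask_update(c, u, seeds) for c, u in enumerate(updates)]
    aggregate = [sum(col) % MODULUS for col in zip(*server_view)]
    return server_view, aggregate


# Constructed client updates (three clients, three parameters each).
UPDATES: List[Vector] = [[1, 2, 3], [4, 5, 6], [7, 8, 9]]


if __name__ == "__main__":
    view, agg = plain_round(UPDATES)
    print("plain round, server sees:", view, "aggregate:", agg)
    mview, magg = masked_round(UPDATES, make_seeds(len(UPDATES)))
    print("masked round, server sees:", mview, "aggregate:", magg)
```

In the plain round the server's view is exactly the per-client updates, which is the honest-but-curious server capability the table describes; in the masked round each vector the server holds is uniformly random on its own while the aggregate is unchanged. The masking only protects against the Server row's inspection capability: a malicious client can still submit an arbitrary masked vector, and the server can no longer inspect individual updates to reject it, which is the trade-off a system designer has to weigh between these two rows.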
