Table 5.1

Characteristics of an adversary’s capabilities in federated settings

Characteristic         Description/Types

Attack vector          How the adversary introduces the attack.
  • Data poisoning: the adversary alters the client datasets used to train the model.

  • Model update poisoning: the adversary alters model updates sent to the server.

  • Evasion attack: the adversary alters the data used at inference time.

Model inspection       Whether the adversary can observe the model parameters.
  • Black box: the adversary has no ability to inspect the parameters of the model before or during the attack. This is generally not the case in federated learning.

  • Stale white box: the adversary can only inspect a stale version of the model. This naturally arises in the federated setting when the adversary has access to a client participating in an intermediate training round.

  • White box: the adversary has the ability to directly inspect the parameters of the model. This can occur in cross-silo settings and in cross-device settings when an adversary has access to a large pool of devices likely to be chosen as participants.

Participant collusion  Whether multiple adversaries can coordinate an attack.
  • Non-colluding: there is no capability for participants to coordinate an attack.

  • Cross-update collusion: past client participants can coordinate with future participants on attacks to future updates to the global model.

  • Within-update collusion: current client participants can coordinate on an attack to the current model update.

Participation rate     How often an adversary can inject an attack throughout training.
  • In cross-device federated settings, a malicious client may only be able to participate in a single model training round.

  • In cross-silo federated settings, an adversary may have continuous participation in the learning process.

Adaptability           Whether an adversary can alter the attack parameters as the attack progresses.
  • Static: the adversary must fix the attack parameters at the start of the attack and cannot change them.

  • Dynamic: the adversary can adapt the attack as training progresses.
