
arxiv: 2606.22782 · v1 · pith:62GO4CCPnew · submitted 2026-06-22 · 💻 cs.LG · cs.CR

Towards Robust Personalized Federated Learning: Vulnerability Assessment and Defense Co-Design

Pith reviewed 2026-06-26 09:19 UTC · model grok-4.3

classification 💻 cs.LG cs.CR
keywords personalized federated learning · adversarial attacks · transfer-based attacks · robustness · defense framework · distributed machine learning · IoT security

The pith

In personalized federated learning, a malicious client can use its own local model to craft transfer-based adversarial examples that degrade peer clients' personalized models, and the paper finds this degradation larger than the same attack causes against a centrally trained model.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that common personalized federated learning methods carry greater vulnerability to transfer-based adversarial attacks than centralized learning does. Malicious clients use knowledge from their local models to generate adversarial examples that transfer across clients and degrade the accuracy of other clients' personalized models. Theoretical analysis and tests on benchmark datasets confirm notable accuracy drops for multiple PFL approaches. The authors introduce a defense that combines stochastic input noise, input-scaled trace regularization, and parameter sensitivity maximization to reduce this exposure in distributed systems.

Core claim

PFL methods exhibit heightened vulnerability to transfer-based adversarial attacks compared to centralized learning paradigms, wherein malicious clients can exploit local model knowledge to craft adversarial examples that can compromise peer clients' personalized models. This is established through both theoretical analysis and empirical evaluation across multiple benchmark datasets, demonstrating significant accuracy drops across various PFL methods. A defense framework is proposed that combines stochastic input noise, input-scaled trace regularization, and parameter sensitivity maximization.

What carries the argument

Transfer of adversarial examples across clients enabled by the personalization mechanism in federated learning.
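The transfer pathway described above, as an added illustration that is not the paper's code: two clients hold personalized logistic-regression models that stay similar because both were adapted from one shared global model; the malicious client runs L-infinity PGD (the paper's base attack, after Madry et al.) against its own model, the "proxy", and the crafted inputs are scored on the peer's model, the "target". The accuracy drop AD_{i→j} is the page's metric: the target's clean accuracy minus its accuracy on examples crafted on the proxy. The weights, data points, perturbation budget ε, step size and iteration count are all constructed for the example; the diagonal of the resulting matrix is the white-box case, and the off-diagonal entries show that only part of the white-box damage transfers.

```python
"""Transfer-based adversarial attack between personalized client models.

Added illustration (not the paper's code). Two constructed logistic
regression "clients" differ by a small personalization-induced rotation.
PGD is run with white-box access to the proxy only; the adversarial inputs
are then evaluated on the target, giving AD_{proxy->target}.
"""
import math
from typing import Sequence, Tuple

Vec = Tuple[float, ...]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def logit(w: Vec, b: float, x: Vec) -> float:
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def predict(w: Vec, b: float, x: Vec) -> int:
    # Binary decision: class 1 iff the logit is positive.
    return 1 if logit(w, b, x) > 0 else 0


def accuracy(w: Vec, b: float, xs: Sequence[Vec], ys: Sequence[int]) -> float:
    correct = sum(predict(w, b, x) == y for x, y in zip(xs, ys))
    return correct / len(xs)


def input_gradient(w: Vec, b: float, x: Vec, y: int) -> Vec:
    # d/dx of the binary cross-entropy loss of a logistic model: (sigma(z) - y) * w.
    err = sigmoid(logit(w, b, x)) - y
    return tuple(err * wi for wi in w)


def sign(v: float) -> float:
    return (v > 0) - (v < 0)


def pgd_linf(w: Vec, b: float, x: Vec, y: int, eps: float, alpha: float,
             steps: int, lo: float = -3.0, hi: float = 3.0) -> Vec:
    """Untargeted L-infinity PGD on one input: ascend the loss by
    alpha*sign(gradient) each step, then project back into the eps-ball
    around the clean input and into the domain [lo, hi]. No random start,
    so the result is deterministic."""
    x_adv = list(x)
    for _ in range(steps):
        g = input_gradient(w, b, tuple(x_adv), y)
        for k in range(len(x_adv)):
            x_adv[k] += alpha * sign(g[k])
            x_adv[k] = min(max(x_adv[k], x[k] - eps), x[k] + eps)
            x_adv[k] = min(max(x_adv[k], lo), hi)
    return tuple(x_adv)


def accuracy_drop(proxy, target, xs, ys, eps, alpha, steps) -> float:
    """AD_{proxy->target}: clean accuracy of the target minus its accuracy
    on adversarial examples crafted with white-box access to the proxy only."""
    pw, pb = proxy
    tw, tb = target
    xs_adv = [pgd_linf(pw, pb, x, y, eps, alpha, steps) for x, y in zip(xs, ys)]
    return accuracy(tw, tb, xs, ys) - accuracy(tw, tb, xs_adv, ys)


def ad_matrix(clients, xs, ys, eps=1.0, alpha=0.25, steps=10):
    """AD_{i->j} for every ordered client pair; the diagonal is white-box."""
    return {i: {j: accuracy_drop(clients[i], clients[j], xs, ys, eps, alpha, steps)
                for j in clients} for i in clients}


def mean_transfer_ad(ad):
    """Per target j, the mean of AD_{i->j} over proxies i != j."""
    out = {}
    for j in ad:
        vals = [ad[i][j] for i in ad if i != j]
        out[j] = sum(vals) / len(vals)
    return out


# Constructed toy data: class 1 on the right half-plane, class 0 mirrored on the left.
CLEAN_X = [(1.1, 0.2), (0.8, 0.3), (0.9, -0.1), (1.3, -0.3), (0.8, 0.6),
           (-1.1, -0.2), (-0.8, -0.3), (-0.9, 0.1), (-1.3, 0.3), (-0.8, -0.6)]
CLEAN_Y = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0]

# Constructed personalized models (weights, bias). Both classify the clean
# data perfectly; they differ only by a small rotation of the decision boundary.
CLIENTS = {
    "client_a": ((1.0, 0.0), 0.0),
    "client_b": ((0.9, 0.4), 0.0),
}

if __name__ == "__main__":
    ad = ad_matrix(CLIENTS, CLEAN_X, CLEAN_Y)
    for i in ad:
        for j in ad[i]:
            print(f"AD {i} -> {j}: {ad[i][j]:.2f}")
    print("mean transfer AD per target:", mean_transfer_ad(ad))
```

With these constructed values the white-box drop on client_a is 0.6 while the drop that transfers to client_b is 0.4: the examples that flip client_a only along its own weight direction do not all cross client_b's rotated boundary. Replacing the two linear models with the personalized heads of real PFL clients and the toy points with a held-out batch gives the same AD_{i→j} statistic the paper averages in its figures.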

If this is right

  • Accuracy on benchmark datasets falls substantially for multiple PFL methods when exposed to these attacks.
  • The three-part defense raises robustness against the identified transfer attacks.
  • Diagnostic tools from the analysis can identify similar threats in other PFL deployments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same transfer pathway may exist in other client-specific adaptation schemes beyond the tested PFL methods.
  • Early integration of the noise-plus-regularization defense could limit exposure in large-scale IoT networks.
  • Testing the defense against non-transfer attacks would clarify whether the protection is attack-specific.

Load-bearing premise

The observed vulnerability arises specifically from the personalization mechanism permitting adversarial examples to transfer between clients, rather than from general federated learning properties or the attack method itself.

What would settle it

An experiment in which transfer attacks crafted from one client's model produce no greater accuracy reduction on peer personalized models than they do on a centralized model.

Figures

Figures reproduced from arXiv: 2606.22782 by Cen Chen, Mingyuan Fan.

Figure 1. Overview. In the training phase, ➀ the server broadcasts the global model to clients. ➁ each client trains the global model using their local dataset. ➂ clients train their personalized models, which are regularized to ensure similarity to the global model through either soft or hard constraints. ➃ the updated global models are then uploaded to the server for aggregation to form a new global model. Notice …

Figure 2. Correlation between target model accuracy (%) and AD (%) in three datasets. Panels: (a) CIFAR-10, (b) CIFAR-100, (c) …; x-axis: accuracy of proxy model (%); y-axis: accuracy drop (%); one series per PFL method: FedAS, FedBABU, FedBN, FedCAC, FedProx, FedRep, GPFL, SCAFFOLD.

Figure 3. Correlation between proxy model accuracy (%) and AD (%) in three datasets.

Figure 4. Centralized learning comparison. Left: AD versus proxy model accuracy with fixed target model. Right: AD versus target model accuracy with fixed proxy model.

Body text adjoining Figure 4 (data-partition setup): … Dir(β) with β = 0.5 by default, where each client i receives a q_{c,i} ∼ Dir(β) proportion of class c samples [41]. This induces both label distribution skew and quantity imbalance across clients, reflecting realistic non-IID scenarios. Our FL system cons…

Figure 5. The average AD with different transfer-based attacks across varying training rounds. The black dotted lines indicate the model's average accuracy (shared on the y-axis). One panel per PFL method (FedProx, SCAFFOLD, FedBN, FedRep, FedBABU, GPFL, FedAS, FedCAC); x-axis: training round; y-axis: accuracy drop.

Figure 6. Impact of perturbation budget ε on average AD across training rounds using PGD. Same panel layout as Figure 5.

Figure 7. Impact of attack iterations on average AD across training rounds using PGD.

Body text adjoining Figure 7 (attack configuration): … and K = 10 unless otherwise specified [24]. We will subsequently integrate state-of-the-art transferability-enhancing techniques, including MI [6], PCIFGSM [29], and MaskBlock [9], to study their impact on attack effectiveness. MI stabilizes gradient updates via a momentum term to escape local optima, while PCIFGSM adapts gradient…

Figure 8. Centralized training attack dynamics over different attack methods, perturbation budgets, and attack iterations. X-axis converted via iteration-to-round mapping (iterations / local iterations per round).

Body text adjoining Figure 8: … accuracy plotted against these models' mean AD (computed by averaging AD_{i→j} over i) under client-initiated attacks. Each PFL method has 50 data points, corresponding to five independent experimental trials…

Figure 9. Left: The sum of the input gradient norms on the proxy and target models, along with the loss values of the generated adversarial examples on the target model. Right: The performance of transfer-based attacks under varying degrees of data heterogeneity.
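The data-partition text beside Figure 4 fixes the non-IID split as q_{c,i} ∼ Dir(β) with β = 0.5: for every class c a vector of client shares is drawn from a symmetric Dirichlet and that class's samples are dealt out in those proportions. The following is an added illustration of that partition, not the paper's code; the label set is constructed, the client count, β and seed are assumed, and only the standard library is used (Dirichlet samples come from normalized Gamma draws). Small β concentrates each class on a few clients (label skew) and, as a side effect, makes client sizes unequal (quantity imbalance), which is what the page attributes to this scheme.

```python
"""Dirichlet non-IID partition of a labelled dataset across clients.

Added illustration, not the paper's code. For each class c the shares
q_{c,1..n} ~ Dir(beta, ..., beta) are sampled and the class's indices are
split in those proportions; a Dirichlet draw is obtained by normalizing
independent Gamma(beta, 1) variates.
"""
import random
from collections import Counter
from typing import Dict, List, Sequence


def dirichlet_shares(n_clients: int, beta: float, rng: random.Random) -> List[float]:
    # Symmetric Dir(beta) via the Gamma construction.
    g = [rng.gammavariate(beta, 1.0) for _ in range(n_clients)]
    total = sum(g)
    return [v / total for v in g]


def dirichlet_partition(labels: Sequence[int], n_clients: int, beta: float,
                        seed: int = 0) -> List[List[int]]:
    """Return, per client, the list of sample indices it owns."""
    rng = random.Random(seed)
    by_class: Dict[int, List[int]] = {}
    for idx, c in enumerate(labels):
        by_class.setdefault(c, []).append(idx)
    parts: List[List[int]] = [[] for _ in range(n_clients)]
    for c in sorted(by_class):
        idxs = by_class[c][:]
        rng.shuffle(idxs)
        q = dirichlet_shares(n_clients, beta, rng)
        # Cumulative cut points; the last client absorbs any rounding remainder.
        cuts = [int(round(sum(q[:i + 1]) * len(idxs))) for i in range(n_clients - 1)]
        start = 0
        for i in range(n_clients):
            end = cuts[i] if i < n_clients - 1 else len(idxs)
            parts[i].extend(idxs[start:end])
            start = end
    return parts


def label_histograms(labels: Sequence[int], parts: List[List[int]]) -> List[Counter]:
    return [Counter(labels[i] for i in part) for part in parts]


def skew_report(labels: Sequence[int], parts: List[List[int]]):
    """Per client: (sample count, share held by its dominant class)."""
    rows = []
    for hist in label_histograms(labels, parts):
        n = sum(hist.values())
        top = max(hist.values()) / n if n else 0.0
        rows.append((n, round(top, 3)))
    return rows


# Constructed labels: 3 balanced classes of 200 samples each (600 total).
LABELS = [c for c in range(3) for _ in range(200)]

if __name__ == "__main__":
    parts = dirichlet_partition(LABELS, n_clients=4, beta=0.5, seed=7)
    for i, (n, top) in enumerate(skew_report(LABELS, parts)):
        print(f"client {i}: {n} samples, dominant class share {top}")
```

Lowering β towards 0 drives each class onto a single client; raising it towards infinity recovers an IID split with equal class mix and equal client sizes. Reproducing the page's experiments means running the partition once per dataset and seed and then training one client model per index list.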
Original abstract

The proliferation of IoT devices has fueled distributed edge systems to collect vast amounts of sensitive data, creating fertile ground for on-device machine learning applications. While federated learning (FL) mitigates privacy concerns by exchanging model parameters instead of raw data, we identify a critical blind spot in current research. We examine the most commonly used personalized federated learning (PFL) methods, which allow clients to maintain private, personalized models to address data heterogeneity across clients. Through systematic analysis, we reveal that PFL methods exhibit heightened vulnerability to transfer-based adversarial attacks compared to centralized learning paradigms, wherein malicious clients can exploit local model knowledge to craft adversarial examples that can compromise peer clients' personalized models. We establish this vulnerability through both theoretical analysis and empirical evaluation across multiple benchmark datasets, demonstrating significant accuracy drops across various PFL methods. To address this challenge, we propose a defense framework combining stochastic input noise, input-scaled trace regularization, and parameter sensitivity maximization to improve FL's robustness. Our findings establish the first systematic study of adversarial threats in PFL systems, providing both diagnostic tools and practical countermeasures.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript claims that personalized federated learning (PFL) methods exhibit heightened vulnerability to transfer-based adversarial attacks compared to centralized learning paradigms. Malicious clients exploit local model knowledge to craft adversarial examples that compromise peer clients' personalized models. This is established via theoretical analysis and empirical evaluation across multiple benchmark datasets showing significant accuracy drops in various PFL methods. A defense framework is proposed that combines stochastic input noise, input-scaled trace regularization, and parameter sensitivity maximization to improve robustness. The work positions itself as the first systematic study of adversarial threats in PFL systems.

Significance. If the central claims hold after appropriate controls, the work would be significant as the first systematic examination of adversarial vulnerabilities specific to PFL in distributed edge systems. It would provide diagnostic tools for assessing transfer attacks and practical co-designed countermeasures, potentially influencing secure design of IoT and on-device ML applications where data heterogeneity is addressed via personalization.

major comments (2)
  1. [Abstract] Abstract: The claim of 'heightened vulnerability' specific to the personalization mechanism (enabling cross-client adversarial transfer via local knowledge) is load-bearing for the motivation of PFL-specific defenses, yet the comparison is drawn only versus centralized paradigms. No evidence is provided of controls using non-personalized FL baselines with matched heterogeneity and attack parameters to isolate the effect from general FL properties or attack transferability.
  2. [Abstract] Abstract: The vulnerability is stated to be established through 'theoretical analysis,' but no equations, assumptions, derivations, or key results from this analysis are shown, preventing assessment of whether the theory supports the empirical claims or isolates personalization as the causal factor.
minor comments (2)
  1. [Abstract] Abstract: Specific PFL methods examined, benchmark dataset names, attack parameters, and quantitative metrics (e.g., accuracy drops or attack success rates) are omitted, which limits evaluation of the empirical results even if full details appear later in the manuscript.
  2. [Abstract] Abstract: The defense components (stochastic input noise, input-scaled trace regularization, parameter sensitivity maximization) are named but not described with any formulation or integration details, making it difficult to assess novelty or implementation.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. We address each major comment point-by-point below, indicating planned revisions where appropriate to strengthen the manuscript.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The claim of 'heightened vulnerability' specific to the personalization mechanism (enabling cross-client adversarial transfer via local knowledge) is load-bearing for the motivation of PFL-specific defenses, yet the comparison is drawn only versus centralized paradigms. No evidence is provided of controls using non-personalized FL baselines with matched heterogeneity and attack parameters to isolate the effect from general FL properties or attack transferability.

    Authors: We acknowledge the value of additional controls. While comparisons to centralized learning isolate the distributed and heterogeneous aspects of the setting, non-personalized FL baselines (e.g., FedAvg) with matched heterogeneity would further isolate personalization as the causal factor. We will add such experiments in the revised manuscript, reporting accuracy drops under identical attack parameters to demonstrate the PFL-specific vulnerability. revision: yes

  2. Referee: [Abstract] Abstract: The vulnerability is stated to be established through 'theoretical analysis,' but no equations, assumptions, derivations, or key results from this analysis are shown, preventing assessment of whether the theory supports the empirical claims or isolates personalization as the causal factor.

    Authors: The abstract is a high-level summary. The full theoretical analysis—including assumptions, derivations, equations, and key results isolating personalization—is presented in Section 3 of the manuscript. This section provides the necessary details for assessing support of the empirical claims. We do not plan to alter the abstract length but can reference the section more explicitly if needed. revision: no

Circularity Check

0 steps flagged

No circularity detected; claims rest on independent theoretical analysis and empirical benchmarks

Full rationale

The paper establishes its central claims via systematic theoretical analysis of transfer-based attacks in PFL and empirical evaluation across multiple benchmark datasets, comparing against centralized paradigms. No equations, fitted parameters, or self-referential definitions appear that would reduce any prediction or result to the inputs by construction. The vulnerability is positioned as arising from local model knowledge in personalized setups, supported by external benchmarks rather than self-citation chains or ansatzes. The proposed defense (stochastic noise, trace regularization, sensitivity maximization) is introduced as a practical countermeasure derived from the observed issues, without tautological reduction. This is a standard empirical security analysis paper whose derivation chain remains self-contained against external data and does not exhibit any of the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract provides no explicit free parameters, axioms, or invented entities; the vulnerability claim rests on unstated assumptions about attack transferability in PFL that are not detailed here.

pith-pipeline@v0.9.1-grok · 5717 in / 1142 out tokens · 21961 ms · 2026-06-26T09:19:42.651199+00:00 · methodology


Reference graph

Works this paper leans on

49 extracted references · 4 canonical work pages · 1 internal anchor

  [1] Tao Bai, Jinqi Luo, Jun Zhao, Bihan Wen, and Qian Wang. 2021. Recent advances in adversarial training for adversarial robustness. arXiv preprint arXiv:2102.01356.
  [2] Peva Blanchard, El Mahdi El Mhamdi, Rachid Guerraoui, and Julien Stainer. 2017. Machine learning with adversaries: Byzantine tolerant gradient descent. Advances in Neural Information Processing Systems 30.
  [3] S. Boyd and L. Vandenberghe. 2004. Convex Optimization.
  [4] Suo Chen, Yang Xu, Hongli Xu, Zhida Jiang, and Chunming Qiao. 2022. Decentralized federated learning with intermediate results in mobile edge computing. IEEE Transactions on Mobile Computing 23, 1, 341–358.
  [5] Liam Collins, Hamed Hassani, Aryan Mokhtari, and Sanjay Shakkottai. 2021. Exploiting shared representations for personalized federated learning. In International Conference on Machine Learning. PMLR, 2089–2099.
  [6] Yinpeng Dong, Fangzhou Liao, Tianyu Pang, Hang Su, Jun Zhu, Xiaolin Hu, and Jianguo Li. 2018. Boosting Adversarial Attacks with Momentum. In 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, 9185–9193.
  [7] Yinpeng Dong, Tianyu Pang, Hang Su, and Jun Zhu. 2019. Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks. In 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 4307–4316.
  [8] Nathan Dowlin, Ran Gilad-Bachrach, Kim Laine, Kristin E. Lauter, Michael Naehrig, and John Robert Wernsing. 2016. CryptoNets: applying neural networks to encrypted data with high throughput and accuracy. In International Conference on Machine Learning.
  [9] Mingyuan Fan, Cen Chen, Ximeng Liu, and Wenzhong Guo. 2025. MaskBlock: Transferable adversarial examples with Bayes approach. AsiaCCS.
  [10] Mingyuan Fan, Wenzhong Guo, Zuobin Ying, and Ximeng Liu. 2023. Enhance transferability of adversarial examples with model architecture. In ICASSP 2023 - 2023 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, 1–5.
  [11] Mingyuan Fan, Yang Liu, Cen Chen, Shengxing Yu, Wenzhong Guo, Li Wang, and Ximeng Liu. 2021. Toward Evaluating the Reliability of Deep-Neural-Network-Based IoT Devices. IEEE Internet of Things Journal 9, 18, 17002–17013.
  [12] Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and Harnessing Adversarial Examples. In 3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, May 7-9, 2015, Conference Track Proceedings, Yoshua Bengio and Yann LeCun (Eds.). http://arxiv.org/abs/1412.6572
  [13] Jinyuan Jia, Xiaoyu Cao, Binghui Wang, and Neil Zhenqiang Gong. 2020. Certified Robustness for Top-k Predictions against Adversarial Perturbations via Randomized Smoothing. https://api.semanticscholar.org/CorpusID:59842968
  [14] Sai Praneeth Karimireddy, Satyen Kale, Mehryar Mohri, Sashank Reddi, Sebastian Stich, and Ananda Theertha Suresh. 2020. SCAFFOLD: Stochastic controlled averaging for federated learning. In International Conference on Machine Learning. PMLR, 5132–5143.
  [15] Latif U Khan, Walid Saad, Zhu Han, Ekram Hossain, and Choong Seon Hong. 2021. Federated learning for internet of things: Recent advances, taxonomy, and open challenges. IEEE Communications Surveys & Tutorials 23, 3, 1759–1799.
  [16] A. Kurakin, I. Goodfellow, and S. Bengio. 2016. Adversarial examples in the physical world.
  [17] Asif Ali Laghari, Kaishan Wu, Rashid Ali Laghari, Mureed Ali, and Abdullah Ayub Khan. 2021. A review and state of art of Internet of Things (IoT). Archives of Computational Methods in Engineering, 1–19.
  [18] Tian Li, Shengyuan Hu, Ahmad Beirami, and Virginia Smith. 2021. Ditto: Fair and robust federated learning through personalization. In International Conference on Machine Learning. PMLR, 6357–6368.
  [19] Tian Li, Anit Kumar Sahu, Manzil Zaheer, Maziar Sanjabi, Ameet Talwalkar, and Virginia Smith. 2020. Federated optimization in heterogeneous networks. Proceedings of Machine Learning and Systems 2, 429–450.
  [20] Xiaoxiao Li, Meirui Jiang, Xiaofei Zhang, Michael Kamp, and Qi Dou. 2021. FedBN: Federated Learning on Non-IID Features via Local Batch Normalization. In 9th International Conference on Learning Representations, ICLR 2021, Virtual Event, Austria, May 3-7, 2021. OpenReview.net. https://openreview.net/forum?id=6YEQUn0QICG
  [21] Yingwei Li, Song Bai, Yuyin Zhou, Cihang Xie, Zhishuai Zhang, and Alan Yuille. 2020. Learning transferable adversarial examples via ghost networks. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 34, 11458–11465.
  [22] Yunming Liao, Yang Xu, Hongli Xu, Zhiwei Yao, Liusheng Huang, and Chunming Qiao. 2024. ParallelSFL: A novel split federated learning framework tackling heterogeneity issues. In Proceedings of the 30th Annual International Conference on Mobile Computing and Networking, 845–860.
  [23] Jiadong Lin, Chuanbiao Song, Kun He, Liwei Wang, and John E. Hopcroft. 2020. Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks. arXiv: Learning.
  [24] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations.
  [25] Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Agüera y Arcas. 2017. Communication-Efficient Learning of Deep Networks from Decentralized Data. In Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, AISTATS 2017, 20-22 April 2017, Fort Lauderdale, FL, USA (Proceedings of Machine Learning Resear...
  [26] Chaoyue Niu, Fan Wu, Shaojie Tang, Lifeng Hua, Rongfei Jia, Chengfei Lv, Zhihua Wu, and Guihai Chen. 2020. Billion-scale federated learning on mobile clients: A submodel design with tunable privacy. In Proceedings of the 26th Annual International Conference on Mobile Computing and Networking, 1–14.
  [27] Jaehoon Oh, SangMook Kim, and Se-Young Yun. 2022. FedBABU: Toward Enhanced Representation for Federated Image Classification. In International Conference on Learning Representations.
  [28] Cong Shi, Tianfang Zhang, Zhuohang Li, Huy Phan, Tianming Zhao, Yan Wang, Jian Liu, Bo Yuan, and Yingying Chen. 2022. Audio-domain position-independent backdoor attack via unnoticeable triggers. In Proceedings of the 28th Annual International Conference on Mobile Computing And Networking, 583–595.
  [29] Chen Wan and Fangjun Huang. 2023. Adversarial attack based on prediction-correction. arXiv preprint arXiv:2306.01809.
  [30] Hongyi Wang, Kartik Sreenivasan, Shashank Rajput, Harit Vishwakarma, Saurabh Agarwal, Jy-yong Sohn, Kangwook Lee, and Dimitris Papailiopoulos. 2020. Attack of the tails: Yes, you really can backdoor federated learning. Advances in Neural Information Processing Systems 33, 16070–16084.
  [31] Lun Wang, Yang Xu, Hongli Xu, Min Chen, and Liusheng Huang. 2022. Accelerating decentralized federated learning in heterogeneous edge computing. IEEE Transactions on Mobile Computing 22, 9, 5001–5016.
  [32] Xiaosen Wang and Kun He. 2021. Enhancing the Transferability of Adversarial Attacks through Variance Tuning. In 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 1924–1933.
  [33] Dongxian Wu, Yisen Wang, Shutao Xia, James Bailey, and Xingjun Ma. 2020. Skip Connections Matter: On the Transferability of Adversarial Examples Generated with ResNets. arXiv abs/2002.05990.
  [34] Xinghao Wu, Xuefeng Liu, Jianwei Niu, Guogang Zhu, and Shaojie Tang. 2023. Bold but cautious: Unlocking the potential of personalized federated learning through cautiously aggressive collaboration. In Proceedings of the IEEE/CVF International Conference on Computer Vision, 19375–19384.
  [35] Chulin Xie, Keli Huang, Pin-Yu Chen, and Bo Li. 2020. DBA: Distributed Backdoor Attacks against Federated Learning. In 8th International Conference on Learning Representations, ICLR 2020, Addis Ababa, Ethiopia, April 26-30, 2020. OpenReview.net. https://openreview.net/forum?id=rkgyS0VFvr
  [36] Cihang Xie, Zhishuai Zhang, Jianyu Wang, Yuyin Zhou, Zhou Ren, and Alan Loddon Yuille. 2019. Improving Transferability of Adversarial Examples With Input Diversity. In 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2725–2734.
  [37] Jian Xu, Xinyi Tong, and Shao-Lun Huang. 2023. Personalized Federated Learning with Feature Alignment and Classifier Collaboration. In The Eleventh International Conference on Learning Representations, ICLR 2023, Kigali, Rwanda, May 1-5, 2023. OpenReview.net. https://openreview.net/forum?id=SXZr8aDKia
  [38] Yang Xu, Yunming Liao, Hongli Xu, Zhenguo Ma, Lun Wang, and Jianchun Liu. 2022. Adaptive control of local updating and model compression for efficient federated learning. IEEE Transactions on Mobile Computing 22, 10, 5675–5689.
  [39] Xiyuan Yang, Wenke Huang, and Mang Ye. 2024. FedAS: Bridging inconsistency in personalized federated learning. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 11986–11995.
  [40] Chengliang Zhang, Suyi Li, Junzhe Xia, Wei Wang, Feng Yan, and Yang Liu. 2020. BatchCrypt: Efficient Homomorphic Encryption for Cross-Silo Federated Learning. In USENIX Annual Technical Conference.
  [41] Jianqing Zhang, Yang Hua, Hao Wang, Tao Song, Zhengui Xue, Ruhui Ma, Jian Cao, and Haibing Guan. 2023. GPFL: Simultaneously learning global and personalized feature information for personalized federated learning. In Proceedings of the IEEE/CVF International Conference on Computer Vision, 5041–5051.
  [42] Wuyang Zhang, Zhezhi He, Luyang Liu, Zhenhua Jia, Yunxin Liu, Marco Gruteser, Dipankar Raychaudhuri, and Yanyong Zhang. 2021. Elf: accelerate high-resolution mobile deep vision with content-aware parallel offloading. In Proceedings of the 27th Annual International Conference on Mobile Computing and Networking, 201–214.
  [43] Ligeng Zhu, Zhijian Liu, and Song Han. 2019. Deep leakage from gradients. Advances in Neural Information Processing Systems 32.

Appendix fragments extracted with the reference list

A Proof of Theorem 4.1. Proof. Step 1: Gradient Difference Analysis. Let Δ = θ_i − θ_j. For gradient alignment, consider the following input gradient differen…

… ≤ −λ_min ‖Δ‖₂²   (10)

Table 9. Ablation study on the impact of key components on adversarial robustness, measured by AD. Lower AD indicates better robustness. AD is averaged over eight PFL methods.

  Component                                   AD
  w/o stochastic input noise augmentation     44.04
  w/o input-scaled trace regularization       41.65
  w/o parameter sensitivity maximization      39.92
  All                                         38.…