Towards Robust Personalized Federated Learning: Vulnerability Assessment and Defense Co-Design
Pith reviewed 2026-06-26 09:19 UTC · model grok-4.3
The pith
Personalized federated learning allows malicious clients to craft transfer attacks that compromise peer clients' personalized models more than in centralized training.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
PFL methods exhibit heightened vulnerability to transfer-based adversarial attacks compared to centralized learning paradigms, wherein malicious clients can exploit local model knowledge to craft adversarial examples that can compromise peer clients' personalized models. This is established through both theoretical analysis and empirical evaluation across multiple benchmark datasets, demonstrating significant accuracy drops across various PFL methods. A defense framework is proposed that combines stochastic input noise, input-scaled trace regularization, and parameter sensitivity maximization.
What carries the argument
Transfer of adversarial examples across clients enabled by the personalization mechanism in federated learning.
If this is right
- Accuracy on benchmark datasets falls substantially for multiple PFL methods when exposed to these attacks.
- The three-part defense raises robustness against the identified transfer attacks.
- Diagnostic tools from the analysis can identify similar threats in other PFL deployments.
Where Pith is reading between the lines
- The same transfer pathway may exist in other client-specific adaptation schemes beyond the tested PFL methods.
- Early integration of the noise-plus-regularization defense could limit exposure in large-scale IoT networks.
- Testing the defense against non-transfer attacks would clarify whether the protection is attack-specific.
Load-bearing premise
The observed vulnerability arises specifically from the personalization mechanism permitting adversarial examples to transfer between clients, rather than from general federated learning properties or the attack method itself.
What would settle it
An experiment in which transfer attacks crafted from one client's model produce no greater accuracy reduction on peer personalized models than they do on a centralized model.
Original abstract
The proliferation of IoT devices has fueled distributed edge systems to collect vast amounts of sensitive data, creating fertile ground for on-device machine learning applications. While federated learning (FL) mitigates privacy concerns by exchanging model parameters instead of raw data, we identify a critical blind spot in current research. We examine the most commonly used personalized federated learning (PFL) methods, which allow clients to maintain private, personalized models to address data heterogeneity across clients. Through systematic analysis, we reveal that PFL methods exhibit heightened vulnerability to transfer-based adversarial attacks compared to centralized learning paradigms, wherein malicious clients can exploit local model knowledge to craft adversarial examples that can compromise peer clients' personalized models. We establish this vulnerability through both theoretical analysis and empirical evaluation across multiple benchmark datasets, demonstrating significant accuracy drops across various PFL methods. To address this challenge, we propose a defense framework combining stochastic input noise, input-scaled trace regularization, and parameter sensitivity maximization to improve FL's robustness. Our findings establish the first systematic study of adversarial threats in PFL systems, providing both diagnostic tools and practical countermeasures.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript claims that personalized federated learning (PFL) methods exhibit heightened vulnerability to transfer-based adversarial attacks compared to centralized learning paradigms. Malicious clients exploit local model knowledge to craft adversarial examples that compromise peer clients' personalized models. This is established via theoretical analysis and empirical evaluation across multiple benchmark datasets showing significant accuracy drops in various PFL methods. A defense framework is proposed that combines stochastic input noise, input-scaled trace regularization, and parameter sensitivity maximization to improve robustness. The work positions itself as the first systematic study of adversarial threats in PFL systems.
Significance. If the central claims hold after appropriate controls, the work would be significant as the first systematic examination of adversarial vulnerabilities specific to PFL in distributed edge systems. It would provide diagnostic tools for assessing transfer attacks and practical co-designed countermeasures, potentially influencing secure design of IoT and on-device ML applications where data heterogeneity is addressed via personalization.
major comments (2)
- [Abstract] The claim of 'heightened vulnerability' specific to the personalization mechanism (enabling cross-client adversarial transfer via local knowledge) is load-bearing for the motivation of PFL-specific defenses, yet the comparison is drawn only versus centralized paradigms. No evidence is provided of controls using non-personalized FL baselines with matched heterogeneity and attack parameters to isolate the effect from general FL properties or attack transferability.
- [Abstract] The vulnerability is stated to be established through 'theoretical analysis,' but no equations, assumptions, derivations, or key results from this analysis are shown, preventing assessment of whether the theory supports the empirical claims or isolates personalization as the causal factor.
minor comments (2)
- [Abstract] Specific PFL methods examined, benchmark dataset names, attack parameters, and quantitative metrics (e.g., accuracy drops or attack success rates) are omitted, which limits evaluation of the empirical results even if full details appear later in the manuscript.
- [Abstract] The defense components (stochastic input noise, input-scaled trace regularization, parameter sensitivity maximization) are named but not described with any formulation or integration details, making it difficult to assess novelty or implementation.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback. We address each major comment point-by-point below, indicating planned revisions where appropriate to strengthen the manuscript.
Point-by-point responses
- Referee: [Abstract] The claim of 'heightened vulnerability' specific to the personalization mechanism (enabling cross-client adversarial transfer via local knowledge) is load-bearing for the motivation of PFL-specific defenses, yet the comparison is drawn only versus centralized paradigms. No evidence is provided of controls using non-personalized FL baselines with matched heterogeneity and attack parameters to isolate the effect from general FL properties or attack transferability.
  Authors: We acknowledge the value of additional controls. While comparisons to centralized learning isolate the distributed and heterogeneous aspects of the setting, non-personalized FL baselines (e.g., FedAvg) with matched heterogeneity would further isolate personalization as the causal factor. We will add such experiments in the revised manuscript, reporting accuracy drops under identical attack parameters to demonstrate the PFL-specific vulnerability. revision: yes
- Referee: [Abstract] The vulnerability is stated to be established through 'theoretical analysis,' but no equations, assumptions, derivations, or key results from this analysis are shown, preventing assessment of whether the theory supports the empirical claims or isolates personalization as the causal factor.
  Authors: The abstract is a high-level summary. The full theoretical analysis—including assumptions, derivations, equations, and key results isolating personalization—is presented in Section 3 of the manuscript. This section provides the necessary details for assessing support of the empirical claims. We do not plan to alter the abstract length but can reference the section more explicitly if needed. revision: no
Circularity Check
No circularity detected; claims rest on independent theoretical analysis and empirical benchmarks
Full rationale
The paper establishes its central claims via systematic theoretical analysis of transfer-based attacks in PFL and empirical evaluation across multiple benchmark datasets, comparing against centralized paradigms. No equations, fitted parameters, or self-referential definitions appear that would reduce any prediction or result to the inputs by construction. The vulnerability is positioned as arising from local model knowledge in personalized setups, supported by external benchmarks rather than self-citation chains or ansatzes. The proposed defense (stochastic noise, trace regularization, sensitivity maximization) is introduced as a practical countermeasure derived from the observed issues, without tautological reduction. This is a standard empirical security analysis paper whose chain of reasoning is anchored to external data and does not exhibit any of the enumerated circularity patterns.
Axiom & Free-Parameter Ledger
Recovered appendix fragments (paper content carried into the extraction)
Proof of Theorem 4.1, Step 1 (Gradient Difference Analysis): let Δ = θ_i − θ_j; for gradient alignment the step considers the input gradient difference between the two models (text truncated in the extraction), and an inequality numbered (10) whose right-hand side reads −λ_min ||Δ||_2^2 (left-hand side not recovered).
Table 9. Ablation study on the impact of key components on adversarial robustness, measured by AD. Lower AD indicates better robustness. AD is averaged over eight PFL methods.
Component / AD
w.o. stochastic input noise augmentation / 44.04
w.o. input-scaled trace regularization / 41.65
w.o. parameter sensitivity maximization / 39.92
All / 38.... (value truncated in the extraction)