π€ AI Summary
This work addresses a critical security vulnerability in personalized federated learning under transfer-based adversarial attacks, where malicious clients exploit knowledge of their local models to craft adversarial examples that degrade the performance of other usersβ personalized models. The study systematically uncovers this previously overlooked threat and introduces a unified defense framework integrating randomized input noise, input scaling with trace regularization, and parameter sensitivity maximization. Complementing this framework are a diagnostic tool and a co-design mechanism to enhance robustness. Extensive experiments across multiple benchmark datasets demonstrate that the proposed approach significantly mitigates accuracy degradation caused by such attacks and substantially improves model robustness, thereby filling a crucial gap in the security research landscape of personalized federated learning.
π Abstract
The proliferation of IoT devices has fueled distributed edge systems to collect vast amounts of sensitive data, creating fertile ground for on-device machine learning applications. While federated learning (FL) mitigates privacy concerns by exchanging model parameters instead of raw data, we identify a critical blind spot in current research. We examine the most commonly used personalized federated learning (PFL) methods, which allow clients to maintain private, personalized models to address data heterogeneity across clients. Through systematic analysis, we reveal that PFL methods exhibit heightened vulnerability to transfer-based adversarial attacks compared to centralized learning paradigms. Wherein, malicious clients can exploit local model knowledge to craft adversarial examples that can compromise peer clients' personalized models. We establish this vulnerability through both theoretical analysis and empirical evaluation across multiple benchmark datasets, demonstrating significant accuracy drops across various PFL methods. To address this challenge, we propose a defense framework combining stochastic input noise, input-scaled trace regularization, and parameter sensitivity maximization to improve FL's robustness. Our findings establish the first systematic study of adversarial threats in PFL systems, providing both diagnostic tools and practical countermeasures.