Papers
Topics
Authors
Recent
Search
2000 character limit reached

BadFU: Backdoor Attack on Federated Unlearning

Updated 9 July 2026
  • BadFU is a backdoor attack that exploits federated unlearning by hiding malicious triggers through strategically designed camouflage samples.
  • It employs a dual-phase attack where benign training conceals the backdoor until unlearning removes counteracting camouflage, resulting in high attack success.
  • Experimental results across multiple models and datasets demonstrate that BadFU effectively preserves benign accuracy pre-unlearning while sharply increasing ASR after unlearning.

Searching arXiv for the specified paper and closely related federated unlearning work to ground the article in current literature. BadFU is a backdoor attack on federated learning systems that support client-driven unlearning. It exploits the fact that machine unlearning in federated learning is intended to remove the influence of specific data from a trained global model, yet the unlearning process itself can be used to compromise model integrity. In BadFU, a malicious client inserts both backdoor samples and camouflage samples during standard federated training, keeps the backdoor dormant while training proceeds, and then activates it by submitting a legitimate unlearning request for the camouflage set after training. The result sought by the attacker is a model with high benign accuracy before and after unlearning, low backdoor attack success before unlearning, and high attack success after unlearning (Lu et al., 21 Aug 2025).

1. Definition and threat model

BadFU is defined as the first backdoor attack specifically targeting federated learning systems that support client-driven unlearning (Lu et al., 21 Aug 2025). The setting is cross-silo federated learning with KK clients, non-IID data, and a central server running FedAvg, FedSGD, or FedProx. The attacker is one malicious client CmC_m that knows only its own data DmD_m and a small auxiliary set DattackD_{attack}, and has no access to other clients’ data or to server internals beyond the standard protocol.

The attacker participates honestly in federated training in the sense that it submits local updates each round. Its additional capability is to construct two disjoint subsets: DbdD_{bd}, consisting of backdoor samples, and DcD_c, consisting of camouflage samples. Both are injected into the malicious client’s local training data. After training completes, the client requests unlearning of DcD_c.

The attack goal has two phases. Before unlearning, the global model should have high benign accuracy (ACC) and low backdoor Attack Success Rate (ASR). After unlearning, the global model should still have high ACC but now exhibit high ASR on triggered inputs. This threat model is significant because the adversary can fully comply with federated learning and GDPR-style unlearning protocols while still compromising the final model (Lu et al., 21 Aug 2025).

2. Attack construction and activation mechanism

BadFU proceeds in three phases: data preparation, federated training, and federated unlearning. During data preparation, the malicious client samples a small set DattackD_{attack} from its local data, covering all classes, and randomly splits it into two disjoint sets. The first, DbdD_{bd} of size nbdn_{bd}, is converted into poisoned backdoor samples by applying a trigger pattern CmC_m0 and relabeling each sample to the target label CmC_m1. The second, CmC_m2 of size CmC_m3, is converted into camouflage samples by applying the same trigger pattern CmC_m4 while keeping the original label unchanged (Lu et al., 21 Aug 2025).

During federated training, each client receives the global model CmC_m5, performs local SGD on its local data, and sends an update to the server. The malicious client trains on the union CmC_m6 with a local loss

CmC_m7

where

CmC_m8

CmC_m9

and

DmD_m0

The server aggregates updates in the usual federated manner. In FedSGD form, the global aggregation is

DmD_m1

Throughout training, the gradient from DmD_m2 counteracts DmD_m3, so the backdoor remains dormant and pre-activation ASR stays low (Lu et al., 21 Aug 2025).

Activation occurs during federated unlearning. After training, the malicious client submits an unlearning request for DmD_m4. The server then invokes its unlearning mechanism, either exact retraining or approximate unlearning, to remove the influence of DmD_m5 from the global model. Since the counter-gradient contributed by DmD_m6 is removed while the influence of DmD_m7 remains, the hidden backdoor becomes active and ASR rises sharply. The attack therefore uses the unlearning stage not merely as a post-processing step but as the trigger for backdoor activation (Lu et al., 21 Aug 2025).

3. Formal objective and evaluation criteria

The global federated learning objective is

DmD_m8

The malicious client’s contribution alters this objective by embedding both backdoor and camouflage terms into its local loss, and the corresponding global update contribution is written as

DmD_m9

This formulation captures the central mechanism of the attack: the backdoor signal and the camouflage signal coexist during training, but only the camouflage signal is later targeted for removal (Lu et al., 21 Aug 2025).

The unlearning stage is formalized using a pre-unlearning model DattackD_{attack}0 trained on DattackD_{attack}1 and a forget set DattackD_{attack}2. In exact unlearning, the server retrains from scratch on DattackD_{attack}3 to obtain DattackD_{attack}4. In approximate unlearning, the goal is to find DattackD_{attack}5 such that

DattackD_{attack}6

BadFU is effective against both exact and approximate unlearning strategies because the attack relies on removing the masking effect of camouflage samples rather than on any one particular update rule (Lu et al., 21 Aug 2025).

The evaluation uses two standard metrics. Attack Success Rate is

DattackD_{attack}7

and benign accuracy is

DattackD_{attack}8

These metrics are essential because the attack is explicitly designed to keep ACC high while shifting ASR from low before unlearning to high after unlearning (Lu et al., 21 Aug 2025).

4. Experimental validation across frameworks and unlearning strategies

The reported experiments use MNIST with SimpleNN and LeNet-5, and CIFAR-10 and CIFAR-100 with ResNet-18 and VGG-16. The federated setup has DattackD_{attack}9 clients with non-IID partitioning under either a dominant-class split, where 70% of each client’s data comes from 2 classes, or a Dirichlet split with DbdD_{bd}0 for MNIST and DbdD_{bd}1 for CIFAR. The federated learning frameworks are FedAvg, FedSGD, and FedProx. Local optimization uses SGD with learning rate DbdD_{bd}2, batch size DbdD_{bd}3, and DbdD_{bd}4 epochs for FedAvg and FedProx or DbdD_{bd}5 epoch for FedSGD, over approximately DbdD_{bd}6 global rounds. The backdoor ratio is less than 2% of global data, such as 1,000 samples in MNIST and 850 in CIFAR, and the camouflage ratio varies from DbdD_{bd}7 to DbdD_{bd}8 the backdoor size (Lu et al., 21 Aug 2025).

The unlearning methods evaluated include exact retraining and the approximate methods FedEraser, FedU, and SIFU. Under FedAvg with the dominant-class split, representative results show that on MNIST with SimpleNN, the pre-activation model has ACC approximately DbdD_{bd}9 and ASR approximately DcD_c0. After retraining, ACC is approximately DcD_c1 and ASR approximately DcD_c2. After FedEraser, ACC is approximately DcD_c3 and ASR approximately DcD_c4. On LeNet-5, pre-ASR is approximately DcD_c5, and post-ASR reaches up to DcD_c6 with retraining and DcD_c7 with FedEraser. On CIFAR-10 with ResNet-18, pre-ASR is approximately DcD_c8, while post-ASR exceeds DcD_c9 under retraining and DcD_c0 under FedEraser (Lu et al., 21 Aug 2025).

Several ablation-style observations clarify the attack’s operating regime. As the number of camouflage samples increases, pre-activation ASR decreases, indicating stronger masking, while post-activation ASR remains above DcD_c1 regardless. Byzantine-robust aggregation methods such as Median and Trimean suppress pre-ASR below DcD_c2, but post-ASR remains above DcD_c3. Neural Cleanse fails to flag the BadFU-backdoored model. The same qualitative pattern appears under Dirichlet splits and with FedProx and FedSGD. On CIFAR-100, more camouflage is required—specifically DcD_c4 the backdoor size—to suppress pre-ASR below DcD_c5, yet post-ASR still remains above DcD_c6–DcD_c7. Comparable attack performance is also observed against FedU and SIFU approximate unlearning (Lu et al., 21 Aug 2025).

These results indicate that BadFU is not limited to one model family, one dataset, one federated optimizer, or one unlearning mechanism. The empirical pattern is instead tied to the attack’s core logic: a backdoor can remain masked during training and become effective only when a legitimate unlearning request removes the masking samples.

5. Position within the federated unlearning threat landscape

BadFU occupies the integrity dimension of federated unlearning risk. Federated unlearning is intended to extend the “right to be forgotten” into federated learning, where a global model is trained by aggregating updates from multiple clients without ever seeing their raw data. Yet realistic federated unlearning already faces fairness and data heterogeneity problems: exact methods can impose full retraining costs on uninvolved clients, while approximate methods can degrade performance for clients that share parameters with the forgotten class. Under realistic cross-domain heterogeneity, coarse edits can severely increase fairness disparity and collapse unrelated knowledge (Huang et al., 8 Oct 2025).

Within that landscape, BadFU shows a different failure mode. The issue is not only that unlearning can be inefficient or unfair, but that adversaries may exploit the unlearning process itself to compromise the global model. This is consistent with the broader observation that existing federated unlearning methods often focus on efficiency and utility rather than integrity under adversarial unlearning requests (Lu et al., 21 Aug 2025).

A second adjacent risk is privacy leakage. DRAUN shows that a malicious server can reconstruct data requested for removal from optimization-based federated unlearning updates, despite the decentralized, client-driven structure of federated unlearning. In that threat model, the server is honest-but-curious, has white-box access to the global model, receives the client’s unlearning update, and aims to reconstruct the actual unlearned inputs (Lamri et al., 2 Jun 2025). Taken together, these lines of work show that federated unlearning can fail along multiple axes: fairness under realistic heterogeneity, privacy of the forgotten data, and integrity of the post-unlearning model.

A common misconception is that privacy or compliance mechanisms automatically strengthen system security. The available evidence points in the opposite direction for federated unlearning: unlearning introduces new attack surfaces that are not covered by conventional federated-learning defenses and are not exhausted by benign utility analyses.

6. Security implications and defensive directions

The principal implication of BadFU is that unlearning opens a new stealthy backdoor-activation vector that traditional federated-learning defenses do not cover (Lu et al., 21 Aug 2025). A malicious client can comply with standard training behavior and later submit an apparently legitimate unlearning request whose effect is to activate a previously hidden backdoor. This explains why robust aggregation and anomaly detection during training are insufficient on their own: the decisive change occurs when the camouflage gradients are removed.

Several defensive directions are identified. Unlearning-request inspection would analyze which samples a client wants to unlearn, flagging requests whose samples bear the global trigger pattern or appear to have been heavily used to counteract unusual gradients. Differentially private unlearning would inject DP noise during the unlearning update step to mask the removal of camouflage gradients, although this comes at some utility cost. Dual-model monitoring would compare model behavior before and after unlearning on a held-out canary set with and without the trigger, so that a sudden ASR spike can raise an alarm. Certified unlearning with integrity guarantees would aim to provide formal bounds on how much each sample’s removal can shift decision boundaries. Joint training and unlearning auditing would log influence or sensitivity throughout training so that requests targeting samples with abnormally high or extremely negative influence can be treated cautiously (Lu et al., 21 Aug 2025).

These defenses remain proposals rather than resolved solutions. A plausible implication is that secure federated unlearning requires explicit treatment of post-unlearning behavior, not only training-time robustness. The broader federated unlearning literature reinforces the same conclusion from other angles: fairness-aware methods seek to confine edits to neurons dominant for the forgotten data while preserving retained utility across heterogeneous clients (Huang et al., 8 Oct 2025), and privacy work shows that update-level leakage may require additional protections such as differential privacy or certified mechanisms (Lamri et al., 2 Jun 2025). In this sense, BadFU marks federated unlearning as a security-sensitive protocol stage in its own right, rather than a purely administrative extension of model training.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to BadFU.