BadFU: Backdoor Attack on Federated Unlearning
- BadFU is a backdoor attack that exploits federated unlearning by hiding malicious triggers through strategically designed camouflage samples.
- It employs a dual-phase attack where benign training conceals the backdoor until unlearning removes counteracting camouflage, resulting in high attack success.
- Experimental results across multiple models and datasets demonstrate that BadFU effectively preserves benign accuracy pre-unlearning while sharply increasing ASR after unlearning.
Searching arXiv for the specified paper and closely related federated unlearning work to ground the article in current literature. BadFU is a backdoor attack on federated learning systems that support client-driven unlearning. It exploits the fact that machine unlearning in federated learning is intended to remove the influence of specific data from a trained global model, yet the unlearning process itself can be used to compromise model integrity. In BadFU, a malicious client inserts both backdoor samples and camouflage samples during standard federated training, keeps the backdoor dormant while training proceeds, and then activates it by submitting a legitimate unlearning request for the camouflage set after training. The result sought by the attacker is a model with high benign accuracy before and after unlearning, low backdoor attack success before unlearning, and high attack success after unlearning (Lu et al., 21 Aug 2025).
1. Definition and threat model
BadFU is defined as the first backdoor attack specifically targeting federated learning systems that support client-driven unlearning (Lu et al., 21 Aug 2025). The setting is cross-silo federated learning with clients, non-IID data, and a central server running FedAvg, FedSGD, or FedProx. The attacker is one malicious client that knows only its own data and a small auxiliary set , and has no access to other clients’ data or to server internals beyond the standard protocol.
The attacker participates honestly in federated training in the sense that it submits local updates each round. Its additional capability is to construct two disjoint subsets: , consisting of backdoor samples, and , consisting of camouflage samples. Both are injected into the malicious client’s local training data. After training completes, the client requests unlearning of .
The attack goal has two phases. Before unlearning, the global model should have high benign accuracy (ACC) and low backdoor Attack Success Rate (ASR). After unlearning, the global model should still have high ACC but now exhibit high ASR on triggered inputs. This threat model is significant because the adversary can fully comply with federated learning and GDPR-style unlearning protocols while still compromising the final model (Lu et al., 21 Aug 2025).
2. Attack construction and activation mechanism
BadFU proceeds in three phases: data preparation, federated training, and federated unlearning. During data preparation, the malicious client samples a small set from its local data, covering all classes, and randomly splits it into two disjoint sets. The first, of size , is converted into poisoned backdoor samples by applying a trigger pattern 0 and relabeling each sample to the target label 1. The second, 2 of size 3, is converted into camouflage samples by applying the same trigger pattern 4 while keeping the original label unchanged (Lu et al., 21 Aug 2025).
During federated training, each client receives the global model 5, performs local SGD on its local data, and sends an update to the server. The malicious client trains on the union 6 with a local loss
7
where
8
9
and
0
The server aggregates updates in the usual federated manner. In FedSGD form, the global aggregation is
1
Throughout training, the gradient from 2 counteracts 3, so the backdoor remains dormant and pre-activation ASR stays low (Lu et al., 21 Aug 2025).
Activation occurs during federated unlearning. After training, the malicious client submits an unlearning request for 4. The server then invokes its unlearning mechanism, either exact retraining or approximate unlearning, to remove the influence of 5 from the global model. Since the counter-gradient contributed by 6 is removed while the influence of 7 remains, the hidden backdoor becomes active and ASR rises sharply. The attack therefore uses the unlearning stage not merely as a post-processing step but as the trigger for backdoor activation (Lu et al., 21 Aug 2025).
3. Formal objective and evaluation criteria
The global federated learning objective is
8
The malicious client’s contribution alters this objective by embedding both backdoor and camouflage terms into its local loss, and the corresponding global update contribution is written as
9
This formulation captures the central mechanism of the attack: the backdoor signal and the camouflage signal coexist during training, but only the camouflage signal is later targeted for removal (Lu et al., 21 Aug 2025).
The unlearning stage is formalized using a pre-unlearning model 0 trained on 1 and a forget set 2. In exact unlearning, the server retrains from scratch on 3 to obtain 4. In approximate unlearning, the goal is to find 5 such that
6
BadFU is effective against both exact and approximate unlearning strategies because the attack relies on removing the masking effect of camouflage samples rather than on any one particular update rule (Lu et al., 21 Aug 2025).
The evaluation uses two standard metrics. Attack Success Rate is
7
and benign accuracy is
8
These metrics are essential because the attack is explicitly designed to keep ACC high while shifting ASR from low before unlearning to high after unlearning (Lu et al., 21 Aug 2025).
4. Experimental validation across frameworks and unlearning strategies
The reported experiments use MNIST with SimpleNN and LeNet-5, and CIFAR-10 and CIFAR-100 with ResNet-18 and VGG-16. The federated setup has 9 clients with non-IID partitioning under either a dominant-class split, where 70% of each client’s data comes from 2 classes, or a Dirichlet split with 0 for MNIST and 1 for CIFAR. The federated learning frameworks are FedAvg, FedSGD, and FedProx. Local optimization uses SGD with learning rate 2, batch size 3, and 4 epochs for FedAvg and FedProx or 5 epoch for FedSGD, over approximately 6 global rounds. The backdoor ratio is less than 2% of global data, such as 1,000 samples in MNIST and 850 in CIFAR, and the camouflage ratio varies from 7 to 8 the backdoor size (Lu et al., 21 Aug 2025).
The unlearning methods evaluated include exact retraining and the approximate methods FedEraser, FedU, and SIFU. Under FedAvg with the dominant-class split, representative results show that on MNIST with SimpleNN, the pre-activation model has ACC approximately 9 and ASR approximately 0. After retraining, ACC is approximately 1 and ASR approximately 2. After FedEraser, ACC is approximately 3 and ASR approximately 4. On LeNet-5, pre-ASR is approximately 5, and post-ASR reaches up to 6 with retraining and 7 with FedEraser. On CIFAR-10 with ResNet-18, pre-ASR is approximately 8, while post-ASR exceeds 9 under retraining and 0 under FedEraser (Lu et al., 21 Aug 2025).
Several ablation-style observations clarify the attack’s operating regime. As the number of camouflage samples increases, pre-activation ASR decreases, indicating stronger masking, while post-activation ASR remains above 1 regardless. Byzantine-robust aggregation methods such as Median and Trimean suppress pre-ASR below 2, but post-ASR remains above 3. Neural Cleanse fails to flag the BadFU-backdoored model. The same qualitative pattern appears under Dirichlet splits and with FedProx and FedSGD. On CIFAR-100, more camouflage is required—specifically 4 the backdoor size—to suppress pre-ASR below 5, yet post-ASR still remains above 6–7. Comparable attack performance is also observed against FedU and SIFU approximate unlearning (Lu et al., 21 Aug 2025).
These results indicate that BadFU is not limited to one model family, one dataset, one federated optimizer, or one unlearning mechanism. The empirical pattern is instead tied to the attack’s core logic: a backdoor can remain masked during training and become effective only when a legitimate unlearning request removes the masking samples.
5. Position within the federated unlearning threat landscape
BadFU occupies the integrity dimension of federated unlearning risk. Federated unlearning is intended to extend the “right to be forgotten” into federated learning, where a global model is trained by aggregating updates from multiple clients without ever seeing their raw data. Yet realistic federated unlearning already faces fairness and data heterogeneity problems: exact methods can impose full retraining costs on uninvolved clients, while approximate methods can degrade performance for clients that share parameters with the forgotten class. Under realistic cross-domain heterogeneity, coarse edits can severely increase fairness disparity and collapse unrelated knowledge (Huang et al., 8 Oct 2025).
Within that landscape, BadFU shows a different failure mode. The issue is not only that unlearning can be inefficient or unfair, but that adversaries may exploit the unlearning process itself to compromise the global model. This is consistent with the broader observation that existing federated unlearning methods often focus on efficiency and utility rather than integrity under adversarial unlearning requests (Lu et al., 21 Aug 2025).
A second adjacent risk is privacy leakage. DRAUN shows that a malicious server can reconstruct data requested for removal from optimization-based federated unlearning updates, despite the decentralized, client-driven structure of federated unlearning. In that threat model, the server is honest-but-curious, has white-box access to the global model, receives the client’s unlearning update, and aims to reconstruct the actual unlearned inputs (Lamri et al., 2 Jun 2025). Taken together, these lines of work show that federated unlearning can fail along multiple axes: fairness under realistic heterogeneity, privacy of the forgotten data, and integrity of the post-unlearning model.
A common misconception is that privacy or compliance mechanisms automatically strengthen system security. The available evidence points in the opposite direction for federated unlearning: unlearning introduces new attack surfaces that are not covered by conventional federated-learning defenses and are not exhausted by benign utility analyses.
6. Security implications and defensive directions
The principal implication of BadFU is that unlearning opens a new stealthy backdoor-activation vector that traditional federated-learning defenses do not cover (Lu et al., 21 Aug 2025). A malicious client can comply with standard training behavior and later submit an apparently legitimate unlearning request whose effect is to activate a previously hidden backdoor. This explains why robust aggregation and anomaly detection during training are insufficient on their own: the decisive change occurs when the camouflage gradients are removed.
Several defensive directions are identified. Unlearning-request inspection would analyze which samples a client wants to unlearn, flagging requests whose samples bear the global trigger pattern or appear to have been heavily used to counteract unusual gradients. Differentially private unlearning would inject DP noise during the unlearning update step to mask the removal of camouflage gradients, although this comes at some utility cost. Dual-model monitoring would compare model behavior before and after unlearning on a held-out canary set with and without the trigger, so that a sudden ASR spike can raise an alarm. Certified unlearning with integrity guarantees would aim to provide formal bounds on how much each sample’s removal can shift decision boundaries. Joint training and unlearning auditing would log influence or sensitivity throughout training so that requests targeting samples with abnormally high or extremely negative influence can be treated cautiously (Lu et al., 21 Aug 2025).
These defenses remain proposals rather than resolved solutions. A plausible implication is that secure federated unlearning requires explicit treatment of post-unlearning behavior, not only training-time robustness. The broader federated unlearning literature reinforces the same conclusion from other angles: fairness-aware methods seek to confine edits to neurons dominant for the forgotten data while preserving retained utility across heterogeneous clients (Huang et al., 8 Oct 2025), and privacy work shows that update-level leakage may require additional protections such as differential privacy or certified mechanisms (Lamri et al., 2 Jun 2025). In this sense, BadFU marks federated unlearning as a security-sensitive protocol stage in its own right, rather than a purely administrative extension of model training.