Federated & Split Learning Attacks
- Federated and split learning attacks are adversarial methods that exploit distributed ML protocols to compromise data confidentiality and model performance.
- They target vulnerabilities at client, server, and cross-party levels through manipulations of activations, gradients, and model updates.
- Robust defenses, including noise-based obfuscation, regularization, and anomaly detection, help mitigate these threats with minimal impacts on utility.
Federated and split learning attacks refer to adversarial efforts that undermine confidentiality, integrity, or availability in distributed collaborative ML protocols, specifically federated learning (FL), split learning (SL), and their hybrids such as split federated learning (SFL) or SplitFed. These attacks exploit protocol-level mechanics, model update exchanges, or intermediate representations to inflict privacy leakage, performance degradation, model misalignment, intellectual property theft, or unauthorized inference of private inputs and labels. This entry synthesizes results from recent research on arXiv, with special attention to empirical methodologies, rigorous threat models, and theoretically substantiated defense mechanisms.
1. Distributed Learning Protocols and Attack Surfaces
Federated learning (FL) distributes model training across clients that hold local data, exchanging weight updates via aggregation servers. Split learning (SL) or vertical federated learning (VFL) partitions the model at one or more cut layers, with each party forwarding intermediate activations ("smashed data") but never raw inputs to a coordinator, which completes the forward and backward pass. Split federated learning (SFL) and SplitFed ("hybrid SFL") combine split-model training with federated aggregation of client-side weights. These frameworks expand the adversarial attack surface:
- Client-side attacks: Malicious clients manipulate local training data, activations, or weight updates to poison model convergence or induce backdoors.
- Server-side attacks: Curious or malicious servers reconstruct inputs from intermediate activations, intervene in the training protocol to impose extractable latent spaces, or manipulate gradients and activations for inference.
- Cross-party attribute/label inference: Parties with partial knowledge of features, embeddings, or gradients exploit protocol observables to re-identify raw attributes or labels.
Distinct separation between model poison attacks (availability and integrity) and inference/model extraction attacks (privacy and IP) is essential due to differing system-level impact and defense strategies (Wan et al., 2023, Ismail et al., 2023, Zhu et al., 2023).
2. Poisoning Attacks in Federated, Split, and SplitFed Learning
Data and model poisoning attacks aim to degrade accuracy, install backdoors, or misalign the learning process of distributed models. Key classes include:
- Model Poisoning in FL and SplitFed: Malicious clients optimize updates to steer aggregation away from the benign trajectory. In SplitFed, the client-side stub model is much smaller, massively reducing the effective perturbation space and improving robustness to model poisoning compared to FL, which suffers from the curse of dimensionality; up to a 5x reduction in attack efficacy is observed in SplitFed under strong optimization-based attacks (Khan et al., 2022).
- Label/Data/Smashed Data/Weight Poisoning in SFL: HealSplit categorizes attacks into label poisoning (label flips or shifts), data poisoning (input perturbation), smashed data perturbation (altered cut-layer activations), and model weight tampering (Xie et al., 14 Nov 2025). An additional "multi-vector" attack composes any subset of these modalities. Attackers controlling even 20% of clients can induce substantial global accuracy collapse or targeted misclassification (Ismail et al., 2023).
- Backdoor Attacks in VFL/SL/SFL: Clean-label backdoors in VFL/SL operate under the restriction that adversaries cannot see or change labels directly; instead, the attacker infers likely labels from auxiliary data, places triggers at salient feature regions, and manipulates embeddings to force the server-side model to misclassify trigger-embedded samples at inference (Naseri et al., 2023). Server-side backdoor injection in split learning is shown to be largely ineffective if the split is "deep," i.e., if substantial layers remain client-resident; increasing the cut-layer depth "buries" the trigger such that gradients cannot propagate effective backdoor signals (Tajalli et al., 2023).
- MISA (Misalignment Attack) in SFL: The MISA attack (misalignment poisoning) targets both the client-side and server-side models in SFL by injecting adversarial updates that drive the global model into a misaligned state, resulting in a catastrophic collapse of accuracy and model performance—directly challenging claims of robust aggregation in SFL/hybrid approaches (Wan et al., 2023).
Table: Poisoning Attack Archetypes and Impact
| Protocol | Attack Vector | Observed Impact |
|---|---|---|
| FL | Model updates | 29–49% accuracy drop under attack |
| SplitFed(SF) | Local stub model | 0–9% accuracy drop (v1 split) |
| SFL | Label/smashed data | ΔAcc: 2–16% (untargeted @ 20–40%) |
| VFL | Embedding backdoor | Attack success 70–89% (modest MTA drop) |
Attack success and impact vary with cut-layer selection, number and proportion of malicious clients, and aggregation strategies (FedAvg, trimmed mean, median) (Khan et al., 2022, Ismail et al., 2023, Tajalli et al., 2023).
3. Inference, Reconstruction, and Model Extraction Attacks
The privacy of intermediate activations and gradients is not guaranteed by model partitioning. Research demonstrates:
- Feature and Input Inversion (MI): Honest-but-curious servers can train decoders on auxiliary data to reconstruct client inputs from smashed activations with mean squared error as low as 0.005 in SFL without defense; ResSFL (resistance transfer) increases this to 0.050 with <1% accuracy cost by pretraining resistant feature extractors (Li et al., 2022). U-shaped SFL/SL architectures are similarly vulnerable unless input privacy is cryptographically enforced (Zaland et al., 19 Feb 2026).
- Passive Inference with Adversarial Regularization: The SDAR framework leverages an adversarially regularized simulator and decoder to passively invert smashed data and infer labels in both vanilla SL and U-shaped SL, achieving sub-0.025 MSE input recovery and >98% label inference accuracy at deep splits, matching or exceeding active attack performance (Zhu et al., 2023).
- Model Extraction Attacks: Malicious SFL clients reconstruct the full server-side model by querying gradients for crafted activations and matching surrogate loss or gradient patterns. Five variants—data-free (Craft-ME, GAN-ME), gradient-matching, supervised (Train-ME), and hybrid gradient-supervised (SoftTrain-ME)—achieve up to 99% fidelity with <2% utility loss when the server-side is sufficiently shallow. As the server holds more layers, extraction becomes harder, but privacy of intermediate activations becomes weaker (Li et al., 2023).
- Gradient-based Label Inference: Attacks recover both discrete and continuous labels by exploiting gradients passed across the split. For regression, attackers can invert the true label with average L1 error of 2.3 on Boston Housing—3× better than surrogate baselines—by optimizing dummy labels and surrogate models to fit the observed gradient on the fly (Xie et al., 2023). In vertical FL, similar reconstruction and attribute inference is possible even with small auxiliary knowledge (Zhang et al., 2021, Weng et al., 2020).
4. Defense Mechanisms Against Attacks
Defensive techniques focus on limiting information leakage or correcting poisoning at protocol and model levels:
- Noise-based Defenses: Additive Laplacian or Gaussian noise to either smashed activations (Titcombe et al., 2021), raw inputs (Zaland et al., 19 Feb 2026), or gradients (Zhu et al., 2023) increases MSE and perception error for inversion attackers within a controlled utility margin (1–2% accuracy drop at typical privacy settings).
- Structural Regularization: Minimizing distance correlation (NoPeekNN) between inputs and activations (Titcombe et al., 2021), or adversarial feature extractor pretraining (ResSFL) (Li et al., 2022), achieves privacy-utility tradeoffs by reducing invertibility of representations.
- Secure Dimension Transformation and Label Hiding: Label extension and secure dimension transformation (SecDT) inflate the label or embedding space and decouple true targets from observable gradients. Gradient norm normalization and softmax-normalized noise erase class-dependent signal and obfuscate the dimensionality of the true label space, reducing attack AUC by >0.45 under various metrics with sub-2% utility loss (Jiang et al., 2024, Qiu et al., 2023).
- Anomaly Detection and Generative Recovery: HealSplit introduces topology-aware anomaly detection on the graph of smashed activations to identify poisoned points, then regenerates semantically consistent replacements using a generative adversarial network and multi-teacher adversarial distillation. This modular approach consistently maintains >92% accuracy against poisoning composites, outperforming ten established baselines (Xie et al., 14 Nov 2025).
Table: Defensive Approaches and Quantitative Privacy Gains
| Defense | Core Mechanism | Efficacy (MSE/Accuracy) |
|---|---|---|
| Additive noise | Laplacian/Gaussian | 0.005→0.050 (MSE), <1% accuracy loss |
| Resistance transfer | Attacker-aware pretrain | MSE ~0.050 on CIFAR-100 |
| SecDT | Label inflation+norm | Attack AUC drop: 0.45, <2% utility loss |
| HealSplit | Topo-GAN+Distill | >92% accuracy, all attack scenarios |
Efficiency, tuning, and adaptation to system/data heterogeneity are critical considerations for scalable deployment (Wang et al., 18 Sep 2025).
5. Advanced and Composite Attacks: Adaptivity and Future Trends
- Adaptive Attacks: Adversaries can minimize topological anomaly detection discrepancies or exploit mask distribution learning in probabilistic mask-based defenses (Xie et al., 14 Nov 2025, Wang et al., 18 Sep 2025).
- Compositional Poisoning: Multi-vector attacks combine label, data, and model poisoning, requiring defenses robust to low-visibility, high-complexity attack blends.
- Model Extraction Under Query Restrictions: When prediction APIs are blocked, gradient-based extraction still enables high-fidelity model theft, though increased client-side regularization or gradient obfuscation can significantly raise the attack difficulty (Li et al., 2023).
- Active Server-side Hijacking: Servers can manipulate training by forging reversed gradients that maximize alignment with an attacker-held latent space, enabling full input recovery even if clients attempt to minimize invertibility (Pasquini et al., 2020).
- Cross-Protocol Threats: Techniques generalized from federated learning (GAN-based inversion, model extraction) readily transfer to split/splitfed settings, closing the apparent security gap between architectures (Pasquini et al., 2020, Li et al., 2023).
Research continues to focus on the synthesis of cryptographic protections, certified privacy guarantees, and adaptive system-level anomaly detection as essential for sustainable defense.
6. Open Problems, Limitations, and Practical Recommendations
- Tradeoff Calibration: Most defenses introduce an explicit privacy-utility tradeoff, with many achieving strong privacy at minimal utility cost (usually <2%) when parameters are properly tuned (Jiang et al., 2024, Li et al., 2022, Xie et al., 14 Nov 2025).
- Scalability and System Heterogeneity: Probabilistic mask-based protocols with knowledge compensation enable participation of resource-limited clients without requiring all to run identical models (Wang et al., 18 Sep 2025).
- Cryptographic and Secure Aggregation Approaches: While cryptographic protocols (MPC, DP, homomorphic encryption) provide information-theoretic protection, their integration with SFL remains challenging in high-throughput, system-heterogeneous environments (Weng et al., 2020).
- Theoretical Limits: There is an ongoing need to formalize information-theoretic bounds on reconstruction risk and attack detectability in high-dimensional, non-convex, and asynchronous settings.
- Adaptive and Unknown Attack Models: Most existing approaches assume honest-but-curious or static adversaries; robustness against collusion, adaptive contamination, or protocol-aware evasion is not fully established.
In summary, federated and split learning attacks constitute a broad, rapidly evolving threat domain. While compositional defenses with theoretically substantiated guarantees are closing the gap, sustainable deployment in adversarial settings requires careful protocol design, robust model and data regularization, and ongoing adjustment to system-specific threat models (Xie et al., 14 Nov 2025, Wan et al., 2023, Zaland et al., 19 Feb 2026, Wang et al., 18 Sep 2025).