Federated Transfer Learning Overview
- Federated Transfer Learning is a collaborative paradigm that combines federated learning with cross-domain transfer to address limited overlap in data samples and features.
- It employs methods like representation alignment, knowledge distillation, and parameter partitioning to adapt pre-trained models for heterogeneous client environments.
- FTL enhances model performance and privacy by ensuring data remains local while reducing communication overhead through efficient transfer strategies.
Federated Transfer Learning (FTL) is a collaborative learning paradigm that combines the decentralized optimization of federated learning with the cross-domain adaptation mechanisms of transfer learning. In the strict survey taxonomy, FTL addresses settings in which participating parties have limited overlap in both feature space and sample space; in broader contemporary usage, it also denotes federated systems that use pre-trained models, representation alignment, distillation, or personalization to cope with domain, task, modality, or model heterogeneity while keeping raw data local (Saha et al., 2020, Hallaji et al., 2022, Guo et al., 2024).
1. Conceptual scope and taxonomy
The classical federated taxonomy distinguishes horizontal federated learning, vertical federated learning, and federated transfer learning by the overlap structure of feature and sample spaces. Let party have sample space and feature space , and party have and . Horizontal FL assumes large feature overlap and small sample overlap; vertical FL assumes large sample overlap and small feature overlap; FTL corresponds to the regime in which both and are small, so knowledge must be transferred across heterogeneous domains rather than aggregated under a common schema (Saha et al., 2020).
This strict definition coexists with a broader applied usage. Many recent systems described as FTL operate in horizontally federated settings but rely on transfer learning to initialize a shared backbone, freeze general layers, personalize task heads, or distill knowledge across clients. The literature therefore uses the same term for two partially overlapping ideas: a low-overlap cross-domain federation in the classical sense, and a broader family of federated adaptation schemes for heterogeneous clients. This suggests that “FTL” is best understood as a transfer-enabled layer on top of FL rather than as a single protocol class.
The same expansion appears in work on foundation models. A general FTL-FM framework formalizes three settings: FM-to-DM transfer, in which a server-side foundation model is adapted to client domain models; DM-to-FM transfer, in which client domain knowledge updates a server model; and co-optimization, in which server and client models are jointly optimized under privacy constraints (Kang et al., 2023). In that formulation, FTL is not restricted to one architectural pattern; it is a federated substrate for grounding, distillation, prompt tuning, split learning, and parameter-efficient adaptation.
2. Core methodological patterns
At the optimization level, most FTL methods begin from the federated empirical risk minimization template
with a standard FedAvg update
What makes an FL system an FTL system is the addition of transfer structure: a pre-trained initialization, a representation-alignment loss, a distillation term, or an explicit separation between global and local parameters (Hallaji et al., 2022).
One major family uses representation alignment. Here, each client learns or receives an encoder whose latent outputs are forced toward a shared geometry. Typical losses include Maximum Mean Discrepancy,
0
CORAL,
1
and adversarial domain alignment, which trains a discriminator to make source and target latent codes indistinguishable (Saha et al., 2020). These mechanisms are prominent when feature distributions differ but some latent commonality is assumed.
A second family uses knowledge distillation. Instead of exchanging parameters, clients or servers exchange logits, soft targets, or posterior statistics. A standard distillation loss is
2
where 3 is a teacher, 4 a student, 5 the temperature, and 6 the hard/soft balance (Hallaji et al., 2022). In FTL-FM systems, the teacher may be a server-side foundation model and the student a client-side domain model, or the direction may be reversed (Kang et al., 2023).
A third family uses parameter partitioning and personalization. Shared lower layers are treated as transferable, while upper layers remain task-specific or client-specific. A common personalized objective is
7
which stabilizes transfer by tying local models 8 to a global anchor 9 while permitting client adaptation (Hallaji et al., 2022). This logic underlies architectures with pre-trained, common, task-specific, and personal layers (Keçeci et al., 2022).
A fourth family is feature-based FTL. Rather than uploading gradients, clients compute a fixed extractor 0, upload features 1 and labels 2 once, and let the server train a task head 3 centrally. This collapses the communication loop from iterative parameter exchange to one-shot feature transfer, at the cost of exposing intermediate representations rather than weights (Wang et al., 2022, Wang et al., 2024).
3. Privacy, security, and adversarial surface
The minimal privacy claim in most FTL systems is locality: raw data never leave the client, and only model parameters, gradients, logits, or features are exchanged. That claim is weaker than a formal privacy guarantee. Several domain-specific application papers explicitly protect patient or industrial data by keeping them on premises, yet do not implement differential privacy, secure aggregation, or cryptographic protection of intermediate signals (Jan et al., 9 Sep 2025, Ju et al., 2020, RahimiZadeh et al., 6 Jan 2025, Rajesh et al., 2023, Eslaminia et al., 2024).
The security literature treats this gap as central. In FTL, attack surfaces include membership inference, property inference, model inversion, gradient leakage, linkage attacks during entity alignment, data poisoning, model poisoning, and transfer-specific backdoors inherited from pre-trained teachers (Hallaji et al., 2022). A recurring misconception is that “no raw data sharing” is equivalent to strong privacy; the survey literature rejects that view, because logits, gradients, and aligned intermediate features can remain highly informative.
Cryptographic FTL protocols attempt to close this gap. Secure two-party FTL frameworks use homomorphic encryption or secret sharing to compute joint loss and gradient terms over overlapping users without exposing features or labels. In the WeBank/FATE line, the two parties learn local representations 4 and 5, then securely optimize a loss that combines supervised transfer, representation alignment, and regularization (Liu et al., 2018). Later work replaces the heavy homomorphic-encryption pipeline with secret sharing and SPDZ, extending security from the semi-honest setting to malicious adversaries with dishonest majority (Sharma et al., 2019).
Differential privacy provides a different guarantee class. In the survey literature, local or distributed DP is applied by perturbing gradients or logits with Gaussian noise calibrated as
6
where 7 is sensitivity (Hallaji et al., 2022). A more formal recent development is federated differential privacy, which provides per-site privacy without assuming a trusted server and yields minimax rates for mean estimation and linear regression that are intermediate between the central and local DP models (Li et al., 2024).
Security concerns are not limited to inference leakage. Backdoor behavior can be altered by the transfer structure itself. In FTL pipelines with frozen feature extractors and trainable classifier heads, conventional trigger-learning attacks may fail because the feature extractor no longer adapts, but a focused attack can still exploit the extractor’s saliency map and distilled target-class information; one such attack reports an average 8 attack success rate and remains effective against several standard FL defenses (Arazzi et al., 2024).
4. Systems, communication, and computational trade-offs
A defining practical tension in FTL is that stronger privacy protection often increases communication and runtime. A detailed systems study of a real FTL implementation in FATE on Google Cloud found that end-to-end task completion time for logistic regression was about 9 slower than a distributed baseline in the homogeneous case and about 0 slower in the heterogeneous case. The paper identifies inter-process communication as the dominant bottleneck, notes that IPC and memory copies can occupy up to 1 of total completion time, reports that encryption makes training more than 2 slower than an unencrypted baseline, and shows that worldwide deployment can push communication to roughly one third of total runtime (Jing et al., 2019).
This cost profile has motivated alternative communication structures. Feature-based FTL replaces iterative gradient uploads with one-shot feature uploads. In a VGG-16 to CIFAR-10 experiment, reported total uplink payloads were 3 Tb for FL, 4 Tb for full-model FTL, 5 Tb for head-only FTL, and 6 Gb for feature-based FTL, while head-only FTL and feature-based FTL both achieved 7 accuracy (Wang et al., 2022). A subsequent extension adds packet-loss, quantization, and privacy analyses, and reports comparable task performance in both image classification and NLP while maintaining multi-order-of-magnitude communication reductions (Wang et al., 2024).
Other systems reduce cost by restricting the trainable parameter subset. In wideband spectrum sensing, general-feature layers 8 are frozen, only domain-specific layers 9 are aggregated, and 0 of the heavy FC1 layer is pruned by magnitude, reducing both computation and communication (Jia et al., 2024). In lithology microscopy, only the classifier head is transmitted after the first round, while a frozen Inception-ResNet v2 backbone remains local (RahimiZadeh et al., 6 Jan 2025). In FTL-FM, the same logic reappears as adapters, LoRA modules, soft prompts, split learning, and offsite tuning, all of which aim to move only a small transferable subspace rather than a full foundation model (Kang et al., 2023).
These results make clear that “transfer” in FTL is not only statistical. It is also a systems strategy for reducing round complexity, shrinking payloads, and constraining what part of a model must be exposed across organizational or device boundaries.
5. Representative application domains
The empirical literature is highly application-specific. Most reported systems instantiate FTL by selecting a transferable backbone, defining which layers are shared or frozen, and adding domain-adaptation or personalization terms suited to the signal modality.
| Domain | FTL mechanism | Reported outcome |
|---|---|---|
| Digital-twin CT analysis | DenseNet-121 pre-trained on CheXpert, local fine-tuning at hospital digital twins, weighted FedAvg | Overall accuracy 1, versus 2 for FL and 3 for CFL (Jan et al., 9 Sep 2025) |
| EEG motor imagery | SPD covariance input, subject-specific manifold reduction, MMD-based alignment, FedAvg | Subject-adaptive accuracy 4; subject-specific FTL 5, about 6 above other DL baselines (Ju et al., 2020) |
| Ultrasonic metal welding | Shared base layer, task-personalized upper layers, FedProx and L2R regularization | 7–8 improvement over state-of-the-art FL baselines on unseen target domains (Eslaminia et al., 2024) |
| Lithology microscopy | Frozen Inception-ResNet v2 base, head-only federation, fine-tuned aggregation via Golden Section Search | FTA-FTL within 9 pp of centralized accuracy under IID and 0 pp under non-IID data (RahimiZadeh et al., 6 Jan 2025) |
| Label-free equipment fault diagnosis | Vertical unsupervised FTL with conditional adversarial alignment and joint output-space alignment | Diagnosis accuracy improved by up to 1 times over baselines in harsh heterogeneous settings (Shen et al., 2023) |
| Multimodal audio-image IoT | Group-by-modality federated training, supervised unimodal learning, self-supervised multimodal contrastive learning, cross-group parameter transfer | Image accuracy up to 2; audio accuracy up to 3, improving on unimodal FL baselines (Sun, 2022) |
Other domains extend the same pattern. Wideband spectrum sensing uses frozen convolutional feature extractors, head-only aggregation, and model pruning to support zero-shot or low-shot scenario adaptation under sub-Nyquist sampling (Jia et al., 2024). IIoT intrusion detection uses a server-pretrained Combo-NN, then client-side fine-tuning and weighted aggregation; in the reported two-client experiment, the server achieved 4 accuracy at the first iteration (Rajesh et al., 2023). Foundation-model grounding generalizes these application designs into prompt transfer, adapter aggregation, split FM training, and distillation between server and client models (Kang et al., 2023).
A common pattern across these applications is that transfer is rarely abstract. It is embodied in a particular architectural decision: frozen convolutional blocks, a shared SPD manifold, a common base MLP, a distilled feature extractor, or a task-specific head. This suggests that FTL is best viewed as an architectural and protocol design space rather than as a single algorithm.
6. Limitations, misconceptions, and emerging directions
The first limitation is terminological. Some papers use FTL for the strict low-feature-overlap, low-sample-overlap regime, while others use it for horizontal FL with pre-training and local fine-tuning. The term therefore carries both a narrow taxonomic meaning and a broader engineering meaning. Treating these as interchangeable can obscure whether a method solves cross-feature transfer, domain adaptation, or simply initialization and personalization.
The second limitation is empirical under-specification. Many application papers omit core details such as client count, hyperparameters, communication rounds, latency modeling, or hardware environment. The digital-twin CT paper does not partition data among hospitals in the experiment and does not simulate network latency (Jan et al., 9 Sep 2025). The IIoT intrusion-detection study reports only two clients and two iterations (Rajesh et al., 2023). The EEG study uses a two-client transfer setup in which 5 good subjects are aggregated against one bad subject (Ju et al., 2020). These designs are useful proofs of concept, but they are not comprehensive stress tests of large-scale federation.
The third limitation is the privacy–utility–robustness triangle. Cryptographic FTL improves confidentiality but can be expensive; lightweight application pipelines often rely only on data locality; and formal DP improves privacy but degrades accuracy, especially with small client populations or heavy heterogeneity (Hallaji et al., 2022). Theoretical work on federated differential privacy now quantifies these costs for classical statistical problems and shows that the federated model sits between central and local DP, but analogous theory for deep FTL remains limited (Li et al., 2024).
The fourth limitation is adversarial robustness. Surveys identify poisoning, alignment leakage, and transfer-specific backdoors as persistent threats (Guo et al., 2024). The focused-backdoor result for frozen-extractor FTL is especially instructive because it undermines the intuition that transfer freezing automatically hardens the system (Arazzi et al., 2024).
The main open directions are correspondingly broad. Security surveys highlight decentralized FTL, scalable secure alignment, certified robustness under poisoning and backdoors, and adaptive defenses tailored to heterogeneous federations as unresolved problems (Hallaji et al., 2022). The FTL-FM agenda adds ownership-preserving grounding of foundation models, efficient PEFT under federation, and joint optimization of privacy, utility, efficiency, robustness, and fairness (Kang et al., 2023). The most general statement in the literature remains that simultaneous convergence, generalization, efficiency, privacy, attack resilience, and fault tolerance are jointly unsolved objectives in FTL (Hallaji et al., 2022).
FTL has therefore evolved from a narrow response to low-overlap data federation into a broad design framework for privacy-constrained transfer across clients, institutions, modalities, and model families. Its unifying idea is stable: use transfer mechanisms to make federation work under heterogeneity. Its unresolved question is equally stable: how to do so with formal privacy, adversarial robustness, and system efficiency at once.