Papers
Topics
Authors
Recent
Search
2000 character limit reached

FedThief in Self-Centered Federated Learning

Updated 9 July 2026
  • FedThief is a federated learning attack framework that exploits self-centered objectives to weaken the global model while enhancing the attacker’s private model.
  • It employs a multi-model approach—maintaining private, malicious, and error models—with a divergence-aware ensemble for effective model distillation.
  • Empirical evaluations on datasets like MNIST, Fashion-MNIST, and CIFAR-10 demonstrate significant attacker advantages even under robust aggregation defenses.

FedThief is a federated learning attack framework proposed for Self-Centered Federated Learning (SCFL), a threat paradigm in which malicious participants do not merely sabotage the shared model but also seek a private competitive advantage by building a stronger model for themselves (Zhang et al., 30 Aug 2025). In this formulation, the attacker’s objective is explicitly dual: to degrade the performance of the global model used by other participants while enhancing its own model within the same federated process. FedThief realizes that objective by poisoning uploaded updates and, in parallel, training a separate private pathway supported by a divergence-aware ensemble mechanism. In adjacent work, “FedThief-style” is sometimes used more loosely for federated model theft or data extraction; however, the specific method named FedThief refers to this SCFL attack on federated image classification rather than to ownership watermarking, traitor tracking, or gradient inversion (Zhang et al., 30 Aug 2025).

1. Self-Centered Federated Learning and the FedThief threat model

FedThief is formulated in a standard centralized FL system for a CC-class image classification task with NN clients, a central server, client-local private datasets, and iterative communication rounds. Each client ckc_k owns a local dataset

Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},

where xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}, yki{0,1}Cy_k^i \in \{0,1\}^C, and Dk=Nk|D_k| = N_k. Each client trains a local model f(θk)f(\theta_k), with parameters θkRdθ\theta_k \in \mathbb{R}^{d_\theta}, mapping inputs to class predictions (Zhang et al., 30 Aug 2025).

The threat model assumes that a fraction α\alpha of clients are malicious, with the full client set denoted by NN0 and the malicious subset by NN1. The paper adopts the standard FL vulnerability that uploaded updates cannot be directly verified. This places FedThief within the model-poisoning or Byzantine-attack landscape, but its attacker utility differs from conventional sabotage-only formulations. Existing attack strategies, in the paper’s framing, typically upload tampered updates to degrade the global model and thereby also degrade the attacker’s own local model, yielding no private advantage. FedThief instead targets a rational, self-interested adversary whose goal is to outperform other participants, not merely to reduce system-wide accuracy (Zhang et al., 30 Aug 2025).

The attacker’s advantage is quantified through the difference between malicious ensemble accuracy and global-model accuracy,

NN2

A successful attack is therefore one that produces both a low NN3 and a high NN4. This metric is central because it makes explicit that FedThief is not satisfied with global degradation alone; it seeks asymmetry in favor of the attacker (Zhang et al., 30 Aug 2025).

2. Architectural decomposition of the malicious client

The distinctive mechanism in FedThief is a multi-model malicious client. Rather than using a single local model for both participation and attack, each malicious participant maintains four components: a private model NN5, a malicious model NN6, an error model NN7, and an ensemble model realized through a learned local ensemble head NN8 (Zhang et al., 30 Aug 2025).

The private model is optimized for the attacker’s own utility. The malicious model is the model that interacts with the federated protocol and generates poisoned uploads. The error model tracks degradation induced by poisoned updates. The ensemble component combines the outputs of the other models and serves as a teacher for knowledge distillation back into the private model. The malicious client also splits its local dataset into NN9 and ckc_k0, using roughly ckc_k1 of local data for validation and the remainder for training (Zhang et al., 30 Aug 2025).

The paper emphasizes two mechanisms. First, the attacker degrades the global model by uploading modified content during the upload stage. Second, it enhances its own model through divergence-aware ensemble techniques that integrate global updates and local knowledge. An important technical clarification is that the paper does not provide a separate explicit mathematical divergence metric formula such as a parameter distance or KL-based divergence specifically designated as “the” divergence measure. “Divergence-aware” is instead realized architecturally through the simultaneous maintenance of ckc_k2, ckc_k3, and ckc_k4, which encode different trajectories relative to the global process (Zhang et al., 30 Aug 2025).

This separation is the core novelty. A conventional poisoning attacker uses one model and therefore damages both the federation and its own training path. FedThief decouples “what is uploaded” from “what is retained,” allowing the malicious client to preserve and refine a stronger private model while still participating in global degradation.

3. Optimization objectives and round-level mechanics

At round ckc_k5, the malicious model is trained on local training data to produce

ckc_k6

The uploaded malicious gradient is then constructed as

ckc_k7

where ckc_k8 is a Byzantine attack function, ckc_k9 is an adversarial direction, and Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},0 controls perturbation magnitude (Zhang et al., 30 Aug 2025). The paper does not define a bespoke layer-wise poisoning rule as part of FedThief itself; instead, FedThief is a framework that wraps existing attack backends. In experiments, Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},1 is instantiated with LIE, Min-Sum, and FedGhost, chosen because they do not require knowledge of benign updates or the exact server aggregation rule (Zhang et al., 30 Aug 2025).

The server aggregates malicious and benign updates as

Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},2

The malicious model is then synchronized with the global direction: Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},3 This preserves alignment with the federated trajectory and supports stealth. Separately, the private model computes

Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},4

and malicious clients collaboratively update their private models using shared private gradients: Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},5 The error model follows the poisoned path directly: Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},6 These three models thus encode, respectively, a self-serving local trajectory, a globally synchronized poisoned trajectory, and an attack-induced degradation trajectory (Zhang et al., 30 Aug 2025).

The ensemble stage operates in logit space rather than parameter space. For validation inputs, the attacker obtains logits Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},7, Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},8, and Dk={(xki,yki)}i=1Nk,D_k = \{(x_k^i, y_k^i)\}_{i=1}^{N_k},9 from the private, malicious, and error models and trains a multinomial logistic regression head xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}0 with regularized multiclass cross-entropy. The paper states that this logistic regression includes xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}1 regularization and is optimized with L-BFGS until convergence. Local ensemble heads are then averaged across malicious clients: xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}2 The resulting global malicious ensemble serves as a teacher for the private model (Zhang et al., 30 Aug 2025).

Distillation is performed using the standard cross-entropy and KL components: xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}3

xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}4

and the combined objective

xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}5

The private model is finally updated by SGD using xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}6. The operational significance of this design is that the attacker’s private model benefits from both its own supervision and the richer ensemble teacher while remaining insulated from the full damage imposed on the shared global model (Zhang et al., 30 Aug 2025).

4. Experimental setting and empirical behavior

FedThief is evaluated on MNIST, Fashion-MNIST, and CIFAR-10. The models for MNIST and Fashion-MNIST are lightweight CNNs with three convolution layers, ReLU, xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}7 max-pooling, and three fully connected layers. For CIFAR-10, the paper uses an AlexNet variant with five convolution layers, batch normalization, ReLU, max-pooling, and dense layers. The FL setting uses 50 clients, IID equal-sized balanced partitions, and 40 communication rounds. Local optimization uses Adam with learning rate xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}8 and batch size xkiRdinx_k^i \in \mathbb{R}^{d_{\text{in}}}9; local epochs are yki{0,1}Cy_k^i \in \{0,1\}^C0 for MNIST and Fashion-MNIST and yki{0,1}Cy_k^i \in \{0,1\}^C1 for CIFAR-10. Distillation uses temperature yki{0,1}Cy_k^i \in \{0,1\}^C2 and loss coefficient yki{0,1}Cy_k^i \in \{0,1\}^C3. The malicious fraction is evaluated at yki{0,1}Cy_k^i \in \{0,1\}^C4 and yki{0,1}Cy_k^i \in \{0,1\}^C5. Server-side aggregation rules include FedAvg, FedProx, Median, Trimmed-Mean, Multi-Krum, and Bulyan (Zhang et al., 30 Aug 2025).

The principal empirical result is that the malicious ensemble almost always outperforms the global model, especially on more difficult datasets and at higher malicious fractions. On CIFAR-10 with Bulyan, LIE, and yki{0,1}Cy_k^i \in \{0,1\}^C6, the no-attack baseline global accuracy is yki{0,1}Cy_k^i \in \{0,1\}^C7, the attacked global model falls to yki{0,1}Cy_k^i \in \{0,1\}^C8, and the malicious ensemble reaches yki{0,1}Cy_k^i \in \{0,1\}^C9, yielding Dk=Nk|D_k| = N_k0. On CIFAR-10 with FedAvg, MinSum, and Dk=Nk|D_k| = N_k1, the global model reaches Dk=Nk|D_k| = N_k2 while the malicious ensemble reaches Dk=Nk|D_k| = N_k3, giving Dk=Nk|D_k| = N_k4. Under FedProx with the same backend and adversarial fraction, the global model reaches Dk=Nk|D_k| = N_k5 and the malicious ensemble Dk=Nk|D_k| = N_k6, giving Dk=Nk|D_k| = N_k7 (Zhang et al., 30 Aug 2025).

The gains are smaller on easier datasets. On MNIST with FedAvg, LIE, and Dk=Nk|D_k| = N_k8, the global model achieves Dk=Nk|D_k| = N_k9 and the malicious ensemble f(θk)f(\theta_k)0, for an advantage of f(θk)f(\theta_k)1. On Fashion-MNIST, the gains are intermediate: with Multi-Krum, LIE, and f(θk)f(\theta_k)2, the global model reaches f(θk)f(\theta_k)3 and the malicious ensemble f(θk)f(\theta_k)4, for f(θk)f(\theta_k)5. This suggests that task complexity affects the extent to which the multi-model ensemble can extract a self-centered advantage (Zhang et al., 30 Aug 2025).

The paper also reports that the malicious ensemble becomes better early in training and maintains that advantage through the learning process across all six aggregation rules. It further evaluates generalization to data poisoning, specifically Symmetry Flipping and Pair Flipping, under Bulyan with f(θk)f(\theta_k)6. For MNIST with Pair Flipping, the global model reaches f(θk)f(\theta_k)7 and the malicious ensemble f(θk)f(\theta_k)8, for f(θk)f(\theta_k)9. For Fashion-MNIST, the corresponding values are θkRdθ\theta_k \in \mathbb{R}^{d_\theta}0 and θkRdθ\theta_k \in \mathbb{R}^{d_\theta}1, for θkRdθ\theta_k \in \mathbb{R}^{d_\theta}2. For CIFAR-10, they are θkRdθ\theta_k \in \mathbb{R}^{d_\theta}3 and θkRdθ\theta_k \in \mathbb{R}^{d_\theta}4, for θkRdθ\theta_k \in \mathbb{R}^{d_\theta}5 (Zhang et al., 30 Aug 2025).

The ablations reinforce the design choices. For the distillation trade-off, θkRdθ\theta_k \in \mathbb{R}^{d_\theta}6 weakens generalization, too small a θkRdθ\theta_k \in \mathbb{R}^{d_\theta}7 causes the private model to drift toward the global teacher, and the best reported setting is θkRdθ\theta_k \in \mathbb{R}^{d_\theta}8. For the validation split ratio θkRdθ\theta_k \in \mathbb{R}^{d_\theta}9, a moderate split works best; on CIFAR-10 with LIE and α\alpha0, Bulyan yields α\alpha1 at α\alpha2, α\alpha3 at α\alpha4, and α\alpha5 at α\alpha6, while Multi-Krum yields α\alpha7, α\alpha8, and α\alpha9 respectively. Component ablation shows that using only NN00 gives NN01, NN02 gives NN03, NN04 gives NN05, and the full NN06 system gives NN07 on CIFAR-10 at NN08. Distillation temperature is also tuned, with NN09 giving NN10, slightly above NN11 at NN12 and NN13 at NN14 (Zhang et al., 30 Aug 2025).

5. Relation to adjacent uses of “FedThief” in federated-security literature

The term FedThief can be misleading because adjacent papers use “FedThief-style” to refer more broadly to federated extraction or theft, but these works target different assets and channels. FedSpy-LLM is a federated-learning gradient inversion attack aimed at reconstructing private text used to fine-tune LLMs, including PEFT settings such as SLoRA and FedAdapter, from pre-aggregation client gradients or updates observed by an honest-but-curious server or a passive eavesdropper (Meerza et al., 7 Apr 2026). Its two main phases are Token Recovery and Sequence Order Calibration, and its core mechanism is a gradient decomposition strategy based on low-rank subspaces and PEFT null-space regularization. Relative to that line of work, FedThief is not a data reconstruction attack and does not attempt to recover client training examples.

A different neighboring line concerns insider model leakage and post hoc attribution. FedTracker provides ownership verification through a global watermark and source attribution through client-specific fingerprints, with black-box verification for ownership and white-box access required for tracing (Shao et al., 2022). FedCIP similarly addresses a malicious client that repeatedly leaks global models over time, using client-side watermarking, cycle-based watermark replacement, and participant-set intersection for traitor tracking while claiming compatibility with secure aggregation (Liang et al., 2023). These systems are defenses or forensic mechanisms rather than attack frameworks. They do not implement SCFL and do not seek malicious private-model improvement.

A third neighboring thread is centralized black-box model stealing. The study of foundation-model susceptibility to model theft examines hard-label API extraction for image classification, showing, for example, that a ViT-L/16 victim on CIFAR-10 can reach 94.28% agreement, compared with 73.20% for a ResNet-18 victim, when the thief is also ViT-L/16 (Raj et al., 25 Feb 2025). That work is relevant as architectural motivation—shared pretrained representations can increase extractability—but it does not study federated protocols, aggregation, malicious clients, or SCFL.

This distinction is substantive. FedThief, in the narrow sense, is a utility-driven federated poisoning framework. FedSpy-LLM targets training-data extraction from updates. FedTracker and FedCIP target ownership verification and leaker attribution. The FM-stealing study targets centralized hard-label API extraction. Treating all of these as interchangeable “FedThief” variants obscures different assets, observability assumptions, and defender objectives.

6. Limitations, common misconceptions, and significance

Several limitations are explicit in the FedThief formulation. The attack incurs high computational overhead because each malicious client maintains multiple models and trains an ensemble head. It also incurs extra communication overhead because malicious clients share private gradients and ensemble heads among themselves. The private benefit is partly contingent on private data quality; highly imbalanced, sparse, or unrepresentative local data may reduce gains. The paper also notes potential sensitivity under non-IID conditions, while the reported experiments themselves are primarily IID, chosen to isolate attack behavior rather than to study heterogeneity comprehensively (Zhang et al., 30 Aug 2025).

A common misconception is to interpret the “divergence-aware” label as evidence of an explicit divergence penalty or closed-form divergence metric. The paper does not provide such a standalone formula. The divergence concept is encoded through the use of three model trajectories—private, malicious, and error—and the ensemble that learns how to combine them. Another misconception is to view FedThief as merely another Byzantine attack wrapper. That is incomplete: the framework’s defining contribution is not only poisoned upload construction but the preservation of attacker utility through model-role separation and ensemble distillation (Zhang et al., 30 Aug 2025).

The paper’s broader implication is that defenses which evaluate only global robustness may overlook a stronger adversary class. FedThief remains effective under robust aggregation rules such as Median, Trimmed-Mean, Multi-Krum, and Bulyan, and the reported positive NN15 under those defenses indicates that a system can appear resistant in terms of aggregate convergence while still granting malicious participants a substantial competitive edge (Zhang et al., 30 Aug 2025). A plausible implication is that federated defenses should not measure success solely by final global accuracy or convergence stability; they may also need to monitor whether adversaries can privately outperform honest participants while manipulating shared training.

In that sense, FedThief marks a shift in how federated attacks are conceptualized. Rather than modeling the attacker as purely destructive, it models the attacker as economically or strategically rational: a participant who exploits the collaborative channel to damage competitors and simultaneously improve its own model. That reframing is its central contribution to the federated learning literature (Zhang et al., 30 Aug 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to FedThief.