On the Security and Privacy of Federated Learning: A Survey with Attacks, Defenses, Frameworks, Applications, and Future Directions
Daniel M. Jimenez-Gutierrez , Yelizaveta Falkouskaya , Jose L. Hernandez-Ramos , Aris Anagnostopoulos , Ioannis Chatzigiannakis , Andrea Vitaletti
Published on arXiv: 2508.13730
Threat tags (OWASP ML Top 10):
- Data Poisoning Attack — ML02
- Model Poisoning — ML10
- Model Inversion Attack — ML03
Key Finding
Identifies non-IID data distribution and the privacy-security-utility trade-off as the most critical open challenges limiting practical deployment of secure FL systems.
Federated Learning (FL) is an emerging distributed machine learning paradigm enabling multiple clients to train a global model collaboratively without sharing their raw data. While FL enhances data privacy by design, it remains vulnerable to various security and privacy threats. This survey provides a comprehensive overview of more than 200 papers regarding the state-of-the-art attacks and defense mechanisms developed to address these challenges, categorizing them into security-enhancing and privacy-preserving techniques. Security-enhancing methods aim to improve FL robustness against malicious behaviors such as Byzantine attacks, poisoning, and Sybil attacks. At the same time, privacy-preserving techniques focus on protecting sensitive data through cryptographic approaches, differential privacy, and secure aggregation. We critically analyze the strengths and limitations of existing methods, highlight the trade-offs between privacy, security, and model performance, and discuss the implications of non-IID data distributions on the effectiveness of these defenses. Furthermore, we identify open research challenges and future directions, including the need for scalable, adaptive, and energy-efficient solutions operating in dynamic and heterogeneous FL environments. Our survey aims to guide researchers and practitioners in developing robust and privacy-preserving FL systems, fostering advances that safeguard the integrity and confidentiality of collaborative learning frameworks.
Key Contributions
- Comprehensive taxonomy of 200+ FL attack and defense papers, categorized into security-enhancing (Byzantine robustness, poisoning, Sybil) and privacy-preserving (DP, secure aggregation, cryptographic) techniques
- Critical analysis of trade-offs between privacy, security, and model utility under non-IID data distributions
- Survey of FL frameworks, real-world applications, and open research challenges including scalability and energy efficiency in heterogeneous environments
🛡️ Threat Analysis
- Extensively covers Byzantine attacks and data/model poisoning in FL — malicious clients corrupting the global model — along with robust aggregation defenses (a primary focus of the security section).
- The privacy section covers gradient leakage/inversion attacks and defenses, including secure aggregation and differential privacy, aimed specifically at preventing reconstruction of participants' training data from shared gradients.
- FL backdoor/trojan attacks are a standard topic in FL security surveys; poisoning that implants trigger-based hidden behavior is distinct from general Byzantine degradation and warrants its own tag.