ML Security PapersFedThief: Harming Others to Benefit Oneself in Self-Centered Federated Learning
Published on arXiv
2509.00540
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
FedThief degrades global model performance while enabling the attacker's ensemble model to significantly outperform the global model, providing a net competitive advantage over honest FL participants.
FedThief
Novel technique introduced
In federated learning, participants' uploaded model updates cannot be directly verified, leaving the system vulnerable to malicious attacks. Existing attack strategies have adversaries upload tampered model updates to degrade the global model's performance. However, attackers also degrade their own private models, gaining no advantage. In real-world scenarios, attackers are driven by self-centered motives: their goal is to gain a competitive advantage by developing a model that outperforms those of other participants, not merely to cause disruption. In this paper, we study a novel Self-Centered Federated Learning (SCFL) attack paradigm, in which attackers not only degrade the performance of the global model through attacks but also enhance their own models within the federated learning process. We propose a framework named FedThief, which degrades the performance of the global model by uploading modified content during the upload stage. At the same time, it enhances the private model's performance through divergence-aware ensemble techniques, where "divergence" quantifies the deviation between private and global models, that integrate global updates and local knowledge. Extensive experiments show that our method effectively degrades the global model performance while allowing the attacker to obtain an ensemble model that significantly outperforms the global model.
Key Contributions
- Introduces the Self-Centered Federated Learning (SCFL) attack paradigm, where the adversary both degrades the global model and improves their own private model simultaneously
- Proposes FedThief, which uploads modified updates to harm global model performance while using divergence-aware ensemble techniques to combine global updates with local knowledge for private model enhancement
- Demonstrates that an attacker can obtain a private ensemble model that significantly outperforms the global model, achieving a net competitive advantage over honest participants
🛡️ Threat Analysis
FedThief is a Byzantine attack in federated learning where a malicious participant uploads tampered model updates to degrade the global model's performance — exactly the threat profile described under ML02 for Byzantine FL attacks. The novel 'self-centered' angle (using divergence-aware ensembling to also benefit the attacker's private model) does not map to a separate OWASP category; the core attack vector remains malicious model update injection.