ML Security PapersUnveiling the Security Risks of Federated Learning in the Wild: From Research to Practice
Jiahao Chen 1, Zhiming Zhao 1, Yuwen Pu 2, Chunyi Zhou 1, Zhou Feng 1, Songze Li 3, Shouling Ji 1
Published on arXiv
2603.20615
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
Under practical settings, FL poisoning attacks show markedly reduced effectiveness and stability compared to idealized evaluations, with several strong attacks losing effectiveness or causing benign-task degradation
TFLlib
Novel technique introduced
Federated learning (FL) has attracted substantial attention in both academia and industry, yet its practical security posture remains poorly understood. In particular, a large body of poisoning research is evaluated under idealized assumptions about attacker participation, client homogeneity, and success metrics, which can substantially distort how security risks are perceived in deployed FL systems. This paper revisits FL security from a measurement perspective. We systematize three major sources of mismatch between research and practice: unrealistic poisoning threat models, the omission of hybrid heterogeneity, and incomplete metrics that overemphasize peak attack success while ignoring stability and utility cost. To study these gaps, we build TFLlib, a uniform evaluation framework that supports image, text, and tabular FL tasks and re-implements representative poisoning attacks under practical settings. Our empirical study shows that idealized evaluation often overstates security risk. Under practical settings, attack performance becomes markedly more dataset-dependent and unstable, and several attacks that appear consistently strong in idealized FL lose effectiveness or incur clear benign-task degradation once practical constraints are enforced. These findings further show that final-round attack success alone is insufficient for security assessment; practical measurement must jointly consider effectiveness, temporal stability, and collateral utility loss. Overall, this work argues that many conclusions in the FL poisoning literature are not directly transferable to real deployments. By tightening the threat model and using measurement protocols aligned with practice, we provide a more realistic view of the security risks faced by contemporary FL systems and distill concrete guidance for future FL security evaluation. Our code is available at https://github.com/xaddwell/TFLlib
Key Contributions
- TFLlib: unified evaluation framework for FL poisoning attacks across image, text, and tabular tasks
- Systematization of three major research-practice gaps: unrealistic threat models, omission of heterogeneity, and incomplete metrics
- Empirical evidence that idealized evaluation overstates FL security risks, with attacks becoming dataset-dependent and unstable under practical constraints
🛡️ Threat Analysis
Primary focus on data poisoning attacks in federated learning, evaluating how malicious clients can corrupt the global model through poisoned training data under realistic threat models.