Federated learning (FL) is a distributed machine learning paradigm that trains a model on data that stays decentralized across clients. Research on securing FL against poisoning attacks is hard to compare because different papers make different assumptions about the capabilities of adversaries and the adversary models under which they operate. Our work aims to resolve this confusion by presenting a comprehensive analysis of the poisoning attacks and defensive aggregation rules (AGRs) proposed in the literature, and connecting them under a common framework. To connect existing adversary models, we present a hybrid adversary model that lies in the middle of the spectrum of adversaries: the adversary compromises a few clients, trains a generative model (e.g., a DDPM) on their compromised samples, and uses the synthetic data it generates to solve an optimization for a stronger (e.g., cheaper, more practical) attack against different robust aggregation rules. By presenting the spectrum of FL adversaries, we aim to give practitioners and researchers a clear understanding of the threats they need to consider when designing FL systems, and to identify areas where further research is needed.
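The hybrid adversary described above can be made concrete with a toy FL round. The following is an added example, not code from the paper: it simulates benign clients submitting noisy gradient updates, a handful of compromised clients, and three aggregation rules (plain mean, coordinate-wise median, trimmed mean). The generative model and the attack optimization are stood in for by assumptions of ours: the adversary estimates the benign update distribution from the compromised clients' own updates, samples "synthetic" benign updates from that estimate, and grid-searches a scale `gamma` for a malicious update of the form `mean - gamma * std` that maximizes the shift of the targeted AGR's output. All client data is constructed inline; `DIM`, `N_CLIENTS`, `N_MALICIOUS` and `GAMMA_GRID` are illustrative parameters.

```python
"""Toy FL round: benign clients, a few compromised clients, and an AGR-aware
model-poisoning attack. Constructed illustration, not the paper's code."""
import random
import statistics

DIM = 8             # model dimension (tiny, for illustration; assumption)
N_CLIENTS = 20      # total clients per round (assumption)
N_MALICIOUS = 4     # clients the adversary has compromised (assumption)
GAMMA_GRID = [0.5, 1.0, 2.0, 5.0, 10.0, 20.0]   # attack scales to search (assumption)


def make_benign_updates(n, dim, rng, true_grad=1.0, noise=0.5):
    """Benign updates: a shared true gradient plus per-client Gaussian noise (constructed)."""
    return [[true_grad + rng.gauss(0.0, noise) for _ in range(dim)] for _ in range(n)]


def agr_mean(updates):
    """Plain averaging (FedAvg-style); no robustness to outliers."""
    return [sum(u[j] for u in updates) / len(updates) for j in range(len(updates[0]))]


def agr_median(updates):
    """Coordinate-wise median."""
    return [statistics.median(u[j] for u in updates) for j in range(len(updates[0]))]


def agr_trimmed_mean(updates, trim):
    """Coordinate-wise trimmed mean: drop `trim` smallest and largest values per coordinate."""
    out = []
    for j in range(len(updates[0])):
        col = sorted(u[j] for u in updates)[trim:len(updates) - trim]
        out.append(sum(col) / len(col))
    return out


def l2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def craft_attack(compromised, agr, n_total, rng, gamma_grid=GAMMA_GRID):
    """Hybrid adversary (our simplified stand-in for the paper's model).

    1. Estimate the benign update distribution from the compromised clients' data.
    2. Sample synthetic benign updates from that estimate (stand-in for training a
       generative model and sampling from it).
    3. Search gamma so that the malicious vector est_mean - gamma*est_std moves the
       targeted AGR's output as far as possible on the attacker's simulated round.
    """
    dim = len(compromised[0])
    n_mal = len(compromised)
    est_mean = agr_mean(compromised)
    est_std = [statistics.pstdev([u[j] for u in compromised]) for j in range(dim)]
    synthetic = [[rng.gauss(est_mean[j], est_std[j]) for j in range(dim)]
                 for _ in range(n_total - n_mal)]
    best_gamma, best_dev, best_vec = None, -1.0, None
    for gamma in gamma_grid:
        mal = [est_mean[j] - gamma * est_std[j] for j in range(dim)]
        dev = l2(agr(synthetic + [mal] * n_mal), est_mean)
        if dev > best_dev:
            best_gamma, best_dev, best_vec = gamma, dev, mal
    return best_gamma, best_vec


def run_round(agr, seed=7):
    """Return (chosen gamma, L2 shift of the aggregate caused by the attack)."""
    rng = random.Random(seed)
    honest = make_benign_updates(N_CLIENTS, DIM, rng)
    compromised, benign = honest[:N_MALICIOUS], honest[N_MALICIOUS:]
    gamma, mal = craft_attack(compromised, agr, N_CLIENTS, rng)
    clean = agr(honest)                               # server output with no attack
    attacked = agr(benign + [mal] * N_MALICIOUS)      # compromised clients submit `mal`
    return gamma, l2(attacked, clean)


AGRS = {
    "mean": agr_mean,
    "median": agr_median,
    "trimmed_mean": lambda u: agr_trimmed_mean(u, N_MALICIOUS),
}

if __name__ == "__main__":
    for name, agr in AGRS.items():
        gamma, shift = run_round(agr)
        print(f"{name:12s} chosen gamma={gamma:5.1f}  aggregate shift={shift:.3f}")
```

Against the plain mean the search always picks the largest scale, because the aggregate moves linearly with `gamma` and nothing filters the outlier; against the median and trimmed mean the shift saturates once the malicious vectors fall outside the benign spread, which is exactly the bounded-but-nonzero damage that AGR-tailored attacks in the literature try to maximize. Swapping in a real generative model, a richer attack template, or other AGRs such as Krum changes the numbers, not the structure of the experiment.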