# Attacks on Federated Learning Models
Summarised from "Federated Learning Attacks and Defenses: A Survey", Chen et al., 2022.

## Poisoning Attacks

### Data Poisoning
 - The attacker tampers with, or adds malicious samples to, the local training set; the updates trained on the poisoned data then gradually degrade (destroy) or hijack the global model.
 - Carried out by the owner of the private data, i.e. a malicious participant. The server never sees the poisoned samples themselves, only the updates computed from them.

### Model Poisoning
 - The attacker directly alters the parameters of the update it submits, rather than the data it trains on, causing errors in the global model or implanting a backdoor.
 - More efficient than data poisoning: the attacker controls the submitted update outright instead of influencing it indirectly through training data.
 - Perturbing the weights of a convolutional neural network in a targeted manner can be used to insert a backdoor.
 - Using existing bit-flipping techniques, the target model can be converted into a Trojan-infected model.
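
The two poisoning variants side by side, as an added example that is not code from the survey or from any of the papers it cites: a toy FedAvg loop with logistic regression on constructed 2-D data, five equally sized clients (an assumption), the last of which is malicious. With data poisoning it trains honestly on flipped labels; with model poisoning it ignores its data and submits a scaled update (model replacement) so that the server's average lands on a target of its choosing, here the sign-flipped global model.

```python
"""Added example (not from the survey): a toy FedAvg simulation contrasting
data poisoning (label flipping) with model poisoning (model replacement).
Logistic regression on constructed 2-D data, pure Python."""
import math
import random

N_CLIENTS = 5      # assumption: five equally sized clients, the last one malicious
LOCAL_EPOCHS = 5
LR = 0.1
ROUNDS = 10
SEED = 7


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(w, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)))


def make_data(rng, n_per_class):
    """Constructed toy data: class 0 around (-2, -2), class 1 around (2, 2); a
    constant 1.0 is appended so w[2] acts as the bias."""
    data = []
    for label, centre in ((0, -2.0), (1, 2.0)):
        for _ in range(n_per_class):
            data.append(([rng.gauss(centre, 1.0), rng.gauss(centre, 1.0), 1.0], label))
    rng.shuffle(data)
    return data


def local_train(w, data, epochs=LOCAL_EPOCHS, lr=LR):
    """Honest client: full-batch gradient descent on the logistic loss, starting
    from the current global weights."""
    w = list(w)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in data:
            err = predict_proba(w, x) - y
            for j, xj in enumerate(x):
                grad[j] += err * xj
        w = [wj - lr * gj / len(data) for wj, gj in zip(w, grad)]
    return w


def fedavg(models):
    """Server: plain parameter averaging (equal client weights)."""
    return [sum(col) / len(models) for col in zip(*models)]


def accuracy(w, data):
    return sum((predict_proba(w, x) >= 0.5) == (y == 1) for x, y in data) / len(data)


def log_loss(w, data):
    total = 0.0
    for x, y in data:
        p = min(max(predict_proba(w, x), 1e-9), 1.0 - 1e-9)
        total -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
    return total / len(data)


def run(attack):
    """attack: 'none', 'label_flip' (data poisoning) or 'model_replace' (model poisoning).
    Returns (test accuracy, test log-loss) of the final global model."""
    rng = random.Random(SEED)
    clients = [make_data(rng, 20) for _ in range(N_CLIENTS)]
    test = make_data(rng, 100)
    if attack == "label_flip":
        # Data poisoning: the malicious client trains honestly, but on flipped labels.
        clients[-1] = [(x, 1 - y) for x, y in clients[-1]]
    w_global = [0.0, 0.0, 0.0]
    for rnd in range(ROUNDS):
        models = [local_train(w_global, d) for d in clients]
        if attack == "model_replace" and rnd == ROUNDS - 1:
            # Model poisoning: in the last round the attacker ignores its data and
            # submits a scaled update so that the average becomes its chosen target
            # (here the sign-flipped global model). With n clients near convergence,
            # avg(honest) * (n-1)/n + (n*(target - g) + g)/n == target.
            w_target = [-g for g in w_global]
            models[-1] = [N_CLIENTS * (t - g) + g for t, g in zip(w_target, w_global)]
        w_global = fedavg(models)
    return accuracy(w_global, test), log_loss(w_global, test)


if __name__ == "__main__":
    for attack in ("none", "label_flip", "model_replace"):
        acc, loss = run(attack)
        print(f"{attack:14s} accuracy={acc:.3f} log-loss={loss:.3f}")
```

With one label-flipping client among five, the averaged model usually keeps the right decision direction and the damage shows up as a smaller margin (higher test loss) rather than a lower accuracy; a single model-replacement update flips the global model outright in one round. That asymmetry is what "more efficient" means in practice, and it is why defences that only inspect data quality on the client do nothing against the second variant.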

## Inference Attacks
 - Although the data transmitted from the client to the server is not the original data (it is model updates or gradients), there is still a risk of leakage.
 - In an inference attack the attacker uses eavesdropped updates, or query access to the model, to infer information about the training data to a certain extent, which breaks the confidentiality that participants expect for their data.
 - Typical approach (membership inference): train a model with similar functionality on a specified sample, then judge from the target model's behaviour on that sample whether it was used in the target model's training.
 - Studies have shown that this attack can infer the accent information of the training set in FL for speech recognition.

## Reconstruction Attacks
 - Unlike inference attacks, which reveal properties but not the raw data, reconstruction attacks recover the original training inputs by collecting information such as predicted confidence values, model parameters, and gradients.
 - A confidentiality attack.
 - First approach: with white-box access, the adversary can fit a linear model to estimate attribute information of the original data.
 - **Generative Adversarial Networks (GAN)**: attackers can obtain samples resembling those of other participants, and the process only requires black-box access.
 - **Deep Leakage from Gradients (DLG)**: the attacker recovers the original data by analysing the shared gradients, optimising dummy inputs until their gradients match the observed ones.
 - **Improved Deep Leakage from Gradients (iDLG)**: improves the accuracy of data recovery; the ground-truth label is extracted analytically from the last layer's gradient, so only the input has to be optimised.
 - **Inverting gradients**, building on DLG, broadened the attack to realistic industrial settings rather than being limited to the strong assumptions of low-resolution recovery and a shallow network.
 - **Generative Regression Neural Network (GRNN)**, based on GANs, restores the original training data without additional information; it is reported to be more robust and more accurate than the previous methods.
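
To make the gradient-leakage risk concrete, here is the analytic special case that sits underneath DLG-style attacks, as an added example that is not code from the survey or from the DLG/iDLG papers. For a fully connected softmax layer the per-sample gradient is `dL/dW[k] = (p_k - [k == y]) * x` and `dL/db[k] = p_k - [k == y]`, so a batch-size-1 update hands the server both the input (by division) and the label (the only negative bias gradient, which is the iDLG label trick). The layer weights, features and samples are constructed for the example.

```python
"""Added example (not from the survey or the cited papers): the analytic
special case behind gradient leakage. For a fully connected softmax layer the
per-sample gradient is dL/dW[k] = (p_k - [k == y]) * x and dL/db[k] = p_k - [k == y],
so a single-sample update hands the server x and y by simple division. Pure Python."""
import math

# Assumption: a 3-class softmax layer over 4 input features with these constructed weights.
W = [[0.5, -0.2, 0.1, 0.3],
     [-0.4, 0.6, 0.2, -0.1],
     [0.1, 0.3, -0.5, 0.7]]
B = [0.0, 0.1, -0.1]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def sample_gradient(x, y, W=W, b=B):
    """What an honest client computes for one (x, y): gradients of the
    cross-entropy loss w.r.t. the layer's weights and biases."""
    logits = [sum(wj * xj for wj, xj in zip(row, x)) + bk for row, bk in zip(W, b)]
    err = [pk - (1.0 if k == y else 0.0) for k, pk in enumerate(softmax(logits))]
    grad_w = [[ek * xj for xj in x] for ek in err]
    return grad_w, err  # err is exactly dL/db


def batch_gradient(samples, W=W, b=B):
    """Gradient averaged over a mini-batch, as a client would upload it."""
    grads = [sample_gradient(x, y, W, b) for x, y in samples]
    n = len(samples)
    grad_w = [[sum(g[0][k][j] for g in grads) / n for j in range(len(W[0]))] for k in range(len(W))]
    grad_b = [sum(g[1][k] for g in grads) / n for k in range(len(W))]
    return grad_w, grad_b


def invert_gradient(grad_w, grad_b):
    """Server-side reconstruction from an uploaded gradient.
    Label: only the true class has a negative bias gradient (p_y - 1 < 0); this is
    the iDLG label trick. Input: x_j = dL/dW[k][j] / dL/db[k] for any k whose bias
    gradient is non-zero. Exact for batch size 1; for a batch it returns a
    gradient-weighted mixture of the inputs instead, which is why DLG has to
    fall back to optimisation there."""
    label = min(range(len(grad_b)), key=lambda i: grad_b[i])
    k = max(range(len(grad_b)), key=lambda i: abs(grad_b[i]))
    if abs(grad_b[k]) < 1e-12:
        raise ValueError("no usable signal in the bias gradient")
    return [g / grad_b[k] for g in grad_w[k]], label


if __name__ == "__main__":
    x, y = [0.2, 0.9, 0.4, 0.1], 2   # constructed private sample
    print(invert_gradient(*sample_gradient(x, y)))    # recovers x and y exactly
    batch = [(x, y), ([0.8, 0.1, 0.6, 0.5], 0)]
    print(invert_gradient(*batch_gradient(batch)))    # only a mixture of the two
```

The practical reading: any deployment that lets clients upload single-sample (or tiny-batch) gradients of a model whose first layer is fully connected is leaking inputs outright, with no optimisation needed on the server side. Larger batches, secure aggregation or gradient noise are what turn this from exact recovery into the harder, noisier DLG setting.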

## Model Extraction Attack
 - Once FL has finished training, the global model is typically served to outsiders as an API. A user can then query the API repeatedly, collect the returned information about the target model, and finally extract (steal) the model.
 - Tramèr et al. first demonstrated that this attack is effective when the attacker has data from the same distribution as the model's training data and knows model-related information such as the model type.
 - Another proposed attack recovers the hyperparameters underlying the model.
 - Orekondy et al. proposed Knockoff Nets, with which attackers steal a model from the confidence values returned by the API; the stealing effect is positively correlated with the complexity of the target model.
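
The simplest concrete instance of extraction, as an added example (not the survey's code, and not Tramèr et al.'s implementation): the equation-solving attack on a logistic-regression API that returns a confidence value. Each query yields one linear equation `ln(p / (1 - p)) = w.x + b` in the `d + 1` unknown parameters, so `d + 1` queries recover them exactly. The victim's secret parameters are constructed for the example.

```python
"""Added example (not from the survey or Tramèr et al.'s code): the equation-solving
flavour of model extraction against a logistic-regression API that returns a
confidence value. Each query gives one linear equation in the d+1 unknown
parameters, so d+1 queries suffice. Pure Python."""
import math
import random

# Assumption: the victim is a logistic regression with these constructed, secret parameters.
SECRET_W = [1.5, -2.0, 0.7]
SECRET_B = 0.3


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def victim_api(x, w=SECRET_W, b=SECRET_B):
    """The only thing the attacker can call: returns P(y=1 | x) as a float."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def solve_linear(A, rhs):
    """Gaussian elimination with partial pivoting for a square system A theta = rhs."""
    n = len(A)
    M = [row[:] + [r] for row, r in zip(A, rhs)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    theta = [0.0] * n
    for r in range(n - 1, -1, -1):
        theta[r] = (M[r][n] - sum(M[r][c] * theta[c] for c in range(r + 1, n))) / M[r][r]
    return theta


def extract_logistic(api, dim, seed=0):
    """Query dim+1 random points, turn each confidence into a logit
    ln(p / (1-p)) = w.x + b, and solve the linear system for (w, b)."""
    rng = random.Random(seed)
    rows, logits = [], []
    for _ in range(dim + 1):
        # Moderate inputs keep p away from 0/1, where the logit loses float precision.
        x = [rng.uniform(-1.0, 1.0) for _ in range(dim)]
        p = api(x)
        rows.append(x + [1.0])
        logits.append(math.log(p / (1.0 - p)))
    theta = solve_linear(rows, logits)
    return theta[:dim], theta[dim]


def fidelity(api, w, b, n=1000, seed=1):
    """Fraction of fresh inputs on which the stolen model agrees with the API's label."""
    rng = random.Random(seed)
    agree = 0
    for _ in range(n):
        x = [rng.uniform(-2.0, 2.0) for _ in range(len(w))]
        stolen = sum(wi * xi for wi, xi in zip(w, x)) + b >= 0.0
        agree += stolen == (api(x) >= 0.5)
    return agree / n


if __name__ == "__main__":
    w, b = extract_logistic(victim_api, dim=len(SECRET_W))
    print("stolen w:", [round(v, 6) for v in w], "b:", round(b, 6))
    print("label agreement on fresh inputs:", fidelity(victim_api, w, b))
```

The defence-side lesson is the one the survey's Knockoff Nets entry hints at: the confidence value is the leak. Returning only the label (or rounded confidences) turns this `d + 1` query attack into a far more expensive search, and query-rate limits and anomaly detection on the input distribution raise the cost further.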

## Evasion Attacks (seems interesting)

 - In an evasion attack the attacker deceives the target machine learning system by constructing specific input samples (adversarial examples), without changing the target system itself.
 - Usually occurs in the prediction phase, after the model has finished training.
 - The effect can be summarised as the model being pushed from the correct answer "A" to the wrong answer "B".
 - Evasion is an integrity attack, since the model's output is spoofed.
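
An added example of the attack on the smallest model where it can be worked by hand (not code from the survey): a logistic-regression classifier that the attacker cannot modify. Because the model is linear, the loss gradient with respect to the input is `(p - y) * w`, an FGSM-style L-infinity step moves every feature by `eps` in the direction `sign((p - y) * w_j)`, and the smallest budget that can cross the decision boundary is exactly `|w.x + b| / ||w||_1`. The classifier parameters and the benign input are constructed.

```python
"""Added example (not from the survey): evasion against a trained logistic-regression
classifier that the attacker leaves untouched. For a linear model the loss gradient
w.r.t. the input is (p - y) * w, so an FGSM-style L-infinity step moves every feature
by eps in the direction sign((p - y) * w_j); the smallest eps that can cross the
boundary is |w.x + b| / ||w||_1. Pure Python."""
import math

# Assumption: constructed, already-trained classifier parameters.
W = [2.0, -1.0, 0.5]
B = -0.2


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def score(x, w=W, b=B):
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def predict(x, w=W, b=B):
    return 1 if score(x, w, b) >= 0.0 else 0


def sign(v):
    return (v > 0) - (v < 0)


def fgsm_linear(x, y, eps, w=W, b=B):
    """One-step adversarial example: x + eps * sign(dL/dx) with dL/dx = (p - y) * w.
    y is the true label; the step increases the loss, i.e. pushes away from y."""
    err = sigmoid(score(x, w, b)) - y
    return [xi + eps * sign(err * wi) for xi, wi in zip(x, w)]


def min_linf_budget(x, w=W, b=B):
    """Exact minimum L-infinity perturbation that flips a linear model's decision:
    the score changes by at most eps * ||w||_1, so it must cover |w.x + b|."""
    return abs(score(x, w, b)) / sum(abs(wi) for wi in w)


if __name__ == "__main__":
    x, y = [0.5, 0.1, 0.3], 1          # constructed benign input, correctly classified as 1
    eps_star = min_linf_budget(x)
    print("budget needed:", round(eps_star, 4))
    print("below budget:", predict(fgsm_linear(x, y, 0.9 * eps_star)))   # still 1
    print("above budget:", predict(fgsm_linear(x, y, 1.1 * eps_star)))   # now 0
```

The same sign-of-gradient step is what FGSM does against deep networks; there the gradient is only a local linear approximation, so the budget formula becomes a lower bound rather than an exact threshold, and iterative variants take several smaller steps.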

## Byzantine Attacks
 - In a Byzantine attack the attacker hides among the FL participants and uploads arbitrary malicious updates, aiming to corrupt the global model.
 - To deal with this attack, stochastic gradient descent (SGD) is commonly combined with robust aggregation rules in place of the plain average.
 - Along the same lines, it has been shown that poisoning the local models can give the global model a large test error rate.
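
What a single Byzantine upload does to plain averaging, and how three standard robust aggregation rules contain it, as an added example that is not code from the survey or from the papers that introduced those rules. The updates are constructed 2-D gradient vectors: six honest clients clustered around the true mean and one client sending an arbitrary, huge vector.

```python
"""Added example (not from the survey): a Byzantine client against plain averaging,
and three standard robust aggregation rules (coordinate-wise median, coordinate-wise
trimmed mean, Krum) that bound its influence. Updates are constructed 2-D gradient
vectors; pure Python."""

# Constructed round: six honest updates clustered around (1.0, -0.5) and one
# Byzantine client uploading an arbitrary, huge update.
HONEST = [[1.0, -0.5], [1.1, -0.4], [0.9, -0.6], [1.05, -0.45], [0.95, -0.55], [1.0, -0.5]]
BYZANTINE = [[1000.0, -1000.0]]
TRUE_CENTRE = [1.0, -0.5]


def mean_agg(updates):
    """Plain FedAvg/SGD averaging: one attacker can move the result arbitrarily far."""
    return [sum(col) / len(updates) for col in zip(*updates)]


def median_agg(updates):
    """Coordinate-wise median: stays within the honest range while honest clients are a majority."""
    out = []
    for col in zip(*updates):
        s = sorted(col)
        n = len(s)
        out.append(s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2.0)
    return out


def trimmed_mean_agg(updates, trim):
    """Coordinate-wise trimmed mean: drop the `trim` largest and smallest values per
    coordinate, then average. Requires 2 * trim < number of clients."""
    out = []
    for col in zip(*updates):
        s = sorted(col)[trim:len(col) - trim]
        out.append(sum(s) / len(s))
    return out


def krum_agg(updates, f):
    """Krum: select the single update with the smallest summed squared distance to its
    n-f-2 nearest neighbours; an outlier far from everyone is never chosen.
    Requires n > 2f + 2."""
    n = len(updates)
    k = n - f - 2

    def sq_dist(a, b):
        return sum((ai - bi) ** 2 for ai, bi in zip(a, b))

    scores = []
    for i, u in enumerate(updates):
        dists = sorted(sq_dist(u, v) for j, v in enumerate(updates) if j != i)
        scores.append(sum(dists[:k]))
    return updates[min(range(n), key=lambda i: scores[i])]


def distance_to_centre(agg, centre=TRUE_CENTRE):
    """Max-coordinate error of an aggregate against the honest mean."""
    return max(abs(a - c) for a, c in zip(agg, centre))


if __name__ == "__main__":
    updates = HONEST + BYZANTINE
    for name, agg in (("mean", mean_agg(updates)), ("median", median_agg(updates)),
                      ("trimmed mean", trimmed_mean_agg(updates, 1)), ("krum", krum_agg(updates, 1))):
        print(f"{name:13s} {agg}  error={distance_to_centre(agg):.3f}")
```

Two caveats a practitioner should keep in mind: every one of these rules assumes an honest majority (and, for Krum, a known bound `f` on the number of attackers), and they defend against updates that are statistical outliers. A model-poisoning client that keeps its update inside the honest distribution, as in the backdoor attacks discussed above, is exactly the case they are weakest against.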