GuardFed: A Trustworthy Federated Learning Framework Against Dual-Facet Attacks
Yanli Li, Yanan Zhou, Zhongliang Guo, Nan Yang, Yuning Zhang, Huaming Chen, Dong Yuan, Weiping Ding, Witold Pedrycz

TL;DR
This paper introduces a new dual-facet attack model on federated learning that simultaneously harms model accuracy and fairness, and proposes GuardFed, a defense framework that effectively mitigates these attacks while maintaining both utility and fairness.
Contribution
The paper presents the Dual-Facet Attack (DFA) model and the GuardFed defense framework, addressing the gap in defending against attacks that target both utility and fairness in federated learning.
Findings
GuardFed effectively defends against dual-facet attacks.
It maintains high accuracy and fairness under diverse adversarial conditions.
Existing defenses are insufficient against the proposed DFA models.
Abstract
Federated learning (FL) enables privacy-preserving collaborative model training but remains vulnerable to adversarial behaviors that compromise model utility or fairness across sensitive groups. While extensive studies have examined attacks targeting either objective, strategies that simultaneously degrade both utility and fairness remain largely unexplored. To bridge this gap, we introduce the Dual-Facet Attack (DFA), a novel threat model that concurrently undermines predictive accuracy and group fairness. Two variants, Synchronous DFA (S-DFA) and Split DFA (Sp-DFA), are further proposed to capture distinct real-world collusion scenarios. Experimental results show that existing robust FL defenses, including hybrid aggregation schemes, fail to resist DFAs effectively. To counter these threats, we propose GuardFed, a self-adaptive defense framework that maintains a fairness-aware…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Ethics and Social Impacts of AI
