FedFG: Privacy-Preserving and Robust Federated Learning via Flow-Matching Generation

TL;DR

FedFG introduces a flow-matching generation-based federated learning framework that enhances privacy and robustness against poisoning attacks while maintaining high accuracy.

Contribution

The paper proposes a novel federated learning method using flow-matching generators to protect privacy and improve robustness against attacks.

Findings

Achieves higher accuracy compared to prior methods.

Effectively resists multiple poisoning attack strategies.

Maintains strong privacy protections for clients.

Abstract

Federated learning (FL) enables distributed clients to collaboratively train a global model using local private data. Nevertheless, recent studies show that conventional FL algorithms still exhibit deficiencies in privacy protection, and the server lacks a reliable and stable aggregation rule for updating the global model. This situation creates opportunities for adversaries: on the one hand, they may eavesdrop on uploaded gradients or model parameters, potentially leaking benign clients' private data; on the other hand, they may compromise clients to launch poisoning attacks that corrupt the global model. To balance accuracy and security, we propose FedFG, a robust FL framework based on flow-matching generation that simultaneously preserves client privacy and resists sophisticated poisoning attacks. On the client side, each local network is decoupled into a private feature extractor and a public classifier. Each client is further equipped with a flow-matching generator that replaces the extractor when interacting with the server, thereby protecting private features while learning an approximation of the underlying data distribution. Complementing the client-side design, the server employs a client-update verification scheme and a novel robust aggregation mechanism driven by synthetic samples produced by the flow-matching generator. Experiments on MNIST, FMNIST, and CIFAR-10 demonstrate that, compared with prior work, our approach adapts to multiple attack strategies and achieves higher accuracy while maintaining strong privacy protection.