pith. sign in

arxiv: 2605.02110 · v1 · submitted 2026-05-04 · 💻 cs.LG · cs.CR

Adversarial Update-Based Federated Unlearning for Poisoned Model Recovery

Wenwei Zhao , Xiaowen Li , Yao Liu , Zhuo Lu This is my paper

Pith reviewed 2026-05-09 16:59 UTC · model grok-4.3

classification 💻 cs.LG cs.CR
keywords federated learningmodel unlearningpoisoning attacksadversarial optimizationmodel recoveryfederated unlearning
0
0 comments X

The pith

Federated adversarial unlearning recovers poisoned models by deriving corrective updates from a short window of malicious gradients via proxy optimization.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Federated Adversarial Unlearning (FAUN) to fix global models damaged by poisoning attacks in federated learning without full retraining. It retains only recent malicious client updates and runs adversarial optimization on a proxy dataset to produce updates that cancel out the poison directions. These updates are applied for a small number of rounds, then followed by standard fine-tuning on clean data. Experiments across three standard datasets show the recovered model reaches accuracy levels comparable to retraining from scratch, uses far fewer rounds, and brings attack success rates to near zero.

Core claim

FAUN retains a short window of malicious clients' updates and employs adversarial optimization on a proxy dataset to derive updates that eliminate malicious directions. Applying these updates for a few unlearning rounds, followed by benign fine-tuning, enables fast removal of malicious effects and stable recovery comparable to retraining while requiring far fewer rounds and reducing attack success rates to near zero.

What carries the argument

Adversarial optimization on a proxy dataset to generate corrective updates that oppose retained malicious client directions.

If this is right

  • Model performance recovers to levels comparable with full retraining from scratch.
  • The number of communication rounds needed for recovery drops substantially.
  • Attack success rates fall to near zero after the unlearning process.
  • Storage is limited to a short window of past updates rather than the full history.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The method assumes access to an unpoisoned proxy dataset that may not always be available in real federated deployments.
  • It could extend to ongoing unlearning requests over time by dynamically adjusting the update window.
  • Similar adversarial update generation might address other removal tasks such as privacy-based client data deletion.

Load-bearing premise

Adversarial optimization on a proxy dataset reliably produces updates that remove malicious influences without degrading performance on clean data.

What would settle it

If the model accuracy after the unlearning rounds and benign fine-tuning fails to match the accuracy from retraining on clean data, or if attack success rates remain substantially above zero.

read the original abstract

Federated learning (FL) is vulnerable to poisoning attacks, where malicious clients upload manipulated updates to degrade the performance of the global model. Although detection methods can identify and remove malicious clients, the model remains affected. Retraining from scratch is effective but costly, and existing unlearning methods remain unsatisfactory in both effectiveness and efficiency. We propose Federated Adversarial Unlearning (FAUN), a lightweight framework that retains only a short window of malicious clients' updates and employs adversarial optimization on a proxy dataset to derive updates that eliminate malicious directions. Applying these updates for a few unlearning rounds, followed by benign fine-tuning, enables fast removal of malicious effects and stable recovery. Experiments on three canonical datasets show that FAUN achieves recovery comparable to retraining while requiring far fewer rounds and reduces attack success rates to near zero, confirming FAUN successfully eliminates the contributions of unlearned clients.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript proposes Federated Adversarial Unlearning (FAUN), a lightweight framework for recovering from poisoning attacks in federated learning. It retains only a short window of malicious client updates, applies adversarial optimization on a proxy dataset to derive corrective updates that eliminate malicious directions, performs a few unlearning rounds, and follows with benign fine-tuning. Experiments on three canonical datasets are claimed to show recovery performance comparable to full retraining from scratch, but with far fewer communication rounds, and attack success rates reduced to near zero.

Significance. If the empirical claims hold under rigorous validation, FAUN would offer a practical efficiency gain over retraining for poisoned model recovery in FL, addressing both effectiveness and communication cost limitations of prior unlearning approaches. The framework's reliance on a short update window and proxy-based adversarial optimization could make unlearning more deployable in resource-constrained settings, provided the proxy assumption generalizes.

major comments (3)
  1. [§3] §3 (Method description): The central mechanism derives corrective updates via adversarial optimization on a proxy dataset to cancel poison-induced directions. No analysis or guarantee is provided that this process preserves benign performance when the proxy distribution differs from the true client data (e.g., class imbalance or feature shift), which is load-bearing for the claim of stable recovery without side effects.
  2. [§4] §4 (Experiments): The headline results (recovery comparable to retraining, near-zero ASR, fewer rounds) are reported only on canonical datasets where proxy construction is straightforward. No ablation studies on proxy mismatch are described, leaving the weakest assumption untested and undermining generalizability of the empirical validation.
  3. [§4] §4 (Experiments): The abstract and method claim experimental success but the provided details omit baselines, exact metrics, error bars, attack model specifications, and statistical significance tests. This prevents assessment of whether the reported gains are robust or merely artifacts of the chosen setup.
minor comments (2)
  1. [§3.2] Notation for the proxy dataset and adversarial loss could be clarified with explicit definitions to avoid ambiguity in the optimization step.
  2. [§2] The related work section should include more recent federated unlearning references for completeness.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive comments. We address each major point below and describe the revisions we will incorporate to improve the manuscript's rigor and clarity.

read point-by-point responses

  1. Referee: [§3] §3 (Method description): The central mechanism derives corrective updates via adversarial optimization on a proxy dataset to cancel poison-induced directions. No analysis or guarantee is provided that this process preserves benign performance when the proxy distribution differs from the true client data (e.g., class imbalance or feature shift), which is load-bearing for the claim of stable recovery without side effects.

    Authors: We agree that a formal analysis or guarantee on benign performance preservation under proxy mismatches would strengthen the claims. The manuscript emphasizes empirical results on standard setups but lacks explicit discussion of distribution shift assumptions. In revision, we will add a dedicated subsection on proxy assumptions, potential limitations from mismatches, and supporting sensitivity analysis. revision: partial

  2. Referee: [§4] §4 (Experiments): The headline results (recovery comparable to retraining, near-zero ASR, fewer rounds) are reported only on canonical datasets where proxy construction is straightforward. No ablation studies on proxy mismatch are described, leaving the weakest assumption untested and undermining generalizability of the empirical validation.

    Authors: We acknowledge the absence of ablations testing proxy mismatches. To address this directly, the revised manuscript will include new ablation experiments that systematically vary proxy characteristics (e.g., class imbalance and feature shifts) and report their impact on recovery performance and attack success rate. revision: yes

  3. Referee: [§4] §4 (Experiments): The abstract and method claim experimental success but the provided details omit baselines, exact metrics, error bars, attack model specifications, and statistical significance tests. This prevents assessment of whether the reported gains are robust or merely artifacts of the chosen setup.

    Authors: We apologize for the insufficient detail in the experimental reporting. The revised version will expand the experiments section to include complete baseline descriptions, exact metric definitions, error bars across repeated runs, full attack model specifications, and statistical significance testing results. revision: yes

Circularity Check

0 steps flagged

No significant circularity; empirical method with external experimental validation

full rationale

The paper proposes an empirical federated unlearning framework (FAUN) that retains a short window of malicious updates and applies adversarial optimization on a proxy dataset, followed by benign fine-tuning. No mathematical derivations, equations, or first-principles predictions are presented that reduce any claimed result to its inputs by construction. The central claims of recovery comparable to retraining and near-zero attack success rates are supported solely by experiments on three canonical datasets, with no self-definitional steps, fitted parameters renamed as predictions, or load-bearing self-citations. The approach is self-contained against external benchmarks via direct empirical comparison, consistent with a non-circular empirical contribution.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim rests on the assumption that adversarial optimization can isolate and cancel malicious update directions using only a proxy dataset and recent malicious updates. No free parameters are explicitly named in the abstract. The method introduces the FAUN framework as a new entity.

axioms (1)
  • domain assumption Malicious effects from poisoning can be removed by deriving and applying corrective updates via adversarial optimization on a proxy dataset.
    This is the core premise enabling the unlearning step without full retraining.
invented entities (1)
  • FAUN framework no independent evidence
    purpose: Lightweight unlearning of poisoned updates in federated learning
    New method proposed to retain short window of malicious updates and perform adversarial optimization.

pith-pipeline@v0.9.0 · 5447 in / 1293 out tokens · 31464 ms · 2026-05-09T16:59:44.355190+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

30 extracted references · 30 canonical work pages · 1 internal anchor

  1. [1]

    INTRODUCTION Federated learning (FL) has emerged as a promising paradigm that enables collaborative model training across distributed clients without exposing their raw data[1]. However, the decentralized nature of FL also makes it highly vulnerable to poisoning attacks[2, 3, 4], where malicious clients delib- erately manipulate their local updates to deg...

    work page internal anchor Pith review Pith/arXiv arXiv 2026

  2. [2]

    Federated Learning (FL) and poisoning attack We consider a federated learning (FL) system with a client setC={1,

    PRELIMINARIES 2.1. Federated Learning (FL) and poisoning attack We consider a federated learning (FL) system with a client setC={1, . . . , n}. At thet-th training round, the global model is denoted byw t ∈R d. Each clienti∈ Ctrains on its local datasetD i and computes the local gradient update gt i =∇ wt L(wt;D i), whereLis the empirical loss func- tion....

    work page

  3. [3]

    Our method FAUN exploits the server’s ability to store historical client updates and to utilize a small proxy dataset for adversarial optimiza- tion

    METHODOLOGY We propose an adversarial update-based federated unlearning framework that efficiently removes the influence of malicious clients from a poisoned global model. Our method FAUN exploits the server’s ability to store historical client updates and to utilize a small proxy dataset for adversarial optimiza- tion. The key idea is to approximate and ...

    work page

  4. [4]

    Experiment Setups Datasets and model architectures:We conduct experiments on three datasets: MNIST [19], CIFAR-10 [20], and AG News [21]

    EXPERIMENTS 4.1. Experiment Setups Datasets and model architectures:We conduct experiments on three datasets: MNIST [19], CIFAR-10 [20], and AG News [21]. MNIST and CIFAR-10 are 10-class image bench- marks, while AG News is a 4-class text classification dataset. We use a lightweight CNN [22] for MNIST, ResNet-18 [23] for CIFAR-10, and FastText [24] for AG...

    work page

  5. [5]

    FAUN constructs adversarial updates from a short window of malicious clients’ updates and a small proxy dataset to capture and eliminate worst-case malicious directions

    CONCLUSION We introduced Federated Adversarial Unlearning (FAUN), a method for recovering federated learning models after poi- soning attacks. FAUN constructs adversarial updates from a short window of malicious clients’ updates and a small proxy dataset to capture and eliminate worst-case malicious directions. Limiting adversarial elimination to a few ro...

    work page

  6. [6]

    Federated learning: Challenges, methods, and future directions,

    Tian Li, Anit Kumar Sahu, Ameet Talwalkar, and Vir- ginia Smith, “Federated learning: Challenges, methods, and future directions,”IEEE Signal Process. Mag., vol. 37, no. 3, pp. 50–60, 2020

    work page 2020

  7. [7]

    Local model poisoning attacks to byzantine- robust federated learning,

    Minghong Fang, Xiaoyu Cao, Jinyuan Jia, and Neil Gong, “Local model poisoning attacks to byzantine- robust federated learning,” inUSENIX Security, 2020, pp. 1605–1622

    work page 2020

  8. [8]

    A little is enough: Circumventing defenses for distributed learning,

    Gilad Baruch, Moran Baruch, and Yoav Goldberg, “A little is enough: Circumventing defenses for distributed learning,”NeurIPS, vol. 32, 2019

    work page 2019

  9. [9]

    Mpaf: Model poisoning attacks to federated learning based on fake clients,

    Xiaoyu Cao and Neil Zhenqiang Gong, “Mpaf: Model poisoning attacks to federated learning based on fake clients,” inCVPR, 2022, pp. 3396–3404

    work page 2022

  10. [10]

    Fldetector: Defending federated learning against model poisoning attacks via detecting malicious clients,

    Z. Zhang, X. Cao, J. Jia, and N. Z. Gong, “Fldetector: Defending federated learning against model poisoning attacks via detecting malicious clients,” inKDD, 2022, pp. 2545–2555

    work page 2022

  11. [11]

    Defl: Defend- ing against model poisoning attacks in federated learn- ing via critical learning periods awareness,

    G. Yan, H. Wang, X. Yuan, and J. Li, “Defl: Defend- ing against model poisoning attacks in federated learn- ing via critical learning periods awareness,” inAAAI, 2023, vol. 37, pp. 10711–10719

    work page 2023

  12. [12]

    Mesas: Poisoning de- fense for federated learning resilient against adaptive at- tackers,

    T. Krauß and A. Dmitrienko, “Mesas: Poisoning de- fense for federated learning resilient against adaptive at- tackers,” inCCS, 2023, pp. 1526–1540

    work page 2023

  13. [13]

    Fedrecover: Recovering from poisoning attacks in federated learning using historical information,

    X. Cao, J. Jia, Z. Zhang, and N. Z. Gong, “Fedrecover: Recovering from poisoning attacks in federated learning using historical information,” inIEEE S&P, 2023, pp. 1366–1383

    work page 2023

  14. [14]

    Fed- eraser: Enabling efficient client-level data removal from federated learning models,

    G. Liu, X. Ma, Y . Yang, C. Wang, and J. Liu, “Fed- eraser: Enabling efficient client-level data removal from federated learning models,” inIWQoS, 2021, pp. 1–10

    work page 2021

  15. [15]

    Towards efficient and certified recovery from poisoning attacks in federated learning,

    Y . Jiang, J. Shen, Z. Liu, C. W. Tan, and K. Y . Lam, “Towards efficient and certified recovery from poisoning attacks in federated learning,”IEEE TIFS, 2025

    work page 2025

  16. [16]

    Asynchronous federated unlearning,

    Ningxin Su and Baochun Li, “Asynchronous federated unlearning,” inINFOCOM, 2023, pp. 1–10

    work page 2023

  17. [17]

    Revfrf: Enabling cross-domain ran- dom forest training with revocable federated learning,

    Yang Liu, Zhuo Ma, Yilong Yang, Ximeng Liu, Jianfeng Ma, and Kui Ren, “Revfrf: Enabling cross-domain ran- dom forest training with revocable federated learning,” IEEE TDSC, vol. 19, no. 6, pp. 3671–3685, 2021

    work page 2021

  18. [18]

    Adversarial at- tack generation empowered by min-max optimization,

    Jingkang Wang, Tianyun Zhang, Sijia Liu, Pin-Yu Chen, Jiacen Xu, Makan Fardad, and Bo Li, “Adversarial at- tack generation empowered by min-max optimization,” inNeurIPS, 2021, vol. 34, pp. 16020–16033

    work page 2021

  19. [19]

    Manipulating the byzantine: Optimizing model poisoning attacks and defenses for federated learning,

    Virat Shejwalkar and Amir Houmansadr, “Manipulating the byzantine: Optimizing model poisoning attacks and defenses for federated learning,” inNDSS, 2021

    work page 2021

  20. [20]

    How to backdoor federated learning,

    Eugene Bagdasaryan, Andreas Veit, Yiqing Hua, Deb- orah Estrin, and Vitaly Shmatikov, “How to backdoor federated learning,” inAISTATS, 2020, pp. 2938–2948

    work page 2020

  21. [21]

    Analyzing federated learning through an adversarial lens,

    Arjun Nitin Bhagoji, Supriyo Chakraborty, Prateek Mit- tal, and Seraphin Calo, “Analyzing federated learning through an adversarial lens,” inICML, 2019, pp. 634– 643

    work page 2019

  22. [22]

    Fltrust: Byzantine-robust federated learn- ing via trust bootstrapping,

    Xiaoyu Cao, Minghong Fang, Jia Liu, and Neil Zhen- qiang Gong, “Fltrust: Byzantine-robust federated learn- ing via trust bootstrapping,” inNDSS, 2021

    work page 2021

  23. [23]

    Adversarial training for free!,

    Ali Shafahi, Mahyar Najibi, Mohammad Amin Ghiasi, Zheng Xu, John Dickerson, Christoph Studer, Larry S Davis, Gavin Taylor, and Tom Goldstein, “Adversarial training for free!,”NeurIPS, vol. 32, 2019

    work page 2019

  24. [24]

    Gradient-based learning applied to document recognition,

    Yann LeCun, L ´eon Bottou, Yoshua Bengio, and Patrick Haffner, “Gradient-based learning applied to document recognition,”Proc. IEEE, vol. 86, no. 11, pp. 2278– 2324, 1998

    work page 1998

  25. [25]

    Learning mul- tiple layers of features from tiny images,

    Alex Krizhevsky and Geoffrey Hinton, “Learning mul- tiple layers of features from tiny images,”Tech. Rep., Univ. Toronto, 2009

    work page 2009

  26. [26]

    Scalefl: Resource- adaptive federated learning with heterogeneous clients,

    Fatih Ilhan, Gong Su, and Ling Liu, “Scalefl: Resource- adaptive federated learning with heterogeneous clients,” inCVPR, 2023, pp. 24532–24541

    work page 2023

  27. [27]

    Gradient-based learning applied to document recognition,

    Yann LeCun, L ´eon Bottou, Yoshua Bengio, and Patrick Haffner, “Gradient-based learning applied to document recognition,”Proc. IEEE, vol. 86, no. 11, pp. 2278– 2324, 2002

    work page 2002

  28. [28]

    Deep residual learning for image recognition,

    Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun, “Deep residual learning for image recognition,” in CVPR, 2016, pp. 770–778

    work page 2016

  29. [29]

    Impact of convolutional neural net- work and FastText embedding on text classification,

    Muhammad Umer, Zainab Imtiaz, Muhammad Ahmad, Michele Nappi, Carlo Medaglia, Gyu Sang Choi, and Arif Mehmood, “Impact of convolutional neural net- work and FastText embedding on text classification,” Multimedia Tools Appl., vol. 82, no. 4, pp. 5569–5585, 2023

    work page 2023

  30. [30]

    Concepts of independence for proportions with a generalization of the dirichlet distribution,

    Robert J. Connor and James E. Mosimann, “Concepts of independence for proportions with a generalization of the dirichlet distribution,”J. Amer . Stat. Assoc., vol. 64, no. 325, pp. 194–206, 1969

    work page 1969