Free-rider attacks on federated learning consist in dissimulating participation to the federated learning process with the goal of obtaining the final aggregated model without actually contributing with any data. We introduce here the first theoretical and experimental analysis of free-rider attacks on federated learning schemes based on iterative parameters aggregation, such as FedAvg or FedProx, and provide formal guarantees for these attacks to converge to the aggregated models of the fair participants. We first show that a straightforward implementation of this attack can be simply achieved by not updating the local parameters during the iterative federated optimization. As this attack can be detected by adopting simple countermeasures at the server level, we subsequently study more complex disguising schemes based on stochastic updates of the free-rider parameters. We demonstrate the proposed strategies on a number of experimental scenarios, in both iid and non-iid settings. We conclude by providing recommendations to avoid free-rider attacks in real world applications of federated learning, especially in sensitive domains where security of data and models is critical.

本文旨在介绍基于FedAvg或FedProx等迭代参数聚合的联邦学习方案中存在的免费骑客攻击，并提供了针对这些攻击的正式保证。研究表明，这种攻击可通过不更新本地参数实现，同时还介绍了更复杂的伪造方案。最后，提供了避免此类攻击的建议。

联邦学习中模型聚合的免费骑车者攻击