
PhD Position F/M Distributed Training of Machine Learning Models with Malicious Clients

Valbonne, 06
1 day ago


Position: PhD student

Inria is the French National Institute for Research in Digital Science, of which the Inria Côte d'Azur University Center is a part. With strong expertise in computer science and applied mathematics, the research projects of the Inria Côte d'Azur University Center cover all aspects of digital science and technology and generate innovation. Based mainly in Sophia Antipolis, but also in Nice and Montpellier, it brings together 47 research teams and nine support services. It is active in the fields of artificial intelligence, data science, IT system security, robotics, network engineering, natural risk prevention, ecological transition, digital biology, computational neuroscience, health data, and more. The Inria Center at Université Côte d'Azur is a major player in terms of scientific excellence, thanks to the results it has achieved and its collaborations at both European and international level.

This PhD thesis is part of the Inria–Hivenet Challenge Cupseli: Collaborative Unified Platform for a Scalable and Efficient Learning Infrastructure. Cupseli aims to enable large-scale AI training and inference on distributed, heterogeneous, and potentially volatile computing resources, while preserving security, privacy, and performance.

The PhD candidate will be hired by Hivenet (soon to become Antimatter) in Cannes, but mostly hosted at the Inria Centre at Université Côte d’Azur, in Sophia Antipolis, and will work in the Inria team NEO, as well as with Hivenet. The thesis is part of the Security and Privacy axis of Cupseli, which focuses on protecting distributed learning systems against malicious behavior and information leakage.

Research objectives

The goal of this PhD is to study privacy vulnerabilities in federated and distributed training systems in the presence of malicious clients, and to design principled defenses against them.

A first objective will be to advance existing privacy attacks in distributed learning. The candidate will investigate how a malicious participant can manipulate its local training objective or model update in order to extract richer private information from honest clients. The focus will go beyond recovering simple class-level representations, with the goal of understanding what information can be inferred about individual samples, data properties, or local data distributions.

A second objective will be to study stealthy model-poisoning attacks. In practical systems, malicious updates are often constrained by anomaly detection, robust aggregation, clipping, or validation mechanisms. The thesis will therefore consider bounded poisoning models, where the attacker is restricted to a neighborhood of legitimate updates. This will make it possible to analyze attacks that are powerful enough to leak private information, but sufficiently small to remain hard to detect.

A third objective will be to design and evaluate defenses. The thesis will study how existing mechanisms such as robust aggregation, clipping, anomaly detection, regularization, privacy-preserving training, or client-side validation can mitigate privacy leakage induced by malicious participants. When existing defenses are insufficient, the candidate will propose new methods that explicitly account for the trade-off between privacy protection, robustness, and final model accuracy.

The work will combine theoretical analysis with experimental validation. The candidate will implement attacks and defenses in controlled simulation environments for federated and distributed learning, using standard machine learning datasets and relevant threat models. The empirical study will evaluate both the utility of the trained model and the effectiveness of the attacks and defenses, with particular attention to stealthiness and practical detectability.
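To make the "bounded poisoning" point of the second and third objectives concrete, here is a small added example (written for this page, not code from Inria, Hivenet or the Cupseli project) of a toy server-side aggregator that clips each client update to an L2 norm bound and then combines updates with a mean or a coordinate-wise median. The honest updates, the bound and the two outlier updates are constructed values; the check at the end shows that a wildly out-of-range update is neutralised by clipping, while an update that already sits inside the honest neighbourhood passes both clipping and the median untouched.

```python
# Added example (not from the job posting): clipping + robust aggregation on
# a 2-D toy model, and how much one extra update can move the aggregate.
import math
from statistics import median


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def clip_update(update, bound):
    """Scale an update down so its L2 norm is at most `bound` (clipping defense)."""
    n = l2_norm(update)
    if n <= bound:
        return list(update)
    return [x * bound / n for x in update]


def aggregate(updates, bound, rule="median"):
    """Clip every client update, then combine with the mean or coordinate-wise median."""
    clipped = [clip_update(u, bound) for u in updates]
    dims = range(len(clipped[0]))
    if rule == "mean":
        return [sum(c[d] for c in clipped) / len(clipped) for d in dims]
    return [median(c[d] for c in clipped) for d in dims]


def deviation(updates, bound, extra, rule="median"):
    """L2 distance the aggregate moves when one extra client update is added."""
    base = aggregate(updates, bound, rule)
    with_extra = aggregate(updates + [extra], bound, rule)
    return l2_norm([a - b for a, b in zip(with_extra, base)])


# Constructed honest updates (three clients) and two constructed outliers:
# one far outside the clipping bound, one inside the honest neighbourhood.
HONEST = [[1.0, 0.0], [0.9, 0.1], [1.1, -0.1]]
BOUND = 1.5
LARGE = [50.0, 50.0]    # clipping rescales this to norm 1.5
BOUNDED = [1.2, 0.3]    # norm ~1.24, already within the bound: passes unchanged

if __name__ == "__main__":
    for rule in ("mean", "median"):
        print(rule, "large:", round(deviation(HONEST, BOUND, LARGE, rule), 4),
              "bounded:", round(deviation(HONEST, BOUND, BOUNDED, rule), 4))
```

Under the median rule the in-neighbourhood update shifts the aggregate more than the clipped out-of-range one, which is exactly why the posting frames stealthy attacks as bounded ones: the standard defenses here bound the damage from obvious outliers but say nothing about updates that already look legitimate.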

Qualifications

The candidate should have a solid mathematical background, in particular in probability, optimization, information theory, or statistical machine learning. A strong interest in privacy and security for machine learning is expected.

Good programming skills are required, preferably in Python. Previous experience with PyTorch, TensorFlow, JAX, or federated learning libraries is a plus. Knowledge of adversarial machine learning, privacy attacks, robust learning, or distributed optimization would be appreciated but is not mandatory.

The candidate should be able to work both theoretically and experimentally, and should be motivated by the design of rigorous models that can lead to practical insights for real distributed AI systems.

Fluency in English is expected.

Benefits

  • Partial reimbursement of public transport costs
  • Leave: 7 weeks of annual leave + 10 extra days off due to RTT (statutory reduction in working hours) + possibility of exceptional leave (sick children, moving home, etc.)
  • Possibility of teleworking (after 6 months of employment) and flexible organization of working hours
  • Professional equipment available (videoconferencing, loan of computer equipment, etc.)
  • Social, cultural and sports events and activities
  • Access to vocational training
  • Social security coverage

Duration: 36 months
Location: Sophia Antipolis, France
Gross salary per month: 2300 €

Company: Inria
Publishing platform: WHATJOBS