You Can Backdoor Personalized Federated Learning

Tiandi Ye, Cen Chen, Yinggui Wang, Xiang Li, Ming Gao

TL;DR

This work challenges the assumption that parameter decoupling in personalized federated learning protects against backdoor attacks by revealing persistent vulnerability due to classifier and data heterogeneity. It introduces BapFL, a practical backdoor attack combining poisoning of the feature encoder and diversification of local classifiers, with minimal overhead. Across three datasets and multiple defenses, BapFL achieves high ASR while maintaining main-task performance, and remains potent even under Multi-Krum defenses and PGD adaptations. The findings underscore the need for robust, pFL-specific defenses and invite further research into secure personalization in federated settings.

Abstract

Existing research primarily focuses on backdoor attacks and defenses within the generic federated learning scenario, where all clients collaborate to train a single global model. A recent study conducted by Qin et al. (2023) marks the initial exploration of backdoor attacks within the personalized federated learning (pFL) scenario, where each client constructs a personalized model based on its local data. Notably, the study demonstrates that pFL methods with parameter decoupling can significantly enhance robustness against backdoor attacks. However, in this paper, we show that pFL methods with parameter decoupling are still vulnerable to backdoor attacks. The resistance of pFL methods with parameter decoupling is attributed to the heterogeneous classifiers between malicious clients and benign counterparts. We analyze two direct causes of the heterogeneous classifiers: (1) data heterogeneity inherently exists among clients and (2) poisoning by malicious clients further exacerbates the data heterogeneity. To address these issues, we propose a two-pronged attack method, BapFL, which comprises two simple yet effective strategies: (1) poisoning only the feature encoder while keeping the classifier fixed and (2) diversifying the classifier through noise introduction to simulate that of the benign clients. Extensive experiments on three benchmark datasets under varying conditions demonstrate the effectiveness of our proposed attack. Additionally, we evaluate the effectiveness of six widely used defense methods and find that BapFL still poses a significant threat even in the presence of the best defense, Multi-Krum. We hope to inspire further research on attack and defense strategies in pFL scenarios. The code is available at: https://github.com/BapFL/code.


Paper Structure (28 sections, 5 equations, 11 figures, 1 table, 1 algorithm)

Figures (11)

  • Figure 1: Attack success rate (ASR) of black-box backdoor attacks against FedAvg and two pFL methods based on parameter decoupling, namely FedBN and FedPer. Details of the attack setup are discussed in the experimental setup section.
  • Figure 2: Illustration of factor $F_{2}$. Green triangles denote the poisoned samples whose ground truth labels are class 1, and the target label is class 0. Poisoning has significantly altered the data distribution, resulting in a noticeable shift in the classifier boundary compared to that of the benign client.
  • Figure 3: Illustration of factor $F_{1}$. The presence of data heterogeneity between client $C_{A}$ and client $C_{B}$ results in significant variation in their respective classifiers.
  • Figure 4: Poisoned inputs with a grid pattern trigger from MNIST (top row), Fashion-MNIST (middle row), and CIFAR-10 (bottom row).
  • Figure 5: ASR and MTA curves of all attacks on three datasets.
  • ...and 6 more figures