Backdoor Federated Learning by Poisoning Backdoor-Critical Layers

Haomin Zhuang, Mingxian Yu, Hao Wang, Yang Hua, Jian Li, Xu Yuan

TL;DR

The paper reveals that backdoor efficacy in federated learning can be concentrated in a small set of backdoor-critical (BC) layers. It introduces Layer Substitution Analysis to identify BC layers and proposes two layer-wise attacks, Layer-wise Poisoning (LP) and Layer-wise Flipping (LF), that selectively target these layers to achieve high backdoor success while evading state-of-the-art defenses. Across CNN, ResNet, and VGG models and multiple datasets, LP/LF outperform baselines and can bypass seven defenses even when only a fraction of $0.1$ of the clients is malicious, while preserving main-task accuracy. These findings highlight a fundamental layer-wise vulnerability in FL and motivate defense strategies that account for BC-layer dynamics and targeted layer defenses.

Abstract

Federated learning (FL) has been widely deployed to enable machine learning training on sensitive data across distributed devices. However, the decentralized learning paradigm and heterogeneity of FL further extend the attack surface for backdoor attacks. Existing FL attack and defense methodologies typically focus on the whole model. None of them recognizes the existence of backdoor-critical (BC) layers, a small subset of layers that dominate the model vulnerabilities. Attacking the BC layers achieves effects equivalent to attacking the whole model but with a far smaller chance of being detected by state-of-the-art (SOTA) defenses. This paper proposes a general in-situ approach that identifies and verifies BC layers from the perspective of attackers. Based on the identified BC layers, we carefully craft a new backdoor attack methodology that adaptively seeks a fundamental balance between attacking effects and stealthiness under various defense strategies. Extensive experiments show that our BC layer-aware backdoor attacks can successfully backdoor FL under seven SOTA defenses with only 10% malicious clients and outperform the latest backdoor attack methods.

Paper Structure (40 sections, 7 equations, 25 figures, 12 tables)


Figures (25)

  • Figure 1: (a) The changes in backdoor success rate (BSR) of the malicious model with a layer substituted from the benign model. (b) The changes of BSR of the benign model with layer(s) substituted from the malicious model ("All except fc1.weight" indicates replacing all layers except the fc1.weight with layers from the malicious model).
  • Figure 2: Identifying BC layers with Layer Substitution Analysis. $b2m(l)$ indicates inserting the $l$-th layer of the benign model into the malicious model, $m2b(L^*)$ indicates inserting the malicious model's layers within the subset $L^*$ into the benign model, and BSR indicates Backdoor Success Rate.
  • Figure 3: VGG19 trained with different robust aggregation rules on non-IID data. Acc indicates the main task accuracy, and BSR indicates Backdoor Success Rate.
  • Figure 4: BSR vs. different $\tau$ values used by LP attack.
  • Figure 5: Different values of $\lambda$ in CNN trained on Fashion-MNIST and ResNet18 trained on CIFAR-10.
  • ...and 20 more figures