Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Beyond Traditional Threats: A Persistent Backdoor Attack on Federated Learning

Tao Liu, Yuhang Zhang, Zhu Feng, Zhiqin Yang, Chen Xu, Dapeng Man, Wu Yang

TL;DR

This work addresses the persistence of backdoor attacks in federated learning by introducing FCBA, a combinatorics-based method that generates a full set of local triggers and assigns them to distinct malicious clients. By leveraging a model replacement strategy and a centralized aggregation of diverse local backdoor patterns, FCBA achieves higher attack persistence than prior methods across MNIST, CIFAR-10, and GTSRB, even under post-convergence injection. The authors provide extensive experiments, ablations, and robustness analyses, showing FCBA's strong persistence and its resistance to several defenses and differential privacy settings. The findings highlight a critical security concern for FL deployments and offer a framework for threat assessment and robustness evaluation against sophisticated backdoor strategies.

Abstract

Backdoors on federated learning will be diluted by subsequent benign updates. This is reflected in the significant reduction of attack success rate as iterations increase, ultimately failing. We use a new metric to quantify the degree of this weakened backdoor effect, called attack persistence. Given that research to improve this performance has not been widely noted,we propose a Full Combination Backdoor Attack (FCBA) method. It aggregates more combined trigger information for a more complete backdoor pattern in the global model. Trained backdoored global model is more resilient to benign updates, leading to a higher attack success rate on the test set. We test on three datasets and evaluate with two models across various settings. FCBA's persistence outperforms SOTA federated learning backdoor attacks. On GTSRB, postattack 120 rounds, our attack success rate rose over 50% from baseline. The core code of our method is available at https://github.com/PhD-TaoLiu/FCBA.

Beyond Traditional Threats: A Persistent Backdoor Attack on Federated Learning

TL;DR

This work addresses the persistence of backdoor attacks in federated learning by introducing FCBA, a combinatorics-based method that generates a full set of local triggers and assigns them to distinct malicious clients. By leveraging a model replacement strategy and a centralized aggregation of diverse local backdoor patterns, FCBA achieves higher attack persistence than prior methods across MNIST, CIFAR-10, and GTSRB, even under post-convergence injection. The authors provide extensive experiments, ablations, and robustness analyses, showing FCBA's strong persistence and its resistance to several defenses and differential privacy settings. The findings highlight a critical security concern for FL deployments and offer a framework for threat assessment and robustness evaluation against sophisticated backdoor strategies.

Abstract

Backdoors on federated learning will be diluted by subsequent benign updates. This is reflected in the significant reduction of attack success rate as iterations increase, ultimately failing. We use a new metric to quantify the degree of this weakened backdoor effect, called attack persistence. Given that research to improve this performance has not been widely noted,we propose a Full Combination Backdoor Attack (FCBA) method. It aggregates more combined trigger information for a more complete backdoor pattern in the global model. Trained backdoored global model is more resilient to benign updates, leading to a higher attack success rate on the test set. We test on three datasets and evaluate with two models across various settings. FCBA's persistence outperforms SOTA federated learning backdoor attacks. On GTSRB, postattack 120 rounds, our attack success rate rose over 50% from baseline. The core code of our method is available at https://github.com/PhD-TaoLiu/FCBA.
Paper Structure (45 sections, 7 equations, 33 figures, 4 tables)

This paper contains 45 sections, 7 equations, 33 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Backdoor Attack on Federated Learning
  4. Defenses against Backdoor Attack
  5. Full Combination Backdoor Attack on Federated Learning
  6. Federated Learning
  7. Threat Model
  8. Attack scenario.
  9. Attacker’s knowledge and capabilities.
  10. Attack workflow.
  11. Full Combination Backdoor Attack
  12. Generate Full Combination Trigger.
  13. Identify Malicious Clients.
  14. Designing Attack Objective Functions.
  15. Experiment & Analysis
  16. ...and 30 more sections

Figures (33)

  • Figure 1: Overview of full combination backdoor attack (FCBA) in FL. At round $t+1$, the aggregator merges local data (both benign and adversarial) from $t$ to update $G_{t+1}$. During a backdoor attack, the attacker uses trigger partition $m$ to create local trigger patterns and identifies $M$ malicious clients, each with a unique trigger pattern.
  • Figure 2: Trigger factors (size, gap and location) in backdoored images.
  • Figure 3: ASR of FCBA and DBA. FCBA is more effective and persistent than DBA.
  • Figure 4: CDA of FCBA and DBA. FCBA is more hidden than DBA.
  • Figure 5: Visualization of clean samples and trigger samples before and after DBA. After the attack, the global model can clearly distinguish between the two types of samples. However, as the rounds increase, the separation between the sample distributions becomes increasingly blurred.
  • ...and 28 more figures