Let's Focus: Focused Backdoor Attack against Federated Transfer Learning

Marco Arazzi, Stefanos Koffas, Antonino Nocera, Stjepan Picek

TL;DR

The paper investigates backdoor vulnerabilities in Federated Transfer Learning and introduces FB-FTL, a focused backdoor that leverages Grad-CAM-guided trigger placement and dataset distillation to embed target-class features into poisoned updates. By freezing the feature extractor and training only classification layers, the approach exploits information from public data and XAI-guided regions to craft dynamic triggers that degrade or steer predictions toward a chosen class with high success rates. Across CIFAR-10, CINIC-10, SVHN, and GTSRB, FB-FTL achieves an average attack success rate of around 80% while preserving main-task performance, and remains effective against several Horizontal and Vertical FL defenses. These results reveal a notable vulnerability in Federated Transfer Learning and motivate defenses that consider pre-training privacy and targeted feature distortion rather than only update-level defenses.

Abstract

Federated Transfer Learning (FTL) is the most general variation of Federated Learning. According to this distributed paradigm, a feature learning pre-step is commonly carried out by only one party, typically the server, on publicly shared data. After that, the Federated Learning phase takes place to train a classifier collaboratively using the learned feature extractor. Each involved client contributes by locally training only the classification layers on a private training set. The peculiarity of an FTL scenario makes it hard to understand whether poisoning attacks can be developed to craft an effective backdoor. State-of-the-art attack strategies assume the possibility of shifting the model attention toward relevant features introduced by a forged trigger injected in the input data by some untrusted clients. Of course, this is not feasible in FTL, as the learned features are fixed once the server performs the pre-training step. Consequently, in this paper, we investigate this intriguing Federated Learning scenario to identify and exploit a vulnerability obtained by combining eXplainable AI (XAI) and dataset distillation. In particular, the proposed attack can be carried out by one of the clients during the Federated Learning phase of FTL by identifying the optimal location for the trigger through XAI and encapsulating compressed information of the backdoor class. Due to its behavior, we refer to our approach as a focused backdoor approach (FB-FTL for short) and test its performance by explicitly referencing an image classification scenario. With an average 80% attack success rate, obtained results show the effectiveness of our attack also against existing defenses for Federated Learning.

Paper Structure

This paper contains 26 sections, 8 equations, 12 figures, 9 tables.

Figures (12)

  • Figure 1: Federated Transfer Learning Framework.
  • Figure 2: Trigger distillation.
  • Figure 3: Examples of distilled triggers.
  • Figure 4: Performance of the attack changing the percentage of attackers.
  • Figure 5: Performance of the attack changing the total number of clients.
  • ...and 7 more figures