Venomancer: Towards Imperceptible and Target-on-Demand Backdoor Attacks in Federated Learning

Son Nguyen, Thinh Nguyen, Khoa D Doan, Kok-Seng Wong

TL;DR

Federated Learning is vulnerable to backdoor attacks, and Venomancer targets two properties that most existing FL backdoors lack: imperceptibility and target-on-demand control. It is a two-stage, generator-based framework. Stage 1 trains a conditional generator to produce per-sample adversarial noise under a backdoor loss and a visual loss, using conditional adversarial training so that the attacker can pick any target class at inference time; Stage 2 injects the backdoor into the local model by balancing clean and backdoor objectives before the malicious update is sent to the server for aggregation. Across MNIST, Fashion-MNIST, CIFAR-10, and CIFAR-100, Venomancer reaches high backdoor accuracy while preserving reasonable clean accuracy, and it remains effective against several state-of-the-art defenses. This work exposes a practical FL vulnerability and underscores the need for stronger defenses and detectors to safeguard distributed learning systems.

Abstract

Federated Learning (FL) is a distributed machine learning approach that maintains data privacy by training on decentralized data sources. Similar to centralized machine learning, FL is also susceptible to backdoor attacks, where an attacker can compromise some clients by injecting a backdoor trigger into the local models of those clients, leading to the global model's behavior being manipulated as desired by the attacker. Most backdoor attacks in FL assume a predefined target class and require control over a large number of clients or knowledge of benign clients' information. Furthermore, they are not imperceptible and are easily detected by human inspection due to clear artifacts left on the poisoned data. To overcome these challenges, we propose Venomancer, an effective backdoor attack that is imperceptible and allows target-on-demand. Specifically, imperceptibility is achieved by using a visual loss function to make the poisoned data visually indistinguishable from the original data. The target-on-demand property allows the attacker to choose arbitrary target classes via conditional adversarial training. Additionally, experiments show that the method is robust against state-of-the-art defenses such as Norm Clipping, Weak DP, Krum, Multi-Krum, RLR, FedRAD, Deepsight, and RFLBAT. The source code is available at https://github.com/nguyenhongson1902/Venomancer.

Paper Structure (62 sections, 10 equations, 14 figures, 9 tables, 2 algorithms)

Figures (14)

  • Figure 1: Venomancer framework. Our proposed backdoor attack consists of two training stages: (1) Training generator and (2) Injecting backdoor. In the first stage, the generator $\mathcal{G}_{\xi^t}$ is updated using $\xi_{best}^{t-1}$ to generate the adversarial noise $\delta$. The generative model is trained using a combination of $\mathcal{L}_{backdoor}$, which misleads the local model into assigning poisoned images to a selected target class, and $\mathcal{L}_{visual}$ that constrains the similarity between backdoor samples and original images. In the second stage, the local model is trained to perform well on clean samples while incorrectly classifying backdoor data to the target class. After that, the malicious local update is sent back to the central server for aggregation.
  • Figure 2: The effectiveness of Venomancer over the FL training process on selected datasets
  • Figure 3: Comparison between our method and the target-on-demand version of A3FL and Blend attacks
  • Figure 4: The triggers used by A3FL and our attack
  • Figure 5: The robustness of our attack against state-of-the-art defenses on CIFAR-10
  • ...and 9 more figures
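The two-stage pipeline described in the Figure 1 caption, as an added PyTorch sketch that is not the Venomancer authors' code (their implementation is at the GitHub link above). The tiny random 8x8 "images", the two network architectures, the L_inf budget `EPS`, MSE as the visual loss, the `LAMBDA_VISUAL` weight and the 50/50 weighting in Stage 2 are all assumptions made for this illustration; the real attack runs on MNIST/CIFAR inside a federated training loop that wraps these two stages each round.

```python
# Added example (not the authors' code): a toy two-stage, generator-based
# backdoor in the style of Figure 1. Architectures, the L_inf budget, the MSE
# visual loss and the loss weights are assumptions for illustration only.
import torch
import torch.nn as nn
import torch.nn.functional as F

NUM_CLASSES = 10
IMG_SHAPE = (1, 8, 8)   # constructed tiny "images"; the paper uses MNIST/CIFAR
EPS = 8 / 255           # L_inf budget on the additive noise delta (assumption)
LAMBDA_VISUAL = 10.0    # weight of L_visual relative to L_backdoor (assumption)


class LocalModel(nn.Module):
    """Stand-in for the compromised client's local classifier."""
    def __init__(self):
        super().__init__()
        self.net = nn.Sequential(nn.Flatten(), nn.Linear(64, 32), nn.ReLU(),
                                 nn.Linear(32, NUM_CLASSES))

    def forward(self, x):
        return self.net(x)


class ConditionalGenerator(nn.Module):
    """G(x, target) -> delta. Conditioning on the target class is what gives
    target-on-demand: one generator serves every target at inference time."""
    def __init__(self):
        super().__init__()
        self.embed = nn.Embedding(NUM_CLASSES, 16)
        self.net = nn.Sequential(nn.Linear(64 + 16, 64), nn.ReLU(),
                                 nn.Linear(64, 64), nn.Tanh())

    def forward(self, x, target):
        h = torch.cat([x.flatten(1), self.embed(target)], dim=1)
        return EPS * self.net(h).view_as(x)   # tanh output keeps |delta| <= EPS


def poison(gen, x, target):
    """Apply the generated noise and keep the result a valid image."""
    delta = gen(x, target)
    return (x + delta).clamp(0, 1), delta


def visual_loss(x_poison, x):
    """L_visual: penalise pixel-level deviation from the clean image (MSE here)."""
    return F.mse_loss(x_poison, x)


def stage1_train_generator(gen, model, x, steps=30, lr=1e-2):
    """Stage 1: with the local model frozen, push G so that f(x + delta) predicts
    a randomly drawn target (L_backdoor) while delta stays small (L_visual)."""
    model.requires_grad_(False)
    gen.requires_grad_(True)
    opt = torch.optim.Adam(gen.parameters(), lr=lr)
    loss = None
    for _ in range(steps):
        target = torch.randint(0, NUM_CLASSES, (x.size(0),))  # random target per sample
        x_p, _ = poison(gen, x, target)
        loss = F.cross_entropy(model(x_p), target) + LAMBDA_VISUAL * visual_loss(x_p, x)
        opt.zero_grad()
        loss.backward()
        opt.step()
    return loss.item()


def stage2_inject_backdoor(model, gen, x, y, steps=30, lr=0.1, alpha=0.5):
    """Stage 2: with G frozen, train the local model to stay accurate on clean
    data and to map poisoned data to the requested targets. The resulting
    update is what the malicious client would send to the server."""
    gen.requires_grad_(False)
    model.requires_grad_(True)
    opt = torch.optim.SGD(model.parameters(), lr=lr)
    loss = None
    for _ in range(steps):
        target = torch.randint(0, NUM_CLASSES, (x.size(0),))
        with torch.no_grad():
            x_p, _ = poison(gen, x, target)
        loss = (alpha * F.cross_entropy(model(x), y)
                + (1 - alpha) * F.cross_entropy(model(x_p), target))
        opt.zero_grad()
        loss.backward()
        opt.step()
    return loss.item()


def run_local_round(seed=0, n=64, demo_target=3):
    """One malicious client round on constructed data; returns sanity metrics."""
    torch.manual_seed(seed)
    x = torch.rand(n, *IMG_SHAPE)                       # constructed clean batch
    y = torch.randint(0, NUM_CLASSES, (n,))             # constructed clean labels
    model, gen = LocalModel(), ConditionalGenerator()
    l1 = stage1_train_generator(gen, model, x)
    l2 = stage2_inject_backdoor(model, gen, x, y)
    with torch.no_grad():
        target = torch.full((n,), demo_target)          # attacker picks the target now
        x_p, delta = poison(gen, x, target)
        backdoor_acc = (model(x_p).argmax(1) == target).float().mean().item()
        clean_acc = (model(x).argmax(1) == y).float().mean().item()
    return {"stage1_loss": l1, "stage2_loss": l2,
            "max_abs_delta": delta.abs().max().item(),
            "backdoor_acc": backdoor_acc, "clean_acc": clean_acc}


if __name__ == "__main__":
    print(run_local_round())
```

The tanh-scaled output is the simplest way to make the visual constraint hard rather than soft: whatever the visual loss does, no pixel can move by more than `EPS`. On random data the backdoor accuracy after a single local round is not meaningful; the point of the sketch is the control flow (frozen model in Stage 1, frozen generator in Stage 2, target chosen only at inference) that a detector of FL updates has to reason about.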