Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Non-Cooperative Backdoor Attacks in Federated Learning: A New Threat Landscape

Tuan Nguyen, Dung Thuy Nguyen, Khoa D Doan, Kok-Seng Wong

TL;DR

This work identifies a realistic threat model for federated learning: non-cooperative backdoor attacks (NBA) where multiple independent clients inject distinct triggers targeting different classes. It formalizes the NBA framework and conducts extensive empirical evaluation across four datasets under non-IID conditions, exploring single-shot, multiple-shot, and semi-multiple-shot scenarios with up to eight attackers. Key findings show that individual backdoors can be learned with limited impact on main task accuracy under certain conditions, while standard defenses like norm clipping may be ineffective and differential privacy can degrade overall performance. The study highlights the need for robust defenses and incentive structures, proposing watermarking-based backdoors as a potential direction for protecting intellectual property in cross-silo settings and guiding future defense research in realistic FL threat landscapes.

Abstract

Despite the promise of Federated Learning (FL) for privacy-preserving model training on distributed data, it remains susceptible to backdoor attacks. These attacks manipulate models by embedding triggers (specific input patterns) in the training data, forcing misclassification as predefined classes during deployment. Traditional single-trigger attacks and recent work on cooperative multiple-trigger attacks, where clients collaborate, highlight limitations in attack realism due to coordination requirements. We investigate a more alarming scenario: non-cooperative multiple-trigger attacks. Here, independent adversaries introduce distinct triggers targeting unique classes. These parallel attacks exploit FL's decentralized nature, making detection difficult. Our experiments demonstrate the alarming vulnerability of FL to such attacks, where individual backdoors can be successfully learned without impacting the main task. This research emphasizes the critical need for robust defenses against diverse backdoor attacks in the evolving FL landscape. While our focus is on empirical analysis, we believe it can guide backdoor research toward more realistic settings, highlighting the crucial role of FL in building robust defenses against diverse backdoor threats. The code is available at \url{https://anonymous.4open.science/r/nba-980F/}.

Non-Cooperative Backdoor Attacks in Federated Learning: A New Threat Landscape

TL;DR

This work identifies a realistic threat model for federated learning: non-cooperative backdoor attacks (NBA) where multiple independent clients inject distinct triggers targeting different classes. It formalizes the NBA framework and conducts extensive empirical evaluation across four datasets under non-IID conditions, exploring single-shot, multiple-shot, and semi-multiple-shot scenarios with up to eight attackers. Key findings show that individual backdoors can be learned with limited impact on main task accuracy under certain conditions, while standard defenses like norm clipping may be ineffective and differential privacy can degrade overall performance. The study highlights the need for robust defenses and incentive structures, proposing watermarking-based backdoors as a potential direction for protecting intellectual property in cross-silo settings and guiding future defense research in realistic FL threat landscapes.

Abstract

Despite the promise of Federated Learning (FL) for privacy-preserving model training on distributed data, it remains susceptible to backdoor attacks. These attacks manipulate models by embedding triggers (specific input patterns) in the training data, forcing misclassification as predefined classes during deployment. Traditional single-trigger attacks and recent work on cooperative multiple-trigger attacks, where clients collaborate, highlight limitations in attack realism due to coordination requirements. We investigate a more alarming scenario: non-cooperative multiple-trigger attacks. Here, independent adversaries introduce distinct triggers targeting unique classes. These parallel attacks exploit FL's decentralized nature, making detection difficult. Our experiments demonstrate the alarming vulnerability of FL to such attacks, where individual backdoors can be successfully learned without impacting the main task. This research emphasizes the critical need for robust defenses against diverse backdoor attacks in the evolving FL landscape. While our focus is on empirical analysis, we believe it can guide backdoor research toward more realistic settings, highlighting the crucial role of FL in building robust defenses against diverse backdoor threats. The code is available at \url{https://anonymous.4open.science/r/nba-980F/}.
Paper Structure (29 sections, 5 equations, 12 figures, 10 tables)

This paper contains 29 sections, 5 equations, 12 figures, 10 tables.

Table of Contents

  1. Introduction
  2. Background and related work
  3. Federated learning
  4. Backdoor attacks and defenses in FL
  5. Non-Cooperative Backdoor Attacks against federated learning
  6. General framework
  7. Factors in Non-Cooperative Backdoor Attacks
  8. Experiments
  9. Datasets and experiment setup
  10. Backdoor attacks with one adversary
  11. Single-shot attack
  12. Multiple-shot attack
  13. Non-Cooperative Backdoor Attacks
  14. Single-shot attack
  15. Multiple-shot attack
  16. ...and 14 more sections

Figures (12)

  • Figure 1: Non-Cooperative Backdoor Attacks (NBA) scenario in FL: the red color represents the malicious client with their own unique trigger and target class, aiming to inject the backdoor trigger. Here, $(T_i, C_i)$ denotes the trigger and target class of the $i$-th attacker.
  • Figure 2: Eight trigger patterns used in our NBA experiments, all with fixed sizes of 24 pixels.
  • Figure 3: Backdoor accuracy of 8 triggers in single-shot attack with one adversary and $\gamma=100$.
  • Figure 4: Backdoor accuracy in multiple-shot setting with one adversary ($\gamma=1$)
  • Figure 5: Backdoor accuracy in single-shot NBA with $\gamma=100$ and gap 10 rounds.
  • ...and 7 more figures