Partner in Crime: Boosting Targeted Poisoning Attacks against Federated Learning

Shihua Sun, Shridatt Sugrim, Angelos Stavrou, Haining Wang

TL;DR

Federated Learning systems are vulnerable to targeted poisoning that aims to misclassify samples from a specific source class to a designated target class. The authors propose BoTPA, a general pre-training boosting framework that selects intermediate classes via Input Similarity from Contribution Degrees and crafts soft labels for an Amplifier set to amplify the attack effect, without adding new malicious data. Theoretical analysis shows boosted updates align with vanilla attack directions, and experiments across FMNIST, CIFAR-10, and CH-MNIST demonstrate substantial RI-ASR gains under both data and model poisoning, even in the presence of Byzantine defenses like Krum, Median, and Flame, and under non-IID data. Visualizations of latent spaces corroborate the boundary-shaping effect, underscoring BoTPA’s impact on decision boundaries. These results highlight the need for density-based defenses and point to new directions for FL security research and defense design.

Abstract

Federated Learning (FL) exposes vulnerabilities to targeted poisoning attacks that aim to cause misclassification specifically from the source class to the target class. However, using well-established defense frameworks, the poisoning impact of these attacks can be greatly mitigated. We introduce a generalized pre-training stage approach to Boost Targeted Poisoning Attacks against FL, called BoTPA. Its design rationale is to leverage the model update contributions of all data points, including ones outside of the source and target classes, to construct an Amplifier set, in which we falsify the data labels before the FL training process, as a means to boost attacks. We comprehensively evaluate the effectiveness and compatibility of BoTPA on various targeted poisoning attacks. Under data poisoning attacks, our evaluations reveal that BoTPA can achieve a median Relative Increase in Attack Success Rate (RI-ASR) between 15.3% and 36.9% across all possible source-target class combinations, with varying percentages of malicious clients, compared to its baseline. In the context of model poisoning, BoTPA attains RI-ASRs ranging from 13.3% to 94.7% in the presence of the Krum and Multi-Krum defenses, from 2.6% to 49.2% under the Median defense, and from 2.9% to 63.5% under the Flame defense.
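As an added example that is not code from the paper or its authors, the Python below implements the aggregation rules the abstract names as defenses (Krum, Multi-Krum and coordinate-wise Median, with FedAvg as the undefended baseline; Flame, which also clusters, clips and noises updates, is not reproduced) and runs them over constructed client updates, then computes the attack success rate of a targeted s -> r attack on a constructed test outcome. Every update, label and prediction is made up for the demo, and the `relative_increase` formula is an assumption standing in for the paper's RI-ASR, not its definition.

```python
# Added example, not code from the paper or its authors: the aggregation rules the
# abstract names (FedAvg as undefended baseline, Krum, Multi-Krum, coordinate-wise
# Median) over constructed client updates, plus ASR bookkeeping for a targeted
# s -> r attack. Every update, label and prediction below is made up for the demo.
from typing import List, Sequence

Vec = List[float]

def sq_dist(a: Vec, b: Vec) -> float:
    """Squared Euclidean distance between two flattened model updates."""
    return sum((x - y) ** 2 for x, y in zip(a, b))

def fedavg(updates: Sequence[Vec]) -> Vec:
    """Undefended baseline: coordinate-wise mean of all client updates."""
    n, dim = len(updates), len(updates[0])
    return [sum(u[d] for u in updates) / n for d in range(dim)]

def krum_scores(updates: Sequence[Vec], f: int) -> List[float]:
    """Krum score per update: sum of squared distances to its n - f - 2 nearest
    other updates, f being the assumed number of Byzantine clients. A lone
    outlier scores badly; updates that sit inside the honest cluster pass."""
    n = len(updates)
    k = n - f - 2
    if k < 1:
        raise ValueError("Krum requires n > f + 2 clients")
    scores = []
    for i, u in enumerate(updates):
        dists = sorted(sq_dist(u, v) for j, v in enumerate(updates) if j != i)
        scores.append(sum(dists[:k]))
    return scores

def krum(updates: Sequence[Vec], f: int) -> Vec:
    """Krum: keep only the single lowest-scoring update."""
    scores = krum_scores(updates, f)
    return list(updates[scores.index(min(scores))])

def multi_krum(updates: Sequence[Vec], f: int, m: int) -> Vec:
    """Multi-Krum: average the m lowest-scoring updates."""
    scores = krum_scores(updates, f)
    chosen = sorted(range(len(updates)), key=lambda i: scores[i])[:m]
    return [sum(updates[i][d] for i in chosen) / m for d in range(len(updates[0]))]

def coordinate_median(updates: Sequence[Vec]) -> Vec:
    """Median defense: per coordinate, the median across clients."""
    n, out = len(updates), []
    for d in range(len(updates[0])):
        col = sorted(u[d] for u in updates)
        mid = n // 2
        out.append(col[mid] if n % 2 else (col[mid - 1] + col[mid]) / 2)
    return out

def attack_success_rate(preds: Sequence[int], labels: Sequence[int],
                        source: int, target: int) -> float:
    """ASR of a targeted s -> r attack: fraction of true source-class test
    samples the global model labels as the target class."""
    src = [p for p, y in zip(preds, labels) if y == source]
    return sum(1 for p in src if p == target) / len(src)

def relative_increase(boosted: float, vanilla: float) -> float:
    """(boosted - vanilla) / vanilla. Assumption: a stand-in for the paper's
    RI-ASR; the paper's exact definition is in its body and may differ."""
    return (boosted - vanilla) / vanilla

# Constructed 2-D updates: six honest clients agree on roughly [1, 0]; two
# colluding malicious clients push hard in another direction.
HONEST = [[1.0, 0.0], [1.1, 0.1], [0.9, -0.1], [1.0, 0.2], [1.2, 0.0], [0.8, 0.0]]
MALICIOUS = [[-5.0, 3.0], [-5.0, 3.0]]
UPDATES = HONEST + MALICIOUS

def run_demo() -> dict:
    """Aggregate one constructed round under each rule and score a constructed
    3 -> 7 test outcome for a vanilla attack and a stronger one."""
    labels = [3, 3, 3, 3, 3, 7, 7, 1]
    vanilla_preds = [7, 3, 3, 3, 3, 7, 7, 1]  # 1 of 5 source samples flipped
    boosted_preds = [7, 7, 7, 3, 3, 7, 7, 1]  # 3 of 5 source samples flipped
    asr_v = attack_success_rate(vanilla_preds, labels, source=3, target=7)
    asr_b = attack_success_rate(boosted_preds, labels, source=3, target=7)
    f = len(MALICIOUS)
    return {
        "fedavg": fedavg(UPDATES),
        "krum": krum(UPDATES, f),
        "multi_krum": multi_krum(UPDATES, f, m=2),
        "median": coordinate_median(UPDATES),
        "asr_vanilla": asr_v,
        "asr_boosted": asr_b,
        "ri_asr": relative_increase(asr_b, asr_v),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:12s} {value}")
```

Run as-is, FedAvg's first coordinate comes out at -0.5, dragged by the two colluding clients, while Krum, Multi-Krum and Median all stay inside the honest cluster; that filtering is the mitigation the abstract refers to. BoTPA, as the abstract describes it, works around it from a different angle: it falsifies labels in an Amplifier set before training rather than adding new malicious data, so the boost does not arrive as one more outlying update for these rules to discard.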

Paper Structure

This paper contains 33 sections, 2 theorems, 18 equations, 13 figures, 1 table, and 2 algorithms.

Key Result

Proposition 1

Suppose the FL model is updated using the gradient descent algorithm by minimizing the cross-entropy loss function. Let $m$ denote the number of local training iterations in each communication round. If a targeted data poisoning attack, attempting to classify source class $s$ as target class $r$, oc where $\delta_{rs}(\boldsymbol{x}, \boldsymbol{w}) = \nabla_{\boldsymbol{w}} \log f_{r}(\boldsymbo

Figures (13)

  • Figure 1: The FL system under targeted data poisoning and model poisoning attacks: (A) procedure for maliciously changing labels, (B) model manipulation process. Attacker (1) is performing model poisoning, and Attacker (2) is performing data poisoning.
  • Figure 2: Overview of BoTPA. The right box represents the poisoned FL system, and the left box displays the BoTPA procedures.
  • Figure 3: Illustration of local model updates under no attack, vanilla poisoning attack, and boosted poisoning attack.
  • Figure 4: Global model accuracy under vanilla and boosted data poisoning attacks. $s \rightarrow r$ denotes an attack aiming to misclassify data samples from class $s$ to class $r$.
  • Figure 5: Performance comparison of stealthy model poisoning attacks with varying ratios of malicious clients under Krum and Multi-Krum.
  • ...and 8 more figures

Theorems & Definitions (4)

  • Proposition 1
  • Proof of Proposition 1
  • Proposition 2
  • Proof of Proposition 2