Table of Contents
Fetching ...

Bad-PFL: Exploring Backdoor Attacks against Personalized Federated Learning

Mingyuan Fan, Zhanyi Hu, Fuyi Wang, Cen Chen

TL;DR

This work investigates backdoor vulnerabilities in personalized federated learning (PFL), challenging the notion that PFL is naturally resistant to backdoor attacks. It introduces Bad-PFL, a backdoor method that uses a generator to extract natural target features as a trigger ($\mathcal{T}(x)=x+\delta+\xi$, with $\delta=\epsilon\cdot\mathcal{G}_w(x)$ and $\xi=\sigma\cdot\mathrm{sign}(\nabla_x \mathcal{L})$, under $\|\delta\|_{\infty}\le \epsilon$ and $\|\xi\|_{\infty}\le \sigma$) and couples this with mutual adaptation to persist in personalized models trained on natural data. Empirical evaluations on SVHN, CIFAR-10, and CIFAR-100 across 100 clients and multiple PFL methods show Bad-PFL achieving high ASR (often $\ge 80\%$) even under state-of-the-art defenses, with strong persistence especially as the number of compromised clients grows. Ablation studies confirm the critical roles of both target features $\delta$ and disruptive noise $\xi$, while analyses of detection defenses indicate Bad-PFL remains stealthy. The results emphasize the need for defense strategies that address natural-feature triggers and the lasting influence of data distributions in PFL.

Abstract

Data heterogeneity and backdoor attacks rank among the most significant challenges facing federated learning (FL). For data heterogeneity, personalized federated learning (PFL) enables each client to maintain a private personalized model to cater to client-specific knowledge. Meanwhile, vanilla FL has proven vulnerable to backdoor attacks. However, recent advancements in PFL community have demonstrated a potential immunity against such attacks. This paper explores this intersection further, revealing that existing federated backdoor attacks fail in PFL because backdoors about manually designed triggers struggle to survive in personalized models. To tackle this, we design Bad-PFL, which employs features from natural data as our trigger. As long as the model is trained on natural data, it inevitably embeds the backdoor associated with our trigger, ensuring its longevity in personalized models. Moreover, our trigger undergoes mutual reinforcement training with the model, further solidifying the backdoor's durability and enhancing attack effectiveness. The large-scale experiments across three benchmark datasets demonstrate the superior performance of our attack against various PFL methods, even when equipped with state-of-the-art defense mechanisms.

Bad-PFL: Exploring Backdoor Attacks against Personalized Federated Learning

TL;DR

This work investigates backdoor vulnerabilities in personalized federated learning (PFL), challenging the notion that PFL is naturally resistant to backdoor attacks. It introduces Bad-PFL, a backdoor method that uses a generator to extract natural target features as a trigger (, with and , under and ) and couples this with mutual adaptation to persist in personalized models trained on natural data. Empirical evaluations on SVHN, CIFAR-10, and CIFAR-100 across 100 clients and multiple PFL methods show Bad-PFL achieving high ASR (often ) even under state-of-the-art defenses, with strong persistence especially as the number of compromised clients grows. Ablation studies confirm the critical roles of both target features and disruptive noise , while analyses of detection defenses indicate Bad-PFL remains stealthy. The results emphasize the need for defense strategies that address natural-feature triggers and the lasting influence of data distributions in PFL.

Abstract

Data heterogeneity and backdoor attacks rank among the most significant challenges facing federated learning (FL). For data heterogeneity, personalized federated learning (PFL) enables each client to maintain a private personalized model to cater to client-specific knowledge. Meanwhile, vanilla FL has proven vulnerable to backdoor attacks. However, recent advancements in PFL community have demonstrated a potential immunity against such attacks. This paper explores this intersection further, revealing that existing federated backdoor attacks fail in PFL because backdoors about manually designed triggers struggle to survive in personalized models. To tackle this, we design Bad-PFL, which employs features from natural data as our trigger. As long as the model is trained on natural data, it inevitably embeds the backdoor associated with our trigger, ensuring its longevity in personalized models. Moreover, our trigger undergoes mutual reinforcement training with the model, further solidifying the backdoor's durability and enhancing attack effectiveness. The large-scale experiments across three benchmark datasets demonstrate the superior performance of our attack against various PFL methods, even when equipped with state-of-the-art defense mechanisms.
Paper Structure (35 sections, 7 equations, 19 figures, 24 tables, 1 algorithm)

This paper contains 35 sections, 7 equations, 19 figures, 24 tables, 1 algorithm.

Figures (19)

  • Figure 1: The overview of Bad-PFL. The right is the trigger generation function of Bad-PFL. When a compromised client is selected, it first trains the generator, and then uses this function to add triggers to the clean data for training its local model. Following this, the client trains its personalized model and uploads the backdoored local model.
  • Figure 2: Preformance comparison of varying compromised client numbers for FedBN and FedRep.
  • Figure 3: Preformance comparison from different local steps for both FedBN and FedRep.
  • Figure 4: Preformance comparison under varying poisoning rates for FedBN and FedRep.
  • Figure 5: Attack performance comparison with varying data heterogeneity degree.
  • ...and 14 more figures