Performance Guaranteed Poisoning Attacks in Federated Learning: A Sliding Mode Approach

Huazi Pan, Yanjun Zhang, Leo Yu Zhang, Scott Adams, Abbas Kouzani, Suiyang Khoo

TL;DR

This work tackles the problem of controllable poisoning attacks in federated learning, where an attacker aims to degrade global model performance to a predefined objective with adjustable speed. The authors propose FedSA, a sliding mode control–based attack that treats the FL process as a nonlinear dynamic system and enforces a finite-time convergence toward a poisoned reference model $\tilde{w}$ by steering the global state through a designed sliding surface. FedSA offers provable guarantees on convergence and allows dynamic adjustment of attack objectives via a constant $C$ and convergence speed via the gain $k$, enabling stealthier, faster, and more flexible poisoning than prior approaches. Extensive experiments on CIFAR-10, MNIST, and Tiny ImageNet against a broad set of Byzantine-robust defenses show FedSA achieving near-target accuracies with relatively few malicious clients, highlighting a pressing need for defense mechanisms specifically designed to counter controllable poisoning, including asynchronous FL scenarios in future work.

Abstract

Manipulation of local training data and local updates, i.e., the poisoning attack, is the main threat arising from the collaborative nature of the federated learning (FL) paradigm. Most existing poisoning attacks aim to manipulate local data/models in a way that causes denial-of-service (DoS) issues. In this paper, we introduce a novel attack method, named the Federated Learning Sliding Attack (FedSA) scheme, aiming at precisely introducing the extent of poisoning in a subtle, controlled manner. It operates with a predefined objective, such as reducing the global model's prediction accuracy by 10%. FedSA integrates robust nonlinear control theory, specifically Sliding Mode Control (SMC), with model poisoning attacks. It can manipulate the updates from malicious clients to drive the global model towards a compromised state, achieving this at a controlled and inconspicuous rate. Additionally, leveraging the robust control properties of FedSA allows precise control over the convergence bounds, enabling the attacker to set the global accuracy of the poisoned model to any desired level. Experimental results demonstrate that FedSA can accurately achieve a predefined global accuracy with fewer malicious clients while maintaining a high level of stealth and adjustable learning rates.

Paper Structure

This paper contains 28 sections, 1 theorem, 17 equations, 12 figures, 2 tables, 1 algorithm.

Key Result

Theorem 1

Consider an FL system governed by the dynamics described in Eq. Eq:system with the error function given by Eq. Eq:Error2 and a sliding surface defined by Eq. Eq:surface. Let the control law $u_t$ be designed as in Eq. Eq:controllaw with constants $k > 0$, $\eta > 0$, and $C \in \mathbb{R}$, and the d

Figures (12)

  • Figure 1: Convergence of $s_t$.
  • Figure 2: The comparison of existing attacks and our attack. The attack effect is illustrated via loss contours: the blue area indicates low loss and the red area indicates high loss.
  • Figure 3: The mechanism of FedSA.
  • Figure 4: Comparison of FMPA and FedSA against various AGRs with different attack objectives on CIFAR10. Comparison figures on MNIST and Tiny ImageNet are given in Supp.-2.2.
  • Figure 5: Ablation Study Results.
  • ...and 7 more figures

Theorems & Definitions (3)

  • Theorem 1
  • proof
  • Remark 1