Watch Out for the Lifespan: Evaluating Backdoor Attacks Against Federated Model Adaptation

TL;DR

This paper analyzes how LoRA, a parameter-efficient fine-tuning method, affects backdoor attacks during federated model adaptation, with a focus on backdoor lifespan and injection dynamics. It introduces formal metrics for backdoor persistence and evaluates three representative attacks (Neurotoxin, DBA, A3FL) against a Vision Transformer under realistic FL settings, using PiSSA-based LoRA initialization. The key finding is that, under optimal backdoor injection, lower LoRA ranks can prolong backdoor persistence, but the observed lifespan is highly sensitive to the attack window and convergence dynamics, revealing evaluation biases in prior work. The study highlights the need for robust evaluation protocols in long-term FL security and proposes practical mitigations, such as iterative LoRA resets, to accelerate backdoor forgetting without sacrificing benign performance. These insights have practical implications for risk assessment and defense design in critical FL deployments, and the authors provide public code to facilitate replication and further research.

Abstract

Large models adaptation through Federated Learning (FL) addresses a wide range of use cases and is enabled by Parameter-Efficient Fine-Tuning techniques such as Low-Rank Adaptation (LoRA). However, this distributed learning paradigm faces several security threats, particularly to its integrity, such as backdoor attacks that aim to inject malicious behavior during the local training steps of certain clients. We present the first analysis of the influence of LoRA on state-of-the-art backdoor attacks targeting model adaptation in FL. Specifically, we focus on backdoor lifespan, a critical characteristic in FL, that can vary depending on the attack scenario and the attacker's ability to effectively inject the backdoor. A key finding in our experiments is that for an optimally injected backdoor, the backdoor persistence after the attack is longer when the LoRA's rank is lower. Importantly, our work highlights evaluation issues of backdoor attacks against FL and contributes to the development of more robust and fair evaluations of backdoor attacks, enhancing the reliability of risk assessments for critical FL systems. Our code is publicly available.

Figures (11)

• Figure 1: ACC and ASR on $ViT$. The black vertical line is the end of $AW=[0,30]$. NB: we use (b) a non-linear x-axis to zoom in on $AW$.
• Figure 2: ASR with $AW=[0,30]$ for ViT without and wit LoRA ($r=2, 8, 32$). NB: Note the use of a Non-linear x-axis to zoom in on the AW.
• Figure 3: Accuracy (ACC) of the benign task and ASR for the baseline attack.
• Figure 4: Influence of injection quality on lifespan (baseline attack) with three AW.
• Figure 5: (top) ASR with $AW=[0,200]$ for $r= 2$, $8$, $32$ and $ViT$. (bottom) 2d representation of the features space (with t-SNE) for $ViT$ and $r=2$ at round 200 and 1200. Attack is the baseline. The color of the poisoned samples ($\times$) corresponds to the groundtruth label ($y$)