ADCA: Attention-Driven Multi-Party Collusion Attack in Federated Self-Supervised Learning
Jiayao Wang, Yiping Zhang, Jiale Zhang, Wenliang Yuan, Qilin Wu, Junwu Zhu, Dongfang Zhao
TL;DR
This work addresses backdoor threats in Federated Self-Supervised Learning by introducing ADCA, a two-stage attack leveraging distributed trigger decomposition and an attention-driven malicious alliance to preserve backdoor signals during aggregation. By decomposing a global trigger into local parts and using cross-attention to fuse malicious updates, ADCA achieves strong ASR while maintaining ACC, outperforming centralized-trigger baselines across multiple datasets and SSL methods. The authors demonstrate ADCA’s effectiveness, stability under non-IID data and varying client counts, and robustness against several defenses, highlighting a critical need for defense strategies tailored to distributed backdoor tactics in FSSL. Overall, ADCA reveals a substantial vulnerability in FSSL pipelines and provides a rigorous experimental demonstration of how distributed backdoors can persist and evade standard defenses, informing future defense research and secure FSSL design.
Abstract
Federated Self-Supervised Learning (FSSL) integrates the privacy advantages of distributed training with the capability of self-supervised learning to leverage unlabeled data, showing strong potential across applications. However, recent studies have shown that FSSL is also vulnerable to backdoor attacks. Existing attacks are limited by their trigger design, which typically employs a global, uniform trigger that is easily detected, gets diluted during aggregation, and lacks robustness in heterogeneous client environments. To address these challenges, we propose the Attention-Driven multi-party Collusion Attack (ADCA). During local pre-training, malicious clients decompose the global trigger to find optimal local patterns. Subsequently, these malicious clients collude to form a malicious coalition and establish a collaborative optimization mechanism within it. In this mechanism, each submits its model updates, and an attention mechanism dynamically aggregates them to explore the best cooperative strategy. The resulting aggregated parameters serve as the initial state for the next round of training within the coalition, thereby effectively mitigating the dilution of backdoor information by benign updates. Experiments on multiple FSSL scenarios and four datasets show that ADCA significantly outperforms existing methods in Attack Success Rate (ASR) and persistence, proving its effectiveness and robustness.