
Multi-Target Federated Backdoor Attack Based on Feature Aggregation

Published 23 Feb 2025 in cs.CR and cs.CV | (2502.16545v1)

Abstract: Current federated backdoor attacks focus on collaboratively training backdoor triggers, where multiple compromised clients train their local trigger patches and then merge them into a global trigger during the inference phase. However, these methods require careful design of the shape and position of trigger patches and lack the feature interactions between trigger patches during training, resulting in poor backdoor attack success rates. Moreover, the pixels of the patches remain untruncated, thereby making abrupt areas in backdoor examples easily detectable by the detection algorithm. To this end, we propose a novel benchmark for the federated backdoor attack based on feature aggregation. Specifically, we align the dimensions of triggers with images, delimit the trigger's pixel boundaries, and facilitate feature interaction among local triggers trained by each compromised client. Furthermore, leveraging the intra-class attack strategy, we propose the simultaneous generation of backdoor triggers for all target classes, significantly reducing the overall production time for triggers across all target classes and increasing the risk of the federated model being attacked. Experiments demonstrate that our method can not only bypass the detection of defense methods while patch-based methods fail, but also achieve a zero-shot backdoor attack with a success rate of 77.39%. To the best of our knowledge, our work is the first to implement such a zero-shot attack in federated learning. Finally, we evaluate attack performance by varying the trigger's training factors, including poison location, ratio, pixel bound, and trigger training duration (local epochs and communication rounds).

Summary

  • The paper introduces a novel multi-target federated backdoor attack that leverages feature aggregation to align triggers with image features and achieve a 77.39% zero-shot success rate.
  • It employs an intra-class training strategy to generate backdoor triggers for all target classes simultaneously, maintaining model performance on clean data.
  • Experimental validation shows that the proposed approach outperforms traditional methods under varied conditions and bypasses robust defensive mechanisms.

Introduction

The paper, "Multi-Target Federated Backdoor Attack Based on Feature Aggregation" (2502.16545), introduces an advanced technique for executing federated backdoor attacks by leveraging feature aggregation. Traditional federated backdoor attacks typically involve modifying data to implant backdoor triggers without sufficient interaction between trigger patches, which can hinder success rates and fail against robust defensive mechanisms. This paper proposes a new paradigm that aligns trigger dimensions with images, facilitating effective feature interaction among compromised clients to bolster attack efficacy.

Federated Learning Context

Federated learning is a distributed machine learning framework aimed at enhancing privacy, in which a global model is collaboratively trained across multiple client devices without exchanging raw data. Despite its privacy-preserving benefits, this architecture is vulnerable, particularly to adversaries who can conduct poisoning attacks. These attacks are broadly categorized into model poisoning and data poisoning, with backdoor attacks being a prominent subset of targeted attacks. Backdoor attacks introduce triggers during training that induce the trained model to misclassify specific inputs at inference.

Methodology

The study introduces the Multi-Target Federated Backdoor Attack (MT-FBA), which employs feature aggregation to significantly enrich the interaction of triggers across different clients. The approach aligns trigger dimensions with the inputs and bounds pixel modifications within an $\epsilon$ radius to evade detection. Key to this methodology is the intra-class attack strategy, which generates triggers for all target classes simultaneously, thus enhancing the model's susceptibility to being compromised.
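As an added illustration (not code from the paper or its authors), the sketch below shows the detection gap described above from the defender's side: a detector keyed on abrupt pixel changes flags a saturated patch but not an image-sized perturbation held within an $\epsilon$ bound. The image, the $\epsilon$ value, the threshold, the detector and all function names are constructed assumptions, and the perturbation is a fixed checkerboard, not a trained trigger.

```python
# Added illustration, not from the paper. Every value here is constructed.
SIZE = 16
EPS = 4 / 255        # assumed per-pixel bound (L-infinity radius)
THRESHOLD = 0.25     # assumed alert level for the abruptness detector


def clean_image():
    """Constructed smooth grayscale gradient with values in [0.2, 0.8]."""
    return [[0.2 + 0.6 * (r + c) / (2 * (SIZE - 1)) for c in range(SIZE)]
            for r in range(SIZE)]


def with_patch(img, side=3):
    """Overwrite one corner with a saturated square (an untruncated patch)."""
    out = [row[:] for row in img]
    for r in range(side):
        for c in range(side):
            out[r][c] = 1.0
    return out


def with_bounded_perturbation(img, eps=EPS):
    """Image-sized checkerboard change; every pixel moves by at most eps."""
    return [[min(1.0, max(0.0, v + (eps if (r + c) % 2 else -eps)))
             for c, v in enumerate(row)] for r, row in enumerate(img)]


def abruptness(img):
    """Largest absolute difference between adjacent pixels (rows and columns)."""
    horiz = max(abs(row[c] - row[c + 1])
                for row in img for c in range(SIZE - 1))
    vert = max(abs(img[r][c] - img[r + 1][c])
               for r in range(SIZE - 1) for c in range(SIZE))
    return max(horiz, vert)


def linf_distance(a, b):
    """Largest per-pixel deviation between two same-sized images."""
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def flagged(img):
    """True when the image contains an abrupt area above the alert level."""
    return abruptness(img) > THRESHOLD


if __name__ == "__main__":
    base = clean_image()
    for name, img in [("clean", base), ("patch", with_patch(base)),
                      ("bounded", with_bounded_perturbation(base))]:
        print(name, round(abruptness(img), 4), flagged(img))
```
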

Innovations

  1. Feature Aggregation: The alignment of triggers with images is coupled with feature aggregation to enhance the attack's stealth and efficacy. This interaction across local triggers learns an overall distribution, solidifying the backdoor's presence without the need for manually specified trigger characteristics.
  2. Intra-Class Attack: By using an intra-class training strategy, backdoor triggers for all classes are generated simultaneously. This approach multiplies the potential impact of backdoor attacks on the federated model without significantly affecting its performance on clean data.
  3. Zero-Shot Backdoor Attack: The paper achieves a zero-shot backdoor attack with a 77.39% success rate, in which a global backdoor can be executed without the backdoor trigger having been included in any prior training phase. The paper presents this as a first-of-its-kind achievement in federated learning scenarios.

Experimental Validation

The experiments demonstrate that MT-FBA not only bypasses current defense mechanisms effectively but also performs robustly under various training conditions, such as different poison locations, ratios, pixel bounds, and training durations. Comparisons with other federated backdoor attack methods showed superior performance in terms of attack success rate and stealth, underscoring the potency of the feature aggregation approach.

Implications and Future Directions

The introduction of MT-FBA presents significant implications for federated learning security. This strategy underscores the potential need for advanced detection and defense mechanisms that can combat more subtle and well-integrated backdoor attacks. As federated learning continues to be applied in sensitive areas such as healthcare and edge computing, understanding and mitigating such backdoor threats become imperative. The paper suggests an exploration of new defense methods that focus on real-time sample verification during inference, highlighting the evolving nature of adversarial threats and required countermeasures.

Conclusion

In summary, the "Multi-Target Federated Backdoor Attack Based on Feature Aggregation" extends the boundaries of federated learning vulnerabilities by harnessing comprehensive feature aggregation. This approach marks a pivotal step in executing undetectable and potent backdoor attacks across multiple target classes, revealing a crucial dimension to federated learning security overlooked by prior models. It sets a foundation for future research in defense strategies against complex, globalized adversarial threats in distributed learning environments.
