Xueluan Gong,Yanjiao Chen,Qian Wang,Weihan Kong

DOI: https://doi.org/10.1109/mwc.017.2100714

IF: 12.777

2023-01-01

IEEE Wireless Communications

Abstract:The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.

Yujie Zhang,Neil Gong,Michael K. Reiter

2024-09-10

Abstract:Federated Learning (FL) is a decentralized machine learning method that enables participants to collaboratively train a model without sharing their private data. Despite its privacy and scalability benefits, FL is susceptible to backdoor attacks, where adversaries poison the local training data of a subset of clients using a backdoor trigger, aiming to make the aggregated model produce malicious results when the same backdoor condition is met by an inference-time input. Existing backdoor attacks in FL suffer from common deficiencies: fixed trigger patterns and reliance on the assistance of model poisoning. State-of-the-art defenses based on analyzing clients' model updates exhibit a good defense performance on these attacks because of the significant divergence between malicious and benign client model updates. To effectively conceal malicious model updates among benign ones, we propose DPOT, a backdoor attack strategy in FL that dynamically constructs backdoor objectives by optimizing a backdoor trigger, making backdoor data have minimal effect on model updates. We provide theoretical justifications for DPOT's attacking principle and display experimental results showing that DPOT, via only a data-poisoning attack, effectively undermines state-of-the-art defenses and outperforms existing backdoor attack techniques on various datasets.

Cryptography and Security,Artificial Intelligence,Machine Learning

Pei Fang,Jinghui Chen

DOI: https://doi.org/10.48550/arXiv.2301.08170

2023-01-20

Abstract:Federated Learning (FL) is a popular distributed machine learning paradigm that enables jointly training a global model without sharing clients' data. However, its repetitive server-client communication gives room for backdoor attacks with aim to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack method for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.

Machine Learning,Artificial Intelligence,Cryptography and Security

Xueluan Gong,Yanjiao Chen,Huayang Huang,Yuqing Liao,Shuai Wang,Qian Wang

DOI: https://doi.org/10.1109/mnet.011.2000783

IF: 10.294

2022-01-01

IEEE Network

Abstract:Federated learning enables distributed training of deep learning models among user equipment (UE) to obtain a high-quality global model. A centralized server aggregates the updates submitted by UEs without knowledge of the local training data or process. Despite its privacy preserving merit, we reveal a severe security concern. Malicious UEs can manipulate their training data by injecting a back-door trigger. Thus, the global model that aggregates those malicious updates may make false predictions on the samples with the backdoor trigger. However, the effect of a single backdoor trigger will quickly be diluted by subsequent benign updates. In this work, we present an effective coordinated backdoor attack against federated learning using multiple local triggers; the global trigger consists of various separate local triggers. Moreover, in contrast to using random triggers, we propose using model-dependent triggers (i.e., generated based on local models of attackers) to conduct backdoor attacks. We conduct extensive experiments to assess the effectiveness of our proposed backdoor attacks on MNIST and CIFAR-10 datasets. Experimental results show that our proposed methodology outperforms both coordinated attacks using random triggers and single trigger backdoor attacks in terms of attack success rate. We also show that Byzantine-resilient aggregation methodologies are not robust to our proposed attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yanqi Qiao,Dazhuang Liu,Congwen Chen,Rui Wang,Kaitai Liang

2023-09-29

Abstract:Current backdoor attacks against federated learning (FL) strongly rely on universal triggers or semantic patterns, which can be easily detected and filtered by certain defense mechanisms such as norm clipping, comparing parameter divergences among local updates. In this work, we propose a new stealthy and robust backdoor attack with flexible triggers against FL defenses. To achieve this, we build a generative trigger function that can learn to manipulate the benign samples with an imperceptible flexible trigger pattern and simultaneously make the trigger pattern include the most significant hidden features of the attacker-chosen label. Moreover, our trigger generator can keep learning and adapt across different rounds, allowing it to adjust to changes in the global model. By filling the distinguishable difference (the mapping between the trigger pattern and target label), we make our attack naturally stealthy. Extensive experiments on real-world datasets verify the effectiveness and stealthiness of our attack compared to prior attacks on decentralized learning framework with eight well-studied defenses.

Machine Learning,Cryptography and Security

Hui Zeng,Tongqing Zhou,Xinyi Wu,Zhiping Cai

DOI: https://doi.org/10.1109/srds55811.2022.00017

2022-01-01

Abstract:The privacy-preserving nature of Federated Learning (FL) exposes such a distributed learning paradigm to the planting of backdoors with locally corrupted data. We discover that FL backdoors, under a new on-off multi-shot attack form, are essentially stealthy against existing defenses that are built on model statistics and spectral analysis. First-hand observations of such attacks show that the backdoored models are indistinguishable from normal ones w.r.t. both low-level and high-level representations. We thus emphasize that a critical redemption, if not the only, for the tricky stealthiness is reactive tracing and posterior mitigation. A three-step remedy framework is then proposed by exploring the temporal and inferential correlations of models on a trapped sample from an attack. In particular, we use shift ensemble detection and co-occurrence analysis for adversary identification, and repair the model via malicious ingredients removal under theoretical error guarantee. Extensive experiments on various backdoor settings demonstrate that our framework can achieve accuracy on attack round identification of ∼80% and on attackers of ∼50%, which are ∼28.76% better than existing proactive defenses. Meanwhile, it can successfully eliminate the influence of backdoors with only a 5%∼6% performance drop.

Yihang Lin,Pengyuan Zhou,Zhiqian Wu,Yong Liao

2023-12-18

Abstract:Federated learning allows clients to collaboratively train a global model without uploading raw data for privacy preservation. This feature, i.e., the inability to review participants' datasets, has recently been found responsible for federated learning's vulnerability in the face of backdoor attacks. Existing defense methods fall short from two perspectives: 1) they consider only very specific and limited attacker models and unable to cope with advanced backdoor attacks, such as distributed backdoor attacks, which break down the global trigger into multiple distributed triggers. 2) they conduct detection based on model granularity thus the performance gets impacted by the model dimension. To address these challenges, we propose Federated Layer Detection (FLD), a novel model filtering approach for effectively defending against backdoor attacks. FLD examines the models based on layer granularity to capture the complete model details and effectively detect potential backdoor models regardless of model dimension. We provide theoretical analysis and proof for the convergence of FLD. Extensive experiments demonstrate that FLD effectively mitigates state-of-the-art backdoor attacks with negligible impact on the accuracy of the primary task.

Machine Learning,Cryptography and Security

Eugene Bagdasaryan,Andreas Veit,Yiqing Hua,Deborah Estrin,Vitaly Shmatikov

DOI: https://doi.org/10.48550/arXiv.1807.00459

2018-07-02

Cryptography and Security

Abstract:Federated learning enables thousands of participants to construct a deep learning model without sharing their private training data with each other. For example, multiple smartphones can jointly train a next-word predictor for keyboards without revealing what individual users type. We demonstrate that any participant in federated learning can introduce hidden backdoor functionality into the joint global model, e.g., to ensure that an image classifier assigns an attacker-chosen label to images with certain features, or that a word predictor completes certain sentences with an attacker-chosen word. We design and evaluate a new model-poisoning methodology based on model replacement. An attacker selected in a single round of federated learning can cause the global model to immediately reach 100% accuracy on the backdoor task. We evaluate the attack under different assumptions for the standard federated-learning tasks and show that it greatly outperforms data poisoning. Our generic constrain-and-scale technique also evades anomaly detection-based defenses by incorporating the evasion into the attacker's loss function during training.

Jiawang Liu,Changgen Peng,Weijie Tan,Chenghui Shi

DOI: https://doi.org/10.3390/e26020164

IF: 2.738

2024-02-15

Entropy

Abstract:Federated learning (FL) is a distributed machine learning framework that enables scattered participants to collaboratively train machine learning models without revealing information to other participants. Due to its distributed nature, FL is susceptible to being manipulated by malicious clients. These malicious clients can launch backdoor attacks by contaminating local data or tampering with local model gradients, thereby damaging the global model. However, existing backdoor attacks in distributed scenarios have several vulnerabilities. For example, 1) the triggers in distributed backdoor attacks are mostly visible and easily perceivable by humans; 2) these triggers are mostly applied in the spatial domain, inevitably corrupting the semantic information of the contaminated pixels. To address these issues, this paper introduces a frequency-domain injection-based backdoor attack in FL. Specifically, by performing a Fourier transform, the trigger and the clean image are linearly mixed in the frequency domain, injecting the low-frequency information of the trigger into the clean image while preserving its semantic information. Experiments on multiple image classification datasets demonstrate that the attack method proposed in this paper is stealthier and more effective in FL scenarios compared to existing attack methods.

physics, multidisciplinary

Chenghui Shi,Shouling Ji,Xudong Pan,Xuhong Zhang,Mi Zhang,Min Yang,Jun Zhou,Jianwei Yin,Ting Wang

DOI: https://doi.org/10.1109/tdsc.2024.3376790

2024-01-01

Abstract:Federated Learning (FL) is nowadays one of the most promising paradigms for privacy-preserving distributed learning. Without revealing its local private data to outsiders, a client in FL systems collaborates to build a global Deep Neural Network (DNN) by submitting its local model parameter update to a central server for iterative aggregation. With secure multi-party computation protocols, the submitted update of any client is also by design invisible to the server. Seemingly, this standard design is a win-win for client privacy and service provider utility. Ironically, any attacker may also use manipulated or impersonated client to submit almost any attack payloads under the umbrella of the FL protocol itself. In this work, we craft a practical backdoor attack on FL systems that is proved to be simultaneously effective and stealthy on diverse use cases of FL systems and leading commercial FL platforms in the real world. Basically, we first identify a small number of redundant neurons which tend to be rarely or slightly updated in the model, and then inject backdoor into these redundant neurons instead of the whole model. In this way, our backdoor attack can achieve a high attack success rate with a minor impact on the accuracy of the original task. As countermeasures, we further consider several common technical choices including robust aggregation mechanisms, differential privacy mechanism,s and network pruning. However, none of the defenses show desirable defense capability against our backdoor attack. Our results strongly highlight the vulnerability of existing FL systems against backdoor attacks and the urgent need to develop more effective defense mechanisms.

Ye Liu,Shan Chang,Denghui Li,Shaohuai Shi,Bo Li

DOI: https://doi.org/10.1109/mnet.2024.3486228

IF: 10.294

2024-01-01

IEEE Network

Abstract:Federated Learning (FL) enables privacy-preserving collaborative training and builds a federation through exchanges of immutable data such as model parameters or gradient updates. FL remains vulnerable to a variety of attacks during critical processes like local model training and parameter transmission, in which the backdoor attack is particularly evident. In this paper, we propose a novel backdoor data poisoning attack method, RoPe-Door, using a trigger generation algorithm to improve the robustness and persistence of attacks even under Byzantine aggregation methods. We conduct extensive experiments on four image classification tasks to evaluate the effectiveness of RoPe-Door. The experimental results demonstrate that, compared to backdoor attacks using random triggers, RoPe-Door exhibits significant advantages in robustness, persistence, and attack effectiveness under both IID and Non-IID data settings.

Tuan Nguyen,Dung Thuy Nguyen,Khoa D Doan,Kok-Seng Wong

2024-07-06

Abstract:Despite the promise of Federated Learning (FL) for privacy-preserving model training on distributed data, it remains susceptible to backdoor attacks. These attacks manipulate models by embedding triggers (specific input patterns) in the training data, forcing misclassification as predefined classes during deployment. Traditional single-trigger attacks and recent work on cooperative multiple-trigger attacks, where clients collaborate, highlight limitations in attack realism due to coordination requirements. We investigate a more alarming scenario: non-cooperative multiple-trigger attacks. Here, independent adversaries introduce distinct triggers targeting unique classes. These parallel attacks exploit FL's decentralized nature, making detection difficult. Our experiments demonstrate the alarming vulnerability of FL to such attacks, where individual backdoors can be successfully learned without impacting the main task. This research emphasizes the critical need for robust defenses against diverse backdoor attacks in the evolving FL landscape. While our focus is on empirical analysis, we believe it can guide backdoor research toward more realistic settings, highlighting the crucial role of FL in building robust defenses against diverse backdoor threats. The code is available at \url{https://anonymous.4open.science/r/nba-980F/}.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Qingya Wang,Yi Wu,Haojun Xuan,Huishu Wu

DOI: https://doi.org/10.3390/math12233751

IF: 2.4

2024-11-29

Mathematics

Abstract:Federated Learning (FL) is vulnerable to backdoor attacks in which attackers inject malicious behaviors into the global model. To counter these attacks, existing works mainly introduce sophisticated defenses by analyzing model parameters and utilizing robust aggregation strategies. However, we find that FL systems can still be attacked by exploiting their inherent complexity. In this paper, we propose a novel three-stage backdoor attack strategy named FLARE: A Backdoor Attack to Federated Learning with Refined Evasion, which is designed to operate under the radar of conventional defense strategies. Our proposal begins with a trigger inspection stage to leverage the initial susceptibilities of FL systems, followed by a trigger insertion stage where the synthesized trigger is stealthily embedded at a low poisoning rate. Finally, the trigger is amplified to increase the attack's success rate during the backdoor activation stage. Experiments on the effectiveness of FLARE show significant enhancements in both the stealthiness and success rate of backdoor attacks across multiple federated learning environments. In particular, the success rate of our backdoor attack can be improved by up to 45× compared to existing methods.

mathematics

Xu Dai,Dan Li,Haotong Han,Erfu Wang

DOI: https://doi.org/10.1109/JCICE61382.2024.00041

2024-05-10

Abstract:The widespread adoption of deep learning has led to recurring data security issues. Consequently, there is an even greater need to preserve data privacy, resulting in data becoming increasingly challenging to share and creating what are often referred to as ‘data islands’, which FL effectively addresses. FL, a new deep learning paradigm, enables collaborative model training across multiple terminals distributively, facilitating data sharing and machine learning modeling while ensuring robust data privacy protection. Individual client could be backdoor attacked by poisoning the data. This paper introduces a robust defense method for backdoor attacks based on reverse trigger engineering, model hardening, and attention distillation mechanisms. In this paper, we conduct a lot of experiments on different classical datasets with different settings, and the results demonstrates that the proposed strategy improve robustness by reducing the attack success rate while preserving main task accuracy.

Computer Science

Yuexin Xuan,Xiaojun Chen,Zhendong Zhao,Bisheng Tang,Ye Dong

2023-06-19

Abstract:Federated learning (FL), which aims to facilitate data collaboration across multiple organizations without exposing data privacy, encounters potential security risks. One serious threat is backdoor attacks, where an attacker injects a specific trigger into the training dataset to manipulate the model's prediction. Most existing FL backdoor attacks are based on horizontal federated learning (HFL), where the data owned by different parties have the same features. However, compared to HFL, backdoor attacks on vertical federated learning (VFL), where each party only holds a disjoint subset of features and the labels are only owned by one party, are rarely studied. The main challenge of this attack is to allow an attacker without access to the data labels, to perform an effective attack. To this end, we propose BadVFL, a novel and practical approach to inject backdoor triggers into victim models without label information. BadVFL mainly consists of two key steps. First, to address the challenge of attackers having no knowledge of labels, we introduce a SDD module that can trace data categories based on gradients. Second, we propose a SDP module that can improve the attack's effectiveness by enhancing the decision dependency between the trigger and attack target. Extensive experiments show that BadVFL supports diverse datasets and models, and achieves over 93% attack success rate with only 1% poisoning rate.

Cryptography and Security,Machine Learning

Lucheng Chen,Xiaoshuang Liu,Ailing Wang,Weiwei Zhai,Xiang Cheng

DOI: https://doi.org/10.3390/sym16111497

2024-11-09

Symmetry

Abstract:Federated Learning (FL), as a distributed machine learning framework, can effectively learn symmetric and asymmetric patterns from large-scale participants. However, FL is susceptible to malicious backdoor attacks through attackers injecting triggers into the backdoored model, resulting in backdoor samples being misclassified as target classes. Due to the stealthy nature of backdoor attacks in FL, it is difficult for users to discover the symmetric and asymmetric backdoor properties. Currently, backdoor defense methods in FL cause model performance degradation while reducing backdoors. In addition, some methods will assume the existence of clean samples, which does not match the realistic scenarios. To address such issues, we propose FLSAD, an effective backdoor defense method in FL via self-attention distillation. FLSAD can recover the triggers using an entropy maximization estimator. Based on the recovered triggers, we leverage the self-attention distillation to eliminate the backdoor. Compared with the baseline backdoor defense methods, FLSAD can reduce the success rates of different state-of-the-art backdoor attacks to 2% on four real-world datasets through extensive evaluation.

multidisciplinary sciences

Hongyun Cai,Jiahao Wang,Lijing Gao,Fengyu Li

DOI: https://doi.org/10.1016/j.knosys.2024.111511

IF: 8.139

2024-04-01

Knowledge-Based Systems

Abstract:Federated learning (FL) is susceptible to backdoor attacks, where malicious model updates are covertly inserted into the model’s aggregation process, which can result in inaccurate predictions for certain inputs, compromising the integrity of FL. Existing defenses, which aim to identify and remove potentially poisoned model updates, may incorrectly exclude model updates from benign clients with heterogeneous data even in the absence of an attack, compromising the model’s usability and resulting in unfair treatment of these benign clients. For defense approaches that utilize adaptive model parameter clipping and noise injection, the continuous injection of noise also considerably deteriorates the model’s usability. To address the aforementioned issues, a novel defense named FLMAAcBD ( F ederated L earning M odel A nomalous Ac tivation B ehavior D etection) is proposed, which adopts a backdoor anomaly detection module for the global model and a backdoor removal module for potentially malicious model updates to defend against backdoor attacks. Extensive experiments on three datasets validate that FLMAAcBD can defend against various backdoor attacks. Moreover, compared with the baseline methods, FLMAAcBD has less impact on the model’s usability.

computer science, artificial intelligence

Binbin Ding,Penghui Yang,Zeqing Ge,Shengjun Huang

2024-08-16

Abstract:Federated learning enables multiple clients to collaboratively train machine learning models under the overall planning of the server while adhering to privacy requirements. However, the server cannot directly oversee the local training process, creating an opportunity for malicious clients to introduce backdoors. Existing research shows that backdoor attacks activate specific neurons in the compromised model, which remain dormant when processing clean data. Leveraging this insight, we propose a method called Flipping Weight Updates of Low-Activation Input Neurons (FLAIN) to defend against backdoor attacks in federated learning. Specifically, after completing global training, we employ an auxiliary dataset to identify low-activation input neurons and flip the associated weight updates. We incrementally raise the threshold for low-activation inputs and flip the weight updates iteratively, until the performance degradation on the auxiliary data becomes unacceptable. Extensive experiments validate that our method can effectively reduce the success rate of backdoor attacks to a low level in various attack scenarios including those with non-IID data distribution or high MCRs, causing only minimal performance degradation on clean data.

Machine Learning,Artificial Intelligence

Jinhe Long,Zekai Chen,Fuyi Wang,Jianping Cai,Ximeng Liu

DOI: https://doi.org/10.1109/icme57554.2024.10687918

2024-01-01

Abstract:Federated Learning (FL) enables multiple clients to collaborate in training neural network models while retaining their private data locally. Despite its advantages, FL is vulnerable to backdoor attacks due to its distributed nature. Attackers introduce triggers into the global model, causing it to make specified predictions on inputs containing these triggers. Existing detection or clustering defense methods based on distance and similarity have significant limitations. Methods based on clipping and adding noise can only slightly mitigate the impact of backdoor attacks. To achieve a better defense, we introduce FedCL, a backdoor defense framework that accurately detects backdoor models by assessing the uncertainty of model predictions. Additionally, it employs dynamic clipping to limit model updates’ impact, successfully mitigating backdoor attacks without compromising the global model’s accuracy. The experiments indicate that FedCL moderately improves by 0.01%↑ ∼ 85.78%↑ than the state-of-the-art (SOTA) defense methods, especially in the CIFAR-10 task trained with more complex networks.

Haomin Zhuang,Mingxian Yu,Hao Wang,Yang Hua,Jian Li,Xu Yuan

2024-04-15

Abstract:Federated learning (FL) has been widely deployed to enable machine learning training on sensitive data across distributed devices. However, the decentralized learning paradigm and heterogeneity of FL further extend the attack surface for backdoor attacks. Existing FL attack and defense methodologies typically focus on the whole model. None of them recognizes the existence of backdoor-critical (BC) layers-a small subset of layers that dominate the model vulnerabilities. Attacking the BC layers achieves equivalent effects as attacking the whole model but at a far smaller chance of being detected by state-of-the-art (SOTA) defenses. This paper proposes a general in-situ approach that identifies and verifies BC layers from the perspective of attackers. Based on the identified BC layers, we carefully craft a new backdoor attack methodology that adaptively seeks a fundamental balance between attacking effects and stealthiness under various defense strategies. Extensive experiments show that our BC layer-aware backdoor attacks can successfully backdoor FL under seven SOTA defenses with only 10% malicious clients and outperform the latest backdoor attack methods.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning