What problem does this paper attempt to address?

The problem that this paper attempts to solve is to carry out data poisoning attacks (DPA) in Byzantine - robust federated learning (FL). Specifically, the paper focuses on how to successfully carry out poisoning attacks on Byzantine - robust federated learning systems without unrealistic assumptions. Byzantine - robust federated learning systems resist the influence of malicious clients by using robust aggregation rules, which makes traditional data poisoning attacks difficult to be effective. Therefore, this paper proposes a new method, BadSampler, which utilizes the catastrophic forgetting mechanism to achieve effective attacks on Byzantine - robust federated learning systems. ### Main contributions of the paper 1. **Designed BadSampler**: A clean - label data poisoning attack method for Byzantine - robust federated learning systems. Different from existing attacks, BadSampler only uses clean - label data and induces catastrophic forgetting of the model by changing the sampling order of local data, thereby reducing the generalization ability of the model. 2. **Proposed two optimized adversarial sampling strategies**: - **Top - 𝜅 sampling strategy**: Select samples with higher losses as the candidate pool and extract difficult samples from it for training to maximize the generalization error of the model. - **Meta - sampling strategy**: Utilize the concept of meta - learning and guide sampling by adjusting the histograms of training and validation error distributions to further improve the effectiveness of the attack. 3. **Conducted extensive experimental evaluations**: Conducted experiments on convex and non - convex models on two public datasets and compared with existing defense methods, demonstrating the effectiveness of BadSampler. Experimental results show that BadSampler can significantly reduce the model accuracy of advanced defense methods such as FLTrust. ### Core ideas of the paper - **Utilize catastrophic forgetting**: Through carefully designed adversarial sampling strategies, make the model gradually forget the previously learned knowledge during the training process, thereby reducing its generalization ability. - **Maintain good training behavior**: While inducing catastrophic forgetting, maintain a low training error to avoid being detected by advanced defense mechanisms. - **Adapt to the dynamic training process**: Clients in federated learning are dynamically changing, and BadSampler can adapt to this dynamic nature and perform effective adversarial sampling through different compromised clients. ### Technical details - **Design of sampling strategies**: - **Top - 𝜅 sampling strategy**: Select the top 𝜅 samples with the highest losses as the candidate pool and extract samples from it for training. - **Meta - sampling strategy**: Use the histogram distributions of training and validation errors as meta - states and determine the sampling weight of each sample through the Gaussian function. - **Definition of optimization problems**: - The objective is to maximize the generalization error while minimizing the training error to avoid being filtered out by the defense mechanism. - The formal representation of the optimization problem is: \[ \max_{B'_1, B'_2, \ldots, B'_m} \text{Err}, \] \[ \text{subject to } B' = A(B'_1, B'_2, \ldots, B'_m), \] \[ (x, y) \in D_m, \] \[ \min_{(x, y) \in D_m} E^m_{D_t}. \] - **Theoretical analysis**: - Through theoretical analysis, it is proved that the error upper bound of BadSampler is related to the internal FL parameters and is efficient within the actual parameter range. ### Conclusion This paper successfully realizes data poisoning attacks on Byzantine - robust federated learning systems by introducing the catastrophic forgetting mechanism and designing a new adversarial sampling strategy - BadSampler. Experimental results show that BadSampler can significantly reduce the generalization ability of the model while maintaining good training behavior and has a strong attack effect on existing defense methods.