Tao Liu,Wu Yang,Chen Xu,Jiguang Lv,Huanran Wang,Yuhang Zhang,Shuchun Xu,Dapeng Man
Abstract:Federated learning, a novel paradigm designed to protect data privacy, is vulnerable to backdoor attacks due to its distributed nature. Current research often designs attacks based on a single attacker with a single backdoor, overlooking more realistic and complex threats in federated learning. We propose a more practical threat model for federated learning: the distributed multi-target backdoor. In this model, multiple attackers control different clients, embedding various triggers and targeting different classes, collaboratively implanting backdoors into the global model via central aggregation. Empirical validation shows that existing methods struggle to maintain the effectiveness of multiple backdoors in the global model. Our key insight is that similar backdoor triggers cause parameter conflicts and injecting new backdoors disrupts gradient directions, significantly weakening some backdoors performance. To solve this, we propose a Distributed Multi-Target Backdoor Attack (DMBA), ensuring efficiency and persistence of backdoors from different malicious clients. To avoid parameter conflicts, we design a multi-channel dispersed frequency trigger strategy to maximize trigger differences. To mitigate gradient interference, we introduce backdoor replay in local training to neutralize conflicting gradients. Extensive validation shows that 30 rounds after the attack, Attack Success Rates of three different backdoors from various clients remain above 93%. The code will be made publicly available after the review period.
What problem does this paper attempt to address?
The problem that this paper attempts to solve is to implement a more practical and complex threat model in federated learning - the distributed multi - target backdoor attack. Specifically, the paper focuses on how multiple attackers can implant multiple triggers by controlling different clients, target different classes, and collaboratively embed backdoors in the global model under the distributed characteristics of federated learning. Existing research is often based on the assumption of a single attacker implanting a single backdoor, ignoring more realistic and complex threat scenarios in the federated learning environment. Therefore, this paper proposes a new distributed multi - target backdoor attack method (DMBA), aiming to improve the efficiency and persistence of backdoor attacks in different malicious clients.
### Main contributions of the paper:
1. **Propose DMBA**: This is a method to implement distributed multi - target backdoor attacks in federated learning, with a practical threat model and a new objective function, suitable for complex attack scenarios. Experiments show that DMBA outperforms three baseline attack methods on various datasets and models, showing stronger persistence and stealth.
2. **Multi - channel dispersed - frequency - block perturbation strategy**: In order to reduce model parameter conflicts caused by highly similar triggers, the paper proposes a triggering strategy based on multi - channel dispersed - frequency - block perturbation. This strategy enhances the discriminability of triggers while maintaining stealth by converting the pixel matrices of different channels to the frequency domain and introducing perturbations in different frequency blocks.
3. **Backdoor replay component**: Inspired by the idea of experience replay in reinforcement learning, the paper introduces a backdoor replay component to guide the backdoor training process of malicious clients. This component allows learning from a small number of previous backdoor samples and training together with new samples, thereby neutralizing conflicting gradients, prolonging the poisoning time, and alleviating the catastrophic forgetting of backdoors.
### Methodology:
1. **New threat model**: The paper simulates complex attack scenarios in federated learning, where multiple attackers control different clients, and each client defines a unique backdoor task, and these backdoors can be injected into the model at different times. The attackers' aim is to effectively inject unique backdoors without affecting the performance of the main task.
2. **Distributed multi - target triggering strategy**: As shown in Figure 2, different attackers select different color channels (R/G/B), convert these channels to the frequency domain, and then introduce slight perturbations in different frequency blocks as triggers. This can avoid significant visual quality loss caused by low - frequency changes while ensuring the uniqueness of the triggers.
3. **Backdoor replay component**: By mixing a small number of different backdoor samples in local training, this component reduces the effects of catastrophic forgetting and gradient - direction interference, improving the persistence of DMBA.
### Experiments and analysis:
- **Experimental setup**: The experiments used three datasets (CIFAR - 10, CIFAR - 100, GTSRB) and three models (ResNet - 18, 4Conv+2fc). Attackers embed triggers in the R/G/B channels respectively and perturb a 3x3 frequency block in the DCT - transformed matrix.
- **Evaluation metrics**: Include attack performance metrics (ACC, ASR, ASR - 30) and trigger stealth metrics (SSIM, LPIPS, PSNR).
- **Results**: The experimental results show that DMBA performs excellently in both attack performance and stealth, with an average ASR exceeding 93%, and even after 30 rounds of attack, the ASR remains above 83%. Compared with other methods, DMBA shows higher stability and persistence in multi - target backdoor attacks.
### Conclusion:
The paper proposes a new distributed multi - target backdoor attack method (DMBA). Through the multi - channel dispersed - frequency - block perturbation strategy and the backdoor replay component, it effectively solves the challenges of multi - target backdoor attacks in federated learning and improves the efficiency and persistence of attacks.