Xingshuo Han, Xiang Lan, Haozhao Wang, Shengmin Xu, Shen Ren, Jason Zeng, Ming Wu, Michael Heinrich, Tianwei Zhang
Abstract: Federated learning (FL) enables the training of deep learning models on distributed clients to preserve data privacy. However, this learning paradigm is vulnerable to backdoor attacks, where malicious clients can upload poisoned local models to embed backdoors into the global model, leading to attacker-desired predictions. Existing backdoor attacks mainly focus on FL with independently and identically distributed (IID) scenarios, while real-world FL training data are typically non-IID. Current strategies for non-IID backdoor attacks suffer from limitations in maintaining effectiveness and durability. To address these challenges, we propose a novel backdoor attack method, BadSFL, specifically designed for the FL framework using the scaffold aggregation algorithm in non-IID settings. BadSFL leverages a Generative Adversarial Network (GAN) based on the global model to complement the training set, achieving high accuracy on both backdoor and benign samples. It utilizes a specific feature as the backdoor trigger to ensure stealthiness, and exploits the Scaffold's control variate to predict the global model's convergence direction, ensuring the backdoor's persistence. Extensive experiments on three benchmark datasets demonstrate the high effectiveness, stealthiness, and durability of BadSFL. Notably, our attack remains effective over 60 rounds in the global model and up to 3 times longer than existing baseline attacks after stopping the injection of malicious updates.
What problem does this paper attempt to address?
The paper addresses backdoor attacks against Federated Learning (FL) frameworks that use the Scaffold aggregation algorithm when client data are non-independent and identically distributed (non-IID). Existing backdoor attack methods mainly focus on the IID scenario; in the more realistic non-IID scenario, their effectiveness and persistence are limited. To meet this challenge, the paper proposes a new backdoor attack method, BadSFL, designed specifically for the Scaffold Federated Learning (SFL) framework.
### Main problems:
1. **Limitations of existing backdoor attack methods**:
- The existing backdoor attack methods mainly target the IID scenario. In the non-IID scenario, due to the heterogeneity of data distribution, the effectiveness and persistence of these methods are limited.
- Attackers lack a complete understanding of the entire dataset distribution, resulting in a large difference between the generated malicious model and the global model, which is easily detected.
- In the SFL framework, the control variate is used to correct client drift, which makes it difficult for traditional backdoor attack methods to maintain their effectiveness.
2. **Challenges in the non-IID scenario**:
- The heterogeneity of data distribution leads to inconsistency between local models and global models, so attack methods designed for the IID scenario are ineffective when applied directly.
- The existence of the control variate requires attackers to consider how to use or avoid this mechanism to ensure the success of backdoor attacks.
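
How the control variate corrects client drift, as an added example that is not from the paper: two constructed non-IID clients with scalar quadratic losses are trained with plain federated averaging and with Scaffold's local update and control-variate refresh. All names and parameter values are assumptions chosen for illustration.

```python
# Added illustration (not the paper's code): client-drift correction in Scaffold.
# Client i holds the constructed loss f_i(w) = 0.5 * A[i] * (w - B[i])**2, so the
# clients disagree on both the optimum and the curvature (a non-IID toy setting).
A = [0.5, 2.0]    # constructed curvatures
B = [-1.0, 3.0]   # constructed local optima


def global_optimum():
    """Minimiser of the average loss: curvature-weighted mean of local optima."""
    return sum(a * b for a, b in zip(A, B)) / sum(A)


def federated_train(use_scaffold, rounds=100, local_steps=10, lr=0.1):
    """Full-participation training; returns the final global weight."""
    n = len(A)
    x, c = 0.0, 0.0           # global model, server control variate
    c_i = [0.0] * n           # per-client control variates
    for _ in range(rounds):
        delta_y, delta_c = [], []
        for i in range(n):
            y = x
            for _ in range(local_steps):
                grad = A[i] * (y - B[i])
                # Scaffold adds (c - c_i) to steer the local step toward the
                # global descent direction; FedAvg uses the raw local gradient.
                correction = (c - c_i[i]) if use_scaffold else 0.0
                y -= lr * (grad + correction)
            # Control-variate refresh from the net local movement.
            new_c_i = c_i[i] - c + (x - y) / (local_steps * lr)
            delta_y.append(y - x)
            delta_c.append(new_c_i - c_i[i])
            c_i[i] = new_c_i
        x += sum(delta_y) / n                 # server step, global lr = 1
        if use_scaffold:
            c += sum(delta_c) / n
    return x


if __name__ == "__main__":
    print("global optimum:", global_optimum())
    print("FedAvg        :", federated_train(use_scaffold=False))
    print("Scaffold      :", federated_train(use_scaffold=True))
```

With these values, federated averaging settles at a point pulled toward the unweighted mean of the local optima, while the Scaffold run reaches the global optimum.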
### Solutions:
To solve the above problems, the paper proposes the BadSFL attack method, which mainly includes the following aspects:
1. **GAN-assisted data supplementation**:
- Use the Generative Adversarial Network (GAN) to generate samples that simulate data from other clients to supplement the attacker's local dataset. This helps attackers better simulate the global data distribution and improve the attack effect.
2. **Stealthy trigger selection**:
- Select specific features as backdoor triggers to ensure the stealth of the attack. For example, select a specific color or pattern in a certain type of image as the trigger condition.
3. **Utilization of control variate**:
- Use the control variate in SFL to predict the convergence direction of the global model and ensure the persistence of backdoor attacks. Optimizing the control variate makes malicious updates conform more closely to the SFL protocol, thereby avoiding detection.
4. **Optimized attack objective function**:
- Modify the standard backdoor attack objective function and add an extra term to ensure that backdoor updates can persist in future training rounds. The specific formula is as follows:
\[
w^*_p=\arg\min_{w_p}\left[L(D_p, w_p)+L(D_p, P_j(w_p, c))\right]
\]
where \(L\) is the loss function, \(D_p\) is a dataset containing original and synthetic data, \(P_j(w_p, c)\) is the predicted future global model, and \(j\) represents the number of future rounds.
### Experimental verification:
The paper verifies the effectiveness and persistence of BadSFL through experiments on three benchmark datasets: MNIST, CIFAR-10, and CIFAR-100. The experimental results show that BadSFL achieves a backdoor task accuracy of more than 80% within the first 10 rounds, and that the backdoor remains effective for more than 60 rounds after the attacker exits the training process, which is significantly better than the existing baseline attack methods.
### Summary:
The main contribution of the paper is to propose a new backdoor attack method BadSFL for the Scaffold federated learning framework, which solves the limitations of existing attack methods in the non - IID scenario, and verifies its effectiveness and persistence through experiments.