Xueluan Gong,Yanjiao Chen,Qian Wang,Weihan Kong

DOI: https://doi.org/10.1109/mwc.017.2100714

IF: 12.777

2023-01-01

IEEE Wireless Communications

Abstract:The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.

Tuan Nguyen,Dung Thuy Nguyen,Khoa D Doan,Kok-Seng Wong

2024-07-06

Abstract:Despite the promise of Federated Learning (FL) for privacy-preserving model training on distributed data, it remains susceptible to backdoor attacks. These attacks manipulate models by embedding triggers (specific input patterns) in the training data, forcing misclassification as predefined classes during deployment. Traditional single-trigger attacks and recent work on cooperative multiple-trigger attacks, where clients collaborate, highlight limitations in attack realism due to coordination requirements. We investigate a more alarming scenario: non-cooperative multiple-trigger attacks. Here, independent adversaries introduce distinct triggers targeting unique classes. These parallel attacks exploit FL's decentralized nature, making detection difficult. Our experiments demonstrate the alarming vulnerability of FL to such attacks, where individual backdoors can be successfully learned without impacting the main task. This research emphasizes the critical need for robust defenses against diverse backdoor attacks in the evolving FL landscape. While our focus is on empirical analysis, we believe it can guide backdoor research toward more realistic settings, highlighting the crucial role of FL in building robust defenses against diverse backdoor threats. The code is available at \url{https://anonymous.4open.science/r/nba-980F/}.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Wei Yu,Saier Alharbi,Yifan Guo

DOI: https://doi.org/10.1109/JIOT.2024.3368754

IF: 10.6

2024-06-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices generate massive amounts of data from local devices, making federated learning (FL) a viable distributed machine learning paradigm to learn a global model while keeping private data locally in various IoT systems. However, recent studies show that FL’s decentralized nature makes it susceptible to backdoor attacks. Existing defenses like robust aggregation defenses have reduced attack success rates (ASRs) by identifying significant statistical differences between normal and backdoored models individually. However, these defenses fail to consider the potential collusion among attackers to bypass statistical measures utilized in defenses. In this article, we propose a novel attack approach, called collusive backdoor attacks (CBAs), which bypasses robust aggregation defense by considering both local backdoor training and post-training model manipulations among collusive attackers. Particularly, we introduce a nontrivial perturbation estimation scheme to add manipulations over model update vectors after local backdoor training and use the Gram-Schmidt process to speed up the estimation process. This makes the magnitude of the perturbed poisoned model to the same level as normal models, evading robust aggregation-based defense while maintaining attack efficacy. After that, we provide a pilot study to verify the feasibility of our perturbation estimation scheme, followed by its convergence analysis. By evaluating the attack performance on four representative data sets, our CBA approach maintains high ASRs under benchmark robust aggregation defenses in both independent and identically distributed (IID) and non-IID local data settings. Particularly, it increases the ASR by 126% on average compared to individual backdoor attacks.

Engineering,Computer Science

Tao Liu,Wu Yang,Chen Xu,Jiguang Lv,Huanran Wang,Yuhang Zhang,Shuchun Xu,Dapeng Man

2024-11-06

Abstract:Federated learning, a novel paradigm designed to protect data privacy, is vulnerable to backdoor attacks due to its distributed nature. Current research often designs attacks based on a single attacker with a single backdoor, overlooking more realistic and complex threats in federated learning. We propose a more practical threat model for federated learning: the distributed multi-target backdoor. In this model, multiple attackers control different clients, embedding various triggers and targeting different classes, collaboratively implanting backdoors into the global model via central aggregation. Empirical validation shows that existing methods struggle to maintain the effectiveness of multiple backdoors in the global model. Our key insight is that similar backdoor triggers cause parameter conflicts and injecting new backdoors disrupts gradient directions, significantly weakening some backdoors performance. To solve this, we propose a Distributed Multi-Target Backdoor Attack (DMBA), ensuring efficiency and persistence of backdoors from different malicious clients. To avoid parameter conflicts, we design a multi-channel dispersed frequency trigger strategy to maximize trigger differences. To mitigate gradient interference, we introduce backdoor replay in local training to neutralize conflicting gradients. Extensive validation shows that 30 rounds after the attack, Attack Success Rates of three different backdoors from various clients remain above 93%. The code will be made publicly available after the review period.

Computer Vision and Pattern Recognition

Chenghui Shi,Shouling Ji,Xudong Pan,Xuhong Zhang,Mi Zhang,Min Yang,Jun Zhou,Jianwei Yin,Ting Wang

DOI: https://doi.org/10.1109/tdsc.2024.3376790

2024-01-01

Abstract:Federated Learning (FL) is nowadays one of the most promising paradigms for privacy-preserving distributed learning. Without revealing its local private data to outsiders, a client in FL systems collaborates to build a global Deep Neural Network (DNN) by submitting its local model parameter update to a central server for iterative aggregation. With secure multi-party computation protocols, the submitted update of any client is also by design invisible to the server. Seemingly, this standard design is a win-win for client privacy and service provider utility. Ironically, any attacker may also use manipulated or impersonated client to submit almost any attack payloads under the umbrella of the FL protocol itself. In this work, we craft a practical backdoor attack on FL systems that is proved to be simultaneously effective and stealthy on diverse use cases of FL systems and leading commercial FL platforms in the real world. Basically, we first identify a small number of redundant neurons which tend to be rarely or slightly updated in the model, and then inject backdoor into these redundant neurons instead of the whole model. In this way, our backdoor attack can achieve a high attack success rate with a minor impact on the accuracy of the original task. As countermeasures, we further consider several common technical choices including robust aggregation mechanisms, differential privacy mechanism,s and network pruning. However, none of the defenses show desirable defense capability against our backdoor attack. Our results strongly highlight the vulnerability of existing FL systems against backdoor attacks and the urgent need to develop more effective defense mechanisms.

Yanqi Qiao,Dazhuang Liu,Congwen Chen,Rui Wang,Kaitai Liang

2023-09-29

Abstract:Current backdoor attacks against federated learning (FL) strongly rely on universal triggers or semantic patterns, which can be easily detected and filtered by certain defense mechanisms such as norm clipping, comparing parameter divergences among local updates. In this work, we propose a new stealthy and robust backdoor attack with flexible triggers against FL defenses. To achieve this, we build a generative trigger function that can learn to manipulate the benign samples with an imperceptible flexible trigger pattern and simultaneously make the trigger pattern include the most significant hidden features of the attacker-chosen label. Moreover, our trigger generator can keep learning and adapt across different rounds, allowing it to adjust to changes in the global model. By filling the distinguishable difference (the mapping between the trigger pattern and target label), we make our attack naturally stealthy. Extensive experiments on real-world datasets verify the effectiveness and stealthiness of our attack compared to prior attacks on decentralized learning framework with eight well-studied defenses.

Machine Learning,Cryptography and Security

Haomin Zhuang,Mingxian Yu,Hao Wang,Yang Hua,Jian Li,Xu Yuan

2024-04-15

Abstract:Federated learning (FL) has been widely deployed to enable machine learning training on sensitive data across distributed devices. However, the decentralized learning paradigm and heterogeneity of FL further extend the attack surface for backdoor attacks. Existing FL attack and defense methodologies typically focus on the whole model. None of them recognizes the existence of backdoor-critical (BC) layers-a small subset of layers that dominate the model vulnerabilities. Attacking the BC layers achieves equivalent effects as attacking the whole model but at a far smaller chance of being detected by state-of-the-art (SOTA) defenses. This paper proposes a general in-situ approach that identifies and verifies BC layers from the perspective of attackers. Based on the identified BC layers, we carefully craft a new backdoor attack methodology that adaptively seeks a fundamental balance between attacking effects and stealthiness under various defense strategies. Extensive experiments show that our BC layer-aware backdoor attacks can successfully backdoor FL under seven SOTA defenses with only 10% malicious clients and outperform the latest backdoor attack methods.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Xueluan Gong,Yanjiao Chen,Huayang Huang,Yuqing Liao,Shuai Wang,Qian Wang

DOI: https://doi.org/10.1109/mnet.011.2000783

IF: 10.294

2022-01-01

IEEE Network

Abstract:Federated learning enables distributed training of deep learning models among user equipment (UE) to obtain a high-quality global model. A centralized server aggregates the updates submitted by UEs without knowledge of the local training data or process. Despite its privacy preserving merit, we reveal a severe security concern. Malicious UEs can manipulate their training data by injecting a back-door trigger. Thus, the global model that aggregates those malicious updates may make false predictions on the samples with the backdoor trigger. However, the effect of a single backdoor trigger will quickly be diluted by subsequent benign updates. In this work, we present an effective coordinated backdoor attack against federated learning using multiple local triggers; the global trigger consists of various separate local triggers. Moreover, in contrast to using random triggers, we propose using model-dependent triggers (i.e., generated based on local models of attackers) to conduct backdoor attacks. We conduct extensive experiments to assess the effectiveness of our proposed backdoor attacks on MNIST and CIFAR-10 datasets. Experimental results show that our proposed methodology outperforms both coordinated attacks using random triggers and single trigger backdoor attacks in terms of attack success rate. We also show that Byzantine-resilient aggregation methodologies are not robust to our proposed attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Hui Zeng,Tongqing Zhou,Xinyi Wu,Zhiping Cai

DOI: https://doi.org/10.1109/srds55811.2022.00017

2022-01-01

Abstract:The privacy-preserving nature of Federated Learning (FL) exposes such a distributed learning paradigm to the planting of backdoors with locally corrupted data. We discover that FL backdoors, under a new on-off multi-shot attack form, are essentially stealthy against existing defenses that are built on model statistics and spectral analysis. First-hand observations of such attacks show that the backdoored models are indistinguishable from normal ones w.r.t. both low-level and high-level representations. We thus emphasize that a critical redemption, if not the only, for the tricky stealthiness is reactive tracing and posterior mitigation. A three-step remedy framework is then proposed by exploring the temporal and inferential correlations of models on a trapped sample from an attack. In particular, we use shift ensemble detection and co-occurrence analysis for adversary identification, and repair the model via malicious ingredients removal under theoretical error guarantee. Extensive experiments on various backdoor settings demonstrate that our framework can achieve accuracy on attack round identification of ∼80% and on attackers of ∼50%, which are ∼28.76% better than existing proactive defenses. Meanwhile, it can successfully eliminate the influence of backdoors with only a 5%∼6% performance drop.

Qingya Wang,Yi Wu,Haojun Xuan,Huishu Wu

DOI: https://doi.org/10.3390/math12233751

IF: 2.4

2024-11-29

Mathematics

Abstract:Federated Learning (FL) is vulnerable to backdoor attacks in which attackers inject malicious behaviors into the global model. To counter these attacks, existing works mainly introduce sophisticated defenses by analyzing model parameters and utilizing robust aggregation strategies. However, we find that FL systems can still be attacked by exploiting their inherent complexity. In this paper, we propose a novel three-stage backdoor attack strategy named FLARE: A Backdoor Attack to Federated Learning with Refined Evasion, which is designed to operate under the radar of conventional defense strategies. Our proposal begins with a trigger inspection stage to leverage the initial susceptibilities of FL systems, followed by a trigger insertion stage where the synthesized trigger is stealthily embedded at a low poisoning rate. Finally, the trigger is amplified to increase the attack's success rate during the backdoor activation stage. Experiments on the effectiveness of FLARE show significant enhancements in both the stealthiness and success rate of backdoor attacks across multiple federated learning environments. In particular, the success rate of our backdoor attack can be improved by up to 45× compared to existing methods.

mathematics

Pei Fang,Jinghui Chen

DOI: https://doi.org/10.48550/arXiv.2301.08170

2023-01-20

Abstract:Federated Learning (FL) is a popular distributed machine learning paradigm that enables jointly training a global model without sharing clients' data. However, its repetitive server-client communication gives room for backdoor attacks with aim to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack method for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.

Machine Learning,Artificial Intelligence,Cryptography and Security

Minyeong Choe,Cheolhee Park,Changho Seo,Hyunil Kim

2024-09-23

Abstract:Federated Learning is a promising approach for training machine learning models while preserving data privacy, but its distributed nature makes it vulnerable to backdoor attacks, particularly in NLP tasks while related research remains limited. This paper introduces SDBA, a novel backdoor attack mechanism designed for NLP tasks in FL environments. Our systematic analysis across LSTM and GPT-2 models identifies the most vulnerable layers for backdoor injection and achieves both stealth and long-lasting durability through layer-wise gradient masking and top-k% gradient masking within these layers. Experiments on next token prediction and sentiment analysis tasks show that SDBA outperforms existing backdoors in durability and effectively bypasses representative defense mechanisms, with notable performance in LLM such as GPT-2. These results underscore the need for robust defense strategies in NLP-based FL systems.

Machine Learning,Cryptography and Security

Xingshuo Han,Xiang Lan,Haozhao Wang,Shengmin Xu,Shen Ren,Jason Zeng,Ming Wu,Michael Heinrich,Tianwei Zhang

2024-11-25

Abstract:Federated learning (FL) enables the training of deep learning models on distributed clients to preserve data privacy. However, this learning paradigm is vulnerable to backdoor attacks, where malicious clients can upload poisoned local models to embed backdoors into the global model, leading to attacker-desired predictions. Existing backdoor attacks mainly focus on FL with independently and identically distributed (IID) scenarios, while real-world FL training data are typically non-IID. Current strategies for non-IID backdoor attacks suffer from limitations in maintaining effectiveness and durability. To address these challenges, we propose a novel backdoor attack method, \name, specifically designed for the FL framework using the scaffold aggregation algorithm in non-IID settings. \name leverages a Generative Adversarial Network (GAN) based on the global model to complement the training set, achieving high accuracy on both backdoor and benign samples. It utilizes a specific feature as the backdoor trigger to ensure stealthiness, and exploits the Scaffold's control variate to predict the global model's convergence direction, ensuring the backdoor's persistence. Extensive experiments on three benchmark datasets demonstrate the high effectiveness, stealthiness, and durability of \name. Notably, our attack remains effective over 60 rounds in the global model and up to 3 times longer than existing baseline attacks after stopping the injection of malicious updates.

Machine Learning

Xiaoting Lyu,Yufei Han,Wei Wang,Jingkai Liu,Yongsheng Zhu,Guangquan Xu,Jiqiang Liu,Xiangliang Zhang

2024-06-10

Abstract:Federated Learning (FL) is a collaborative machine learning technique where multiple clients work together with a central server to train a global model without sharing their private data. However, the distribution shift across non-IID datasets of clients poses a challenge to this one-model-fits-all method hindering the ability of the global model to effectively adapt to each client's unique local data. To echo this challenge, personalized FL (PFL) is designed to allow each client to create personalized local models tailored to their private data. While extensive research has scrutinized backdoor risks in FL, it has remained underexplored in PFL applications. In this study, we delve deep into the vulnerabilities of PFL to backdoor attacks. Our analysis showcases a tale of two cities. On the one hand, the personalization process in PFL can dilute the backdoor poisoning effects injected into the personalized local models. Furthermore, PFL systems can also deploy both server-end and client-end defense mechanisms to strengthen the barrier against backdoor attacks. On the other hand, our study shows that PFL fortified with these defense methods may offer a false sense of security. We propose \textit{PFedBA}, a stealthy and effective backdoor attack strategy applicable to PFL systems. \textit{PFedBA} ingeniously aligns the backdoor learning task with the main learning task of PFL by optimizing the trigger generation process. Our comprehensive experiments demonstrate the effectiveness of \textit{PFedBA} in seamlessly embedding triggers into personalized local models. \textit{PFedBA} yields outstanding attack performance across 10 state-of-the-art PFL algorithms, defeating the existing 6 defense mechanisms. Our study sheds light on the subtle yet potent backdoor threats to PFL systems, urging the community to bolster defenses against emerging backdoor challenges.

Machine Learning,Cryptography and Security

Tao Liu,Yuhang Zhang,Zhu Feng,Zhiqin Yang,Chen Xu,Dapeng Man,Wu Yang

2024-04-26

Abstract:Backdoors on federated learning will be diluted by subsequent benign updates. This is reflected in the significant reduction of attack success rate as iterations increase, ultimately failing. We use a new metric to quantify the degree of this weakened backdoor effect, called attack persistence. Given that research to improve this performance has not been widely noted,we propose a Full Combination Backdoor Attack (FCBA) method. It aggregates more combined trigger information for a more complete backdoor pattern in the global model. Trained backdoored global model is more resilient to benign updates, leading to a higher attack success rate on the test set. We test on three datasets and evaluate with two models across various settings. FCBA's persistence outperforms SOTA federated learning backdoor attacks. On GTSRB, postattack 120 rounds, our attack success rate rose over 50% from baseline. The core code of our method is available at

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Yongkang Wang,Di-Hua Zhai,Dongyu Han,Yuyin Guan,Yuanqing Xia

DOI: https://doi.org/10.1109/jiot.2023.3325634

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is widely used in the Internet of Things (IoT) systems. However, FL is susceptible to backdoor attacks due to its inherently distributed and privacy-preserving nature. Existing studies assume that backdoor triggers on different malicious clients are universal, and most defense algorithms are designed to counter backdoor attacks based on this assumption. Recently, dynamic backdoor attacks have been proposed to undermine robust algorithms in centralized machine learning. We introduce dynamic backdoor attacks into the FL system and develop three types of dynamic backdoors named Aggregation, Single, and Continuous to target the FL system. To defend against such attacks, we propose a novel robust algorithm called MITDBA, which utilizes gramian information to capture high-order representations, then employs spectral signatures to detect and remove malicious clients, finally utilizes clipping operations to filter the selected local models during the aggregation process. We conduct attack and defense experiments on MNIST, CIFAR-10, and GTSRB datasets. The experimental results demonstrate that our designed attack strategies can successfully insert dynamic backdoors into the global model, bypassing the existing state-of-the-art defenses, but these attacks can be effectively mitigated by MITDBA.

Ye Liu,Shan Chang,Denghui Li,Shaohuai Shi,Bo Li

DOI: https://doi.org/10.1109/mnet.2024.3486228

IF: 10.294

2024-01-01

IEEE Network

Abstract:Federated Learning (FL) enables privacy-preserving collaborative training and builds a federation through exchanges of immutable data such as model parameters or gradient updates. FL remains vulnerable to a variety of attacks during critical processes like local model training and parameter transmission, in which the backdoor attack is particularly evident. In this paper, we propose a novel backdoor data poisoning attack method, RoPe-Door, using a trigger generation algorithm to improve the robustness and persistence of attacks even under Byzantine aggregation methods. We conduct extensive experiments on four image classification tasks to evaluate the effectiveness of RoPe-Door. The experimental results demonstrate that, compared to backdoor attacks using random triggers, RoPe-Door exhibits significant advantages in robustness, persistence, and attack effectiveness under both IID and Non-IID data settings.

Yujie Zhang,Neil Gong,Michael K. Reiter

2024-09-10

Abstract:Federated Learning (FL) is a decentralized machine learning method that enables participants to collaboratively train a model without sharing their private data. Despite its privacy and scalability benefits, FL is susceptible to backdoor attacks, where adversaries poison the local training data of a subset of clients using a backdoor trigger, aiming to make the aggregated model produce malicious results when the same backdoor condition is met by an inference-time input. Existing backdoor attacks in FL suffer from common deficiencies: fixed trigger patterns and reliance on the assistance of model poisoning. State-of-the-art defenses based on analyzing clients' model updates exhibit a good defense performance on these attacks because of the significant divergence between malicious and benign client model updates. To effectively conceal malicious model updates among benign ones, we propose DPOT, a backdoor attack strategy in FL that dynamically constructs backdoor objectives by optimizing a backdoor trigger, making backdoor data have minimal effect on model updates. We provide theoretical justifications for DPOT's attacking principle and display experimental results showing that DPOT, via only a data-poisoning attack, effectively undermines state-of-the-art defenses and outperforms existing backdoor attack techniques on various datasets.

Cryptography and Security,Artificial Intelligence,Machine Learning

Xu Dai,Dan Li,Haotong Han,Erfu Wang

DOI: https://doi.org/10.1109/JCICE61382.2024.00041

2024-05-10

Abstract:The widespread adoption of deep learning has led to recurring data security issues. Consequently, there is an even greater need to preserve data privacy, resulting in data becoming increasingly challenging to share and creating what are often referred to as ‘data islands’, which FL effectively addresses. FL, a new deep learning paradigm, enables collaborative model training across multiple terminals distributively, facilitating data sharing and machine learning modeling while ensuring robust data privacy protection. Individual client could be backdoor attacked by poisoning the data. This paper introduces a robust defense method for backdoor attacks based on reverse trigger engineering, model hardening, and attention distillation mechanisms. In this paper, we conduct a lot of experiments on different classical datasets with different settings, and the results demonstrates that the proposed strategy improve robustness by reducing the attack success rate while preserving main task accuracy.

Computer Science

Yongkang Wang,Dihua Zhai,Yufeng Zhan,Yuanqing Xia

DOI: https://doi.org/10.48550/arxiv.2201.03772

2022-01-01

Abstract: Federated learning (FL) is a distributed machine learning paradigm where enormous scattered clients (e.g. mobile devices or IoT devices) collaboratively train a model under the orchestration of a central server (e.g. service provider), while keeping the training data decentralized. Unfortunately, FL is susceptible to a variety of attacks, including backdoor attack, which is made substantially worse in the presence of malicious attackers. Most of algorithms usually assume that the malicious at tackers no more than benign clients or the data distribution is independent identically distribution (IID). However, no one knows the number of malicious attackers and the data distribution is usually non identically distribution (Non-IID). In this paper, we propose RFLBAT which utilizes principal component analysis (PCA) technique and Kmeans clustering algorithm to defend against backdoor attack. Our algorithm RFLBAT does not bound the number of backdoored attackers and the data distribution, and requires no auxiliary information outside of the learning process. We conduct extensive experiments including a variety of backdoor attack types. Experimental results demonstrate that RFLBAT outperforms the existing state-of-the-art algorithms and is able to resist various backdoor attack scenarios including different number of attackers (DNA), different Non-IID scenarios (DNS), different number of clients (DNC) and distributed backdoor attack (DBA).