Xueluan Gong,Yanjiao Chen,Qian Wang,Weihan Kong

DOI: https://doi.org/10.1109/mwc.017.2100714

IF: 12.777

2023-01-01

IEEE Wireless Communications

Abstract:The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.

Jie Yang,Jun Zheng,Haochen Wang,Jiaxing Li,Haipeng Sun,Weifeng Han,Nan Jiang,Yu-An Tan

DOI: https://doi.org/10.3390/s23031052

2023-01-17

Abstract:Federated learning has a distributed collaborative training mode, widely used in IoT scenarios of edge computing intelligent services. However, federated learning is vulnerable to malicious attacks, mainly backdoor attacks. Once an edge node implements a backdoor attack, the embedded backdoor mode will rapidly expand to all relevant edge nodes, which poses a considerable challenge to security-sensitive edge computing intelligent services. In the traditional edge collaborative backdoor defense method, only the cloud server is trusted by default. However, edge computing intelligent services have limited bandwidth and unstable network connections, which make it impossible for edge devices to retrain their models or update the global model. Therefore, it is crucial to detect whether the data of edge nodes are polluted in time. This paper proposes a layered defense framework for edge-computing intelligent services. At the edge, we combine the gradient rising strategy and attention self-distillation mechanism to maximize the correlation between edge device data and edge object categories and train a clean model as much as possible. On the server side, we first implement a two-layer backdoor detection mechanism to eliminate backdoor updates and use the attention self-distillation mechanism to restore the model performance. Our results show that the two-stage defense mode is more suitable for the security protection of edge computing intelligent services. It can not only weaken the effectiveness of the backdoor at the edge end but also conduct this defense at the server end, making the model more secure. The precision of our model on the main task is almost the same as that of the clean model.

Yihang Lin,Pengyuan Zhou,Zhiqian Wu,Yong Liao

2023-12-18

Abstract:Federated learning allows clients to collaboratively train a global model without uploading raw data for privacy preservation. This feature, i.e., the inability to review participants' datasets, has recently been found responsible for federated learning's vulnerability in the face of backdoor attacks. Existing defense methods fall short from two perspectives: 1) they consider only very specific and limited attacker models and unable to cope with advanced backdoor attacks, such as distributed backdoor attacks, which break down the global trigger into multiple distributed triggers. 2) they conduct detection based on model granularity thus the performance gets impacted by the model dimension. To address these challenges, we propose Federated Layer Detection (FLD), a novel model filtering approach for effectively defending against backdoor attacks. FLD examines the models based on layer granularity to capture the complete model details and effectively detect potential backdoor models regardless of model dimension. We provide theoretical analysis and proof for the convergence of FLD. Extensive experiments demonstrate that FLD effectively mitigates state-of-the-art backdoor attacks with negligible impact on the accuracy of the primary task.

Machine Learning,Cryptography and Security

Thuy Dung Nguyen,Anh Duy Nguyen,Kok-Seng Wong,Huy Hieu Pham,Thanh Hung Nguyen,Phi Le Nguyen,Truong Thao Nguyen

2023-04-30

Abstract:Federated learning (FL) enables multiple clients to train a model without compromising sensitive data. The decentralized nature of FL makes it susceptible to adversarial attacks, especially backdoor insertion during training. Recently, the edge-case backdoor attack employing the tail of the data distribution has been proposed as a powerful one, raising questions about the shortfall in current defenses' robustness guarantees. Specifically, most existing defenses cannot eliminate edge-case backdoor attacks or suffer from a trade-off between backdoor-defending effectiveness and overall performance on the primary task. To tackle this challenge, we propose FedGrad, a novel backdoor-resistant defense for FL that is resistant to cutting-edge backdoor attacks, including the edge-case attack, and performs effectively under heterogeneous client data and a large number of compromised clients. FedGrad is designed as a two-layer filtering mechanism that thoroughly analyzes the ultimate layer's gradient to identify suspicious local updates and remove them from the aggregation process. We evaluate FedGrad under different attack scenarios and show that it significantly outperforms state-of-the-art defense mechanisms. Notably, FedGrad can almost 100% correctly detect the malicious participants, thus providing a significant reduction in the backdoor effect (e.g., backdoor accuracy is less than 8%) while not reducing the main accuracy on the primary task.

Computer Vision and Pattern Recognition

Pei Fang,Jinghui Chen

DOI: https://doi.org/10.48550/arXiv.2301.08170

2023-01-20

Abstract:Federated Learning (FL) is a popular distributed machine learning paradigm that enables jointly training a global model without sharing clients' data. However, its repetitive server-client communication gives room for backdoor attacks with aim to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. In response to such backdoor threats on federated learning, various defense measures have been proposed. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning in a practical setting by proposing a new federated backdoor attack method for possible countermeasures. Different from traditional training (on triggered data) and rescaling (the malicious client model) based backdoor injection, the proposed backdoor attack framework (1) directly modifies (a small proportion of) local model weights to inject the backdoor trigger via sign flips; (2) jointly optimize the trigger pattern with the client model, thus is more persistent and stealthy for circumventing existing defenses. In a case study, we examine the strength and weaknesses of recent federated backdoor defenses from three major categories and provide suggestions to the practitioners when training federated models in practice.

Machine Learning,Artificial Intelligence,Cryptography and Security

Tao Liu,Wu Yang,Chen Xu,Jiguang Lv,Huanran Wang,Yuhang Zhang,Shuchun Xu,Dapeng Man

2024-11-06

Abstract:Federated learning, a novel paradigm designed to protect data privacy, is vulnerable to backdoor attacks due to its distributed nature. Current research often designs attacks based on a single attacker with a single backdoor, overlooking more realistic and complex threats in federated learning. We propose a more practical threat model for federated learning: the distributed multi-target backdoor. In this model, multiple attackers control different clients, embedding various triggers and targeting different classes, collaboratively implanting backdoors into the global model via central aggregation. Empirical validation shows that existing methods struggle to maintain the effectiveness of multiple backdoors in the global model. Our key insight is that similar backdoor triggers cause parameter conflicts and injecting new backdoors disrupts gradient directions, significantly weakening some backdoors performance. To solve this, we propose a Distributed Multi-Target Backdoor Attack (DMBA), ensuring efficiency and persistence of backdoors from different malicious clients. To avoid parameter conflicts, we design a multi-channel dispersed frequency trigger strategy to maximize trigger differences. To mitigate gradient interference, we introduce backdoor replay in local training to neutralize conflicting gradients. Extensive validation shows that 30 rounds after the attack, Attack Success Rates of three different backdoors from various clients remain above 93%. The code will be made publicly available after the review period.

Computer Vision and Pattern Recognition

Siquan Huang,Yijiang Li,Chong Chen,Leyu Shi,Ying Gao

DOI: https://doi.org/10.1109/iccv51070.2023.00429

2023-01-01

Abstract:The decentralized and privacy-preserving nature of federated learning (FL) makes it vulnerable to backdoor attacks aiming to manipulate the behavior of the resulting model on specific adversary-chosen inputs. However, most existing defenses based on statistical differences take effect only against specific attacks, especially when the malicious gradients are similar to benign ones or the data are highly non-independent and identically distributed (non-IID). In this paper, we revisit the distance-based defense methods and discover that i) Euclidean distance becomes meaningless in high dimensions and ii) malicious gradients with diverse characteristics cannot be identified by a single metric. To this end, we present a simple yet effective defense strategy with multi-metrics and dynamic weighting to identify backdoors adaptively. Furthermore, our novel defense has no reliance on predefined assumptions over attack settings or data distributions and little impact on benign performance. To evaluate the effectiveness of our approach, we conduct comprehensive experiments on different datasets under various attack settings, where our method achieves the best defensive performance. For instance, we achieve the lowest backdoor accuracy of 3.06% under the difficult Edge-case PGD, showing significant superiority over previous defenses. The results also demonstrate that our method can be well-adapted to a wide range of non-IID degrees without sacrificing the benign performance.

Zhou Tan,Jianping Cai,De Li,Puwei Lian,Ximeng Liu,Yan Che

DOI: https://doi.org/10.1016/j.neunet.2024.107016

IF: 7.8

2024-12-13

Neural Networks

Abstract:Federated Learning (FL) is an efficient, distributed machine learning paradigm that enables multiple clients to jointly train high-performance deep learning models while maintaining training data locally. However, due to its distributed computing nature, malicious clients can manipulate the prediction of the trained model through backdoor attacks. Existing defense methods require significant computational and communication overhead during the training or testing phases, limiting their practicality in resource-constrained scenarios and being unsuitable for the Non-IID data distribution typical in general FL scenarios. To address these challenges, we propose the FedPD framework, in which servers and clients exchange prototypes rather than model parameters, preventing the implantation of backdoor channels by malicious clients during FL training and effectively eliminating the success of backdoor attacks at the source, significantly reducing communication overhead. Additionally, prototypes can serve as global knowledge to correct clients' local training. Experiments and performance analysis show that FedPD achieves superior and consistent defense performance compared to existing representative approaches against backdoor attacks. In specific scenarios, FedPD can reduce the success rate of attacks by 90.73% compared to FedAvg without defense while maintaining the main task accuracy above 90%.

computer science, artificial intelligence,neurosciences

Xiaohuan Bi,Xi Li

2024-10-23

Abstract:Federated learning (FL) enables decentralized model training while preserving privacy. Recently, integrating Foundation Models (FMs) into FL has boosted performance but also introduced a novel backdoor attack mechanism. Attackers can exploit the FM's capabilities to embed backdoors into synthetic data generated by FMs used for model fusion, subsequently infecting all client models through knowledge sharing without involvement in the long-lasting FL process. These novel attacks render existing FL backdoor defenses ineffective, as they primarily detect anomalies among client updates, which may appear uniformly malicious under this attack. Our work proposes a novel data-free defense strategy by constraining abnormal activations in the hidden feature space during model aggregation on the server. The activation constraints, optimized using synthetic data alongside FL training, mitigate the attack while barely affecting model performance, as the parameters remain untouched. Extensive experiments demonstrate its effectiveness against both novel and classic backdoor attacks, outperforming existing defenses while maintaining model performance.

Machine Learning,Cryptography and Security

Yein Kim,Huili Chen,Farinaz Koushanfar

DOI: https://doi.org/10.48550/arXiv.2202.11196

2022-02-22

Abstract:The goal of federated learning (FL) is to train one global model by aggregating model parameters updated independently on edge devices without accessing users' private data. However, FL is susceptible to backdoor attacks where a small fraction of malicious agents inject a targeted misclassification behavior in the global model by uploading polluted model updates to the server. In this work, we propose DifFense, an automated defense framework to protect an FL system from backdoor attacks by leveraging differential testing and two-step MAD outlier detection, without requiring any previous knowledge of attack scenarios or direct access to local model parameters. We empirically show that our detection method prevents a various number of potential attackers while consistently achieving the convergence of the global model comparable to that trained under federated averaging (FedAvg). We further corroborate the effectiveness and generalizability of our method against prior defense techniques, such as Multi-Krum and coordinate-wise median aggregation. Our detection method reduces the average backdoor accuracy of the global model to below 4% and achieves a false negative rate of zero.

Cryptography and Security,Machine Learning

Eugene Bagdasaryan,Andreas Veit,Yiqing Hua,Deborah Estrin,Vitaly Shmatikov

DOI: https://doi.org/10.48550/arXiv.1807.00459

2018-07-02

Cryptography and Security

Abstract:Federated learning enables thousands of participants to construct a deep learning model without sharing their private training data with each other. For example, multiple smartphones can jointly train a next-word predictor for keyboards without revealing what individual users type. We demonstrate that any participant in federated learning can introduce hidden backdoor functionality into the joint global model, e.g., to ensure that an image classifier assigns an attacker-chosen label to images with certain features, or that a word predictor completes certain sentences with an attacker-chosen word. We design and evaluate a new model-poisoning methodology based on model replacement. An attacker selected in a single round of federated learning can cause the global model to immediately reach 100% accuracy on the backdoor task. We evaluate the attack under different assumptions for the standard federated-learning tasks and show that it greatly outperforms data poisoning. Our generic constrain-and-scale technique also evades anomaly detection-based defenses by incorporating the evasion into the attacker's loss function during training.

Yuxi Mi,Yiheng Sun,Jihong Guan,Shuigeng Zhou

2023-08-24

Abstract:Federated learning has seen increased adoption in recent years in response to the growing regulatory demand for data privacy. However, the opaque local training process of federated learning also sparks rising concerns about model faithfulness. For instance, studies have revealed that federated learning is vulnerable to backdoor attacks, whereby a compromised participant can stealthily modify the model's behavior in the presence of backdoor triggers. This paper proposes an effective defense against the attack by examining shared model updates. We begin with the observation that the embedding of backdoors influences the participants' local model weights in terms of the magnitude and orientation of their model gradients, which can manifest as distinguishable disparities. We enable a robust identification of backdoors by studying the statistical distribution of the models' subsets of gradients. Concretely, we first segment the model gradients into fragment vectors that represent small portions of model parameters. We then employ anomaly detection to locate the distributionally skewed fragments and prune the participants with the most outliers. We embody the findings in a novel defense method, ARIBA. We demonstrate through extensive analyses that our proposed methods effectively mitigate state-of-the-art backdoor attacks with minimal impact on task utility.

Artificial Intelligence

Chenghui Shi,Shouling Ji,Xudong Pan,Xuhong Zhang,Mi Zhang,Min Yang,Jun Zhou,Jianwei Yin,Ting Wang

DOI: https://doi.org/10.1109/tdsc.2024.3376790

2024-01-01

Abstract:Federated Learning (FL) is nowadays one of the most promising paradigms for privacy-preserving distributed learning. Without revealing its local private data to outsiders, a client in FL systems collaborates to build a global Deep Neural Network (DNN) by submitting its local model parameter update to a central server for iterative aggregation. With secure multi-party computation protocols, the submitted update of any client is also by design invisible to the server. Seemingly, this standard design is a win-win for client privacy and service provider utility. Ironically, any attacker may also use manipulated or impersonated client to submit almost any attack payloads under the umbrella of the FL protocol itself. In this work, we craft a practical backdoor attack on FL systems that is proved to be simultaneously effective and stealthy on diverse use cases of FL systems and leading commercial FL platforms in the real world. Basically, we first identify a small number of redundant neurons which tend to be rarely or slightly updated in the model, and then inject backdoor into these redundant neurons instead of the whole model. In this way, our backdoor attack can achieve a high attack success rate with a minor impact on the accuracy of the original task. As countermeasures, we further consider several common technical choices including robust aggregation mechanisms, differential privacy mechanism,s and network pruning. However, none of the defenses show desirable defense capability against our backdoor attack. Our results strongly highlight the vulnerability of existing FL systems against backdoor attacks and the urgent need to develop more effective defense mechanisms.

Wenhan Chang,Tianqing Zhu

DOI: https://doi.org/10.1016/j.cose.2024.103744

IF: 5.105

2024-02-04

Computers & Security

Abstract:Research on federated learning has continued to develop over the past few years. Many federated learning algorithms and frameworks have been developed to ensure model accuracy and protect client data privacy, which has been extensively beneficial for the development of artificial intelligence security technology. However, it is possible to recover private training data from publicly shared gradients, which is referred to as a data leakage attack. In this paper, we propose two feasible defense methods, based on gradient sparsification and pseudo-gradient, to defend against the state-of-the-art attack methods and achieve maximum protection of the private data of all federated learning participants. Both methods use cosine similarity to measure the angular difference between the gradients updated by the clients during training and the gradients sent back by the server. Taking the cosine similarity as a reference and aiming to protect clients' privacy while maintaining the accuracy of the global model, the clients can choose an appropriate strategy for disguising their uploaded gradient. Through extensive experiments, we demonstrate that both defense methods can protect users' private data while preserving the accuracy of the global model in federated learning.

computer science, information systems

Phillip Rieger,Torsten Krauß,Markus Miettinen,Alexandra Dmitrienko,Ahmad-Reza Sadeghi

DOI: https://doi.org/10.48550/arXiv.2210.07714

2023-08-22

Abstract:Federated Learning (FL) is a promising approach enabling multiple clients to train Deep Neural Networks (DNNs) collaboratively without sharing their local training data. However, FL is susceptible to backdoor (or targeted poisoning) attacks. These attacks are initiated by malicious clients who seek to compromise the learning process by introducing specific behaviors into the learned model that can be triggered by carefully crafted inputs. Existing FL safeguards have various limitations: They are restricted to specific data distributions or reduce the global model accuracy due to excluding benign models or adding noise, are vulnerable to adaptive defense-aware adversaries, or require the server to access local models, allowing data inference attacks. This paper presents a novel defense mechanism, CrowdGuard, that effectively mitigates backdoor attacks in FL and overcomes the deficiencies of existing techniques. It leverages clients' feedback on individual models, analyzes the behavior of neurons in hidden layers, and eliminates poisoned models through an iterative pruning scheme. CrowdGuard employs a server-located stacked clustering scheme to enhance its resilience to rogue client feedback. The evaluation results demonstrate that CrowdGuard achieves a 100% True-Positive-Rate and True-Negative-Rate across various scenarios, including IID and non-IID data distributions. Additionally, CrowdGuard withstands adaptive adversaries while preserving the original performance of protected models. To ensure confidentiality, CrowdGuard uses a secure and privacy-preserving architecture leveraging Trusted Execution Environments (TEEs) on both client and server sides.

Cryptography and Security,Machine Learning

Hanchi Ren,Jingjing Deng,Xianghua Xie,Xiaoke Ma,Jianfeng Ma

DOI: https://doi.org/10.48550/arXiv.2305.04095

2023-05-07

Abstract:Federated Learning (FL) is a widely adopted privacy-preserving machine learning approach where private data remains local, enabling secure computations and the exchange of local model gradients between local clients and third-party parameter servers. However, recent findings reveal that privacy may be compromised and sensitive information potentially recovered from shared gradients. In this study, we offer detailed analysis and a novel perspective on understanding the gradient leakage problem. These theoretical works lead to a new gradient leakage defense technique that secures arbitrary model architectures using a private key-lock module. Only the locked gradient is transmitted to the parameter server for global model aggregation. Our proposed learning method is resistant to gradient leakage attacks, and the key-lock module is designed and trained to ensure that, without the private information of the key-lock module: a) reconstructing private training data from the shared gradient is infeasible; and b) the global model's inference performance is significantly compromised. We discuss the theoretical underpinnings of why gradients can leak private information and provide theoretical proof of our method's effectiveness. We conducted extensive empirical evaluations with a total of forty-four models on several popular benchmarks, demonstrating the robustness of our proposed approach in both maintaining model performance and defending against gradient leakage attacks.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition

Rong Wang,Guichen Zhou,Mingjun Gao,Yunpeng Xiao

2024-04-22

Abstract:In recent years, the neural network backdoor hidden in the parameters of the federated learning model has been proved to have great security risks. Considering the characteristics of trigger generation, data poisoning and model training in backdoor attack, this paper designs a backdoor attack method based on federated learning. Firstly, aiming at the concealment of the backdoor trigger, a TrojanGan steganography model with encoder-decoder structure is designed. The model can encode specific attack information as invisible noise and attach it to the image as a backdoor trigger, which improves the concealment and data transformations of the backdoor trigger.Secondly, aiming at the problem of single backdoor trigger mode, an image poisoning attack method called combination trigger attack is proposed. This method realizes multi-backdoor triggering by multiplexing combined triggers and improves the robustness of backdoor attacks. Finally, aiming at the problem that the local training mechanism leads to the decrease of the success rate of backdoor attack, a dual model replacement backdoor attack algorithm based on federated learning is designed. This method can improve the success rate of backdoor attack while maintaining the performance of the federated learning aggregation model. Experiments show that the attack strategy in this paper can not only achieve high backdoor concealment and diversification of trigger forms under federated learning, but also achieve good attack success rate in multi-target attacks.door concealment and diversification of trigger forms but also achieve good results in multi-target attacks.

Machine Learning

Lu Li,Jiwei Qin,Jintao Luo

DOI: https://doi.org/10.3390/electronics12112500

IF: 2.9

2023-06-02

Electronics

Abstract:Federated learning (FL) is a technique that involves multiple participants who update their local models with private data and aggregate these models using a central server. Unfortunately, central servers are prone to single-point failures during the aggregation process, which leads to data leakage and other problems. Although many studies have shown that a blockchain can solve the single-point failure of servers, blockchains cannot identify or mitigate the effect of backdoor attacks. Therefore, this paper proposes a blockchain-based FL framework for defense against backdoor attacks. The framework utilizes blockchains to record transactions in an immutable distributed ledger network and enables decentralized FL. Furthermore, by incorporating the reverse layer-wise relevance (RLR) aggregation strategy into the participant's aggregation algorithm and adding gradient noise to limit the effectiveness of backdoor attacks, the accuracy of backdoor attacks is substantially reduced. Furthermore, we designed a new proof-of-stake mechanism that considers the historical stakes of participants and the accuracy for selecting the miners of the local model, thereby reducing the stake rewards of malicious participants and motivating them to upload honest model parameters. Our simulation results confirm that, for 10% of malicious participants, the success rate of backdoor injection is reduced by nearly 90% compared to Vanilla FL, and the stake income of malicious devices is the lowest.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zijie Pan,Zuobin Ying,Yajie Wang,Chuan Zhang,Chunhai Li,Liehuang Zhu

DOI: https://doi.org/10.1109/jiot.2024.3438150

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning is a distributed machine learning approach that enables multiple participants to collaboratively train a model without sharing their data, thus preserving privacy. However, the decentralized nature of federated learning also makes it susceptible to backdoor attacks, where malicious participants can embed hidden vulnerabilities within the model. Addressing these threats efficiently and effectively is crucial, especially given the impracticality of iterative and resource-intensive detection methods in federated learning environments. This paper presents a novel framework for one-shot backdoor removal in federated learning. Our approach integrates advanced anomaly detection techniques with a unique model update aggregation strategy, allowing for the identification and neutralization of backdoor influences in a single update cycle without the need for extensive data access or communication between participants. Extensive experiments across various federated architectures and data distributions demonstrate that our method effectively mitigates backdoor threats while maintaining model performance and scalability. This work not only enhances the security of federated models but also contributes to the broader applicability of federated learning in sensitive and critical domains.

Wei Yu,Saier Alharbi,Yifan Guo

DOI: https://doi.org/10.1109/JIOT.2024.3368754

IF: 10.6

2024-06-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices generate massive amounts of data from local devices, making federated learning (FL) a viable distributed machine learning paradigm to learn a global model while keeping private data locally in various IoT systems. However, recent studies show that FL’s decentralized nature makes it susceptible to backdoor attacks. Existing defenses like robust aggregation defenses have reduced attack success rates (ASRs) by identifying significant statistical differences between normal and backdoored models individually. However, these defenses fail to consider the potential collusion among attackers to bypass statistical measures utilized in defenses. In this article, we propose a novel attack approach, called collusive backdoor attacks (CBAs), which bypasses robust aggregation defense by considering both local backdoor training and post-training model manipulations among collusive attackers. Particularly, we introduce a nontrivial perturbation estimation scheme to add manipulations over model update vectors after local backdoor training and use the Gram-Schmidt process to speed up the estimation process. This makes the magnitude of the perturbed poisoned model to the same level as normal models, evading robust aggregation-based defense while maintaining attack efficacy. After that, we provide a pilot study to verify the feasibility of our perturbation estimation scheme, followed by its convergence analysis. By evaluating the attack performance on four representative data sets, our CBA approach maintains high ASRs under benchmark robust aggregation defenses in both independent and identically distributed (IID) and non-IID local data settings. Particularly, it increases the ASR by 126% on average compared to individual backdoor attacks.

Engineering,Computer Science