BapFL: You can Backdoor Personalized Federated Learning

Tiandi Ye, Cen Chen, Yinggui Wang, Xiang Li, Ming Gao
DOI: https://doi.org/10.1145/3649316
IF: 4.157
2024-02-23
ACM Transactions on Knowledge Discovery from Data
Abstract: In federated learning (FL), malicious clients could manipulate the predictions of the trained model through backdoor attacks, posing a significant threat to the security of FL systems. Existing research primarily focuses on backdoor attacks and defenses within the generic federated learning scenario, where all clients collaborate to train a single global model. A recent study conducted by Qin et al. [24] marks the initial exploration of backdoor attacks within the personalized federated learning (pFL) scenario, where each client constructs a personalized model based on its local data. Notably, the study demonstrates that pFL methods with parameter decoupling can significantly enhance robustness against backdoor attacks. However, in this paper, we whistleblow that pFL methods with parameter decoupling are still vulnerable to backdoor attacks. The resistance of pFL methods with parameter decoupling is attributed to the heterogeneous classifiers between malicious clients and benign counterparts. We analyze two direct causes of the heterogeneous classifiers: (1) data heterogeneity inherently exists among clients and (2) poisoning by malicious clients further exacerbates the data heterogeneity. To address these issues, we propose a two-pronged attack method, BapFL, which comprises two simple yet effective strategies: (1) poisoning only the feature encoder while keeping the classifier fixed and (2) diversifying the classifier through noise introduction to simulate that of the benign clients. Extensive experiments on three benchmark datasets under varying conditions demonstrate the effectiveness of our proposed attack. Additionally, we evaluate the effectiveness of six widely used defense methods and find that BapFL still poses a significant threat even in the presence of the best defense, Multi-Krum. We hope to inspire further research on attack and defense strategies in pFL scenarios. The code is available at: https://github.com/BapFL/code.
computer science, information systems, software engineering
What problem does this paper attempt to address?
The problem this paper addresses is that, in the personalized federated learning (pFL) scenario, existing pFL methods with parameter decoupling are still vulnerable to backdoor attacks. Although previous research has shown that these methods have a certain resistance to backdoor attacks, this paper points out that this resistance is not sufficient and proposes a new attack method to verify this weakness.

### Problem Background

In Federated Learning (FL), malicious clients can manipulate the predictions of the trained model through backdoor attacks, posing a significant threat to the security of the FL system. Existing research mainly focuses on backdoor attacks and defenses in the general FL scenario, where all clients collaborate to train a single global model. A recent study has shown that in the personalized federated learning (pFL) scenario, pFL methods with parameter decoupling can significantly enhance robustness against backdoor attacks. However, this paper points out that even in this case, pFL methods are still vulnerable to backdoor attacks.

### Main Problem

The main problem of this paper is to reveal and verify the security issues of pFL methods with parameter decoupling when facing backdoor attacks. Specifically:

1. **Identifying Vulnerabilities**: Point out that although pFL methods with parameter decoupling show a certain anti-attack ability in some cases, there are actually still security vulnerabilities.
2. **Proposing an Attack Method**: Design a new backdoor attack method named BapFL to prove the vulnerability of these methods.
3. **Evaluating Defense Measures**: Evaluate the effectiveness of existing defense methods when facing BapFL attacks, further revealing the security challenges in the pFL scenario.

### Solution

To address this problem, the authors propose a two-pronged attack method, BapFL, which mainly includes the following two strategies:

1. **Poisoning Only the Feature Encoder**: By poisoning only the feature encoder while keeping the classifier unchanged, bypass the classifier differences brought by data heterogeneity.
2. **Introducing Noise-Diversified Classifiers**: By introducing noise to the classifier to simulate the classifier behavior of benign clients, thereby improving the generalization ability of the attack.

### Experimental Verification

The authors conducted extensive experiments on three benchmark datasets (MNIST, Fashion-MNIST, and CIFAR-10) to verify the effectiveness of BapFL. The experimental results show that BapFL can achieve a high attack success rate (ASR) under different conditions and is still effective in the presence of multiple defense mechanisms.

### Conclusion

This paper reveals the vulnerability of pFL methods with parameter decoupling when facing backdoor attacks by proposing the BapFL attack method and provides a new direction for future research. It is hoped that this finding can inspire more research on attack and defense strategies in the pFL scenario.

### Related Formulas

Some formulas involved in the article include:

- Model optimization objective:

  \[ \min_{\theta} \sum_{i = 1}^N\frac{1}{|D_i|}L_i(\theta) \]

  where \(L_i(\theta)\) is the empirical risk of client \(i\), and \(\theta\) is the global parameter.

- Optimization objective of BapFL:

  \[ \min_{\theta_1}\sum_{i = 1}^N\tilde{L}_i(\theta,\theta_i+\delta_i),\quad\text{where }\delta_i\sim N(0,\sigma^2) \]

  where \(\tilde{L}_i(\theta,\theta_i + \delta_i)\) represents the loss of model parameters on the poisoned dataset, and \(\delta_i\) is the noise sampled from an isotropic Gaussian distribution.

Through these formulas, the article describes in detail how to achieve effective backdoor attacks by optimizing the objective function.
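
For readers evaluating the defense side, the following added example (not code from the paper or its repository) sketches Multi-Krum, the defense the abstract names as the strongest of those evaluated, applied to the shared feature-encoder updates of one round. It assumes the usual parameter-decoupling setup in which only the encoder is sent to the server; the function names, the flattened-list update format and the sample values are constructed for illustration.

```python
import random

def sq_dist(a, b):
    """Squared Euclidean distance between two flattened updates."""
    return sum((x - y) ** 2 for x, y in zip(a, b))

def multi_krum(updates, f, m):
    """Average the m encoder updates with the lowest Krum scores.

    updates: one flattened shared-encoder update per client
    f: assumed upper bound on malicious clients (Krum needs n >= 2f + 3)
    m: how many updates to keep
    Returns (aggregate, sorted indices of the kept clients).
    """
    n = len(updates)
    if n < 2 * f + 3:
        raise ValueError("Multi-Krum needs n >= 2f + 3 clients")
    if not 1 <= m <= n:
        raise ValueError("m must be between 1 and n")
    scores = []
    for i in range(n):
        dists = sorted(sq_dist(updates[i], updates[j]) for j in range(n) if j != i)
        # Krum score: sum of squared distances to the n - f - 2 nearest updates.
        scores.append(sum(dists[: n - f - 2]))
    kept = sorted(sorted(range(n), key=scores.__getitem__)[:m])
    dim = len(updates[0])
    aggregate = [sum(updates[i][k] for i in kept) / m for k in range(dim)]
    return aggregate, kept

def constructed_round(dim=20, seed=0):
    """Constructed sample: clients 0-7 send similar updates, 8-9 send outliers."""
    rng = random.Random(seed)
    similar = [[0.1 + rng.gauss(0, 0.01) for _ in range(dim)] for _ in range(8)]
    outliers = [[1.0 + rng.gauss(0, 0.01) for _ in range(dim)] for _ in range(2)]
    return similar + outliers

if __name__ == "__main__":
    agg, kept = multi_krum(constructed_round(), f=2, m=8)
    print("kept clients:", kept)
    print("first aggregate coordinates:", [round(v, 3) for v in agg[:3]])
```

The abstract reports that BapFL still poses a significant threat under Multi-Krum, so a clean selection on crude outliers like these says nothing about robustness to that attack; evaluations should also measure attack success rate on the personalized models.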