Coordinated Backdoor Attacks against Federated Learning with Model-Dependent Triggers

Gong, Xueluan; Chen, Yanjiao; Huang, Huayang; Liao, Yuqing; Wang, Shuai; Wang, Qian

doi:10.1109/mnet.011.2000783

Cited by 33 publications

(33 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The focus of these attacks is to misclassify client samples by injecting poisoned local models, rather than reconstructing samples from shared models. Poisoning attacks on FL are usually mounted via manipulating either training data [11], [12], [13], [6], [23] or local training process [6], [14], [15], [16] of an edge client. We briefly review related research efforts of poisoning attacks on FL in the following.…”

Section: A Poisoning Attacksmentioning

confidence: 99%

Attacking Distance-aware Attack: Semi-targeted Model Poisoning on Federated Learning

Sun¹,

Ochiai²,

Sakuma³

2023

Preprint

View full text Add to dashboard Cite

<p>Existing model poisoning attacks on federated learning (FL) assume that an adversary has access to the full data distribution. In reality, an adversary usually has limited prior knowledge about clients' data distributions. In such a case, a poorly chosen target class renders an attack less effective. In particular, we considered a semi-targeted situation where the source class is predetermined but the target class is not. The goal is to cause the global classifier to misclassify data of the source class. Approaches such as label flipping have been adopted to inject poisoned parameters into FL. Nevertheless, it has shown that their performances are usually class-sensitive, varying with different target classes applied. Typically, an attack can become less effective when shifting to a different target class. To overcome this challenge, we propose the Attacking Distance-aware Attack (ADA) that enhances a poisoning attack by finding the optimized target class in the feature space. ADA deduces pair-wise distances between classes in the latent feature space using the Fast LAyer gradient MEthod (FLAME). We performed extensive evaluations, varying the attacking frequency in five benchmark image classification tasks with three model architectures. Furthermore, ADA's efficacy was studied under different defense strategies in FL. ADA succeeded in increasing attack performance to 2.8 times in the most challenging case with an attacking frequency of 0.01 and bypassed existing defenses, where differential privacy that was the most effective defense still could not reduce the attack performance to below 50%.</p>

show abstract

Section: A Poisoning Attacksmentioning

confidence: 99%

Attacking Distance-aware Attack: Semi-targeted Model Poisoning on Federated Learning

Sun¹,

Ochiai²,

Sakuma³

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Distributed-trigger: [18] Coordinated-trigger: [59] Model Poisoning Fully poisoning Scaling based: [16] [22] Constraint based: [16] The backdoor attack is first introduced in FL by Bagdasaryan et al [16]. Since then, backdoor attacks have received widespread attention and became the primary security threat in FL.…”

Section: Single-trigger: [65][16][22][66]mentioning

confidence: 99%

“…In this category of attack, no modification is conducted to modify the features of backdoored samples. On the other hand, artificial backdoor attacks [16,18,59] aim to misclassify any poisoned input containing a backdoor trigger. Note that, these backdoored samples are created by artificially inserting triggers into the clean inputs.…”

Section: Techniques For Data Poisoning Attacksmentioning

confidence: 99%

“…In prior techniques, the adversary's chosen trigger is frequently produced independently of the learning model and the learning procedure (e.g., a logo, a sticker, or a pixel perturbation). Therefore, such backdoor attacks do not fully exploit the collaboration between multiple malicious users during the training phase [59]. To address this shortage, [59] newly introduced coordinatedtrigger backdoor attack, in which the adversary leverages a model-dependent trigger to inject the backdoor more efficiently.…”

Section: Artificial Backdoor Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Backdoor Attacks and Defenses in Federated Learning: Survey, Challenges and Future Research Directions

Nguyen¹,

Nguyen²,

Nguyen³

et al. 2023

Preprint

View full text Add to dashboard Cite

Federated learning (FL) is a machine learning (ML) approach that allows the use of distributed data without compromising personal privacy. However, the heterogeneous distribution of data among clients in FL can make it difficult for the orchestration server to validate the integrity of local model updates, making FL vulnerable to various threats, including backdoor attacks. Backdoor attacks involve the insertion of malicious functionality into a targeted model through poisoned updates from malicious clients. These attacks can cause the global model to misbehave on specific inputs while appearing normal in other cases. Backdoor attacks have received significant attention in the literature due to their potential to impact real-world deep learning applications. However, they have not been thoroughly studied in the context of FL. In this survey, we provide a comprehensive survey of current backdoor attack strategies and defenses in FL, including a comprehensive analysis of different approaches. We also discuss the challenges and potential future directions for attacks and defenses in the context of FL.

show abstract

“…For example, adversarial examples 10,11 trick the model into generating false predictions by adding small perturbations to clean training examples. Backdoor attacks, 12,13 which are more stealthy than adversarial attacks, manipulate training data by injecting samples with backdoor triggers. The model will make incorrect predictions on samples with backdoor triggers but will not affect model performance on otherwise normal data.…”

Section: Introductionmentioning

confidence: 99%

Active forgetting via influence estimation for neural networks

Meng

Yang

Liu

et al. 2022

Int J of Intelligent Sys

View full text Add to dashboard Cite

The rapidly exploding of user data, especially applications of neural networks, involves analyzing data collected from individuals, which brings convenience to life. Meanwhile, privacy leakage in the applications 1% and 3% accuracy drop with more than 80% forgetting rate on average for logistic regression models and convolutional neural networks. The accuracy drop is reduced by 2%-3% compared to most state-of-the-art methods.

show abstract

Coordinated Backdoor Attacks against Federated Learning with Model-Dependent Triggers

Cited by 33 publications

References 10 publications

Attacking Distance-aware Attack: Semi-targeted Model Poisoning on Federated Learning

Attacking Distance-aware Attack: Semi-targeted Model Poisoning on Federated Learning

Backdoor Attacks and Defenses in Federated Learning: Survey, Challenges and Future Research Directions

Active forgetting via influence estimation for neural networks

Contact Info

Product

Resources

About