Because of the distributed nature of Federated Learning (FL), researchers have found that FL is vulnerable to backdoor attacks, which aim to inject a sub-task into the FL model without corrupting the performance of the main task. A single-shot backdoor attack achieves high accuracy on both the main task and the backdoor sub-task when injected at FL model convergence. However, an early-injected single-shot backdoor attack is ineffective because: (1) the maximum backdoor effectiveness is not reached at injection because of the dilution effect from normal local updates; (2) the backdoor effect decreases quickly, as the backdoor is overwritten by incoming normal local updates. In this paper, we strengthen the early-injected single-shot backdoor attack by utilizing FL model information leakage. We show that FL convergence can be expedited if the client trains on a dataset that mimics the distribution and gradients of the whole population. Based on this observation, we propose a two-phase backdoor attack, which includes a preliminary phase for the subsequent backdoor attack. In the preliminary phase, the attacker-controlled client first launches a whole population distribution inference attack and then trains on a locally crafted dataset that is aligned with both the gradient and the inferred distribution. Benefiting from the preliminary phase, the later-injected backdoor achieves better effectiveness, as the backdoor effect is less likely to be diluted by the normal model updates. Extensive experiments are conducted on the MNIST dataset under various data heterogeneity settings to evaluate the effectiveness of the proposed backdoor attack. Results show that the proposed backdoor outperforms existing backdoor attacks in both success rate and longevity, even when defense mechanisms are in place.