A Knowledge Distillation-Based Backdoor Attack in Federated Learning
- URL: http://arxiv.org/abs/2208.06176v1
- Date: Fri, 12 Aug 2022 08:52:56 GMT
- Title: A Knowledge Distillation-Based Backdoor Attack in Federated Learning
- Authors: Yifan Wang, Wei Fan, Keke Yang, Naji Alhusaini, Jing Li
- Abstract summary: Adversarial Knowledge Distillation (ADVKD) is a method combining knowledge distillation with backdoor attacks in Federated Learning (FL).
We show that ADVKD not only reaches a higher attack success rate, but also successfully bypasses the defenses when other methods fail.
- Score: 9.22321085045949
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Federated Learning (FL) is a novel framework of decentralized machine
learning. Due to its decentralized nature, FL is vulnerable to adversarial
attacks during the training procedure, e.g., backdoor attacks. A backdoor
attack aims to inject a backdoor into the machine learning model such that the
model behaves arbitrarily incorrectly on test samples carrying a specific
backdoor trigger. Even though a range of backdoor attack methods for FL has
been introduced, there are also methods defending against them. Many of the
defending methods exploit the abnormal characteristics of backdoored models or
the difference between backdoored models and regular models. To bypass these
defenses, we need to reduce both the difference and the abnormal
characteristics. We find that one source of such abnormality is that a backdoor
attack directly flips the labels of data when poisoning it. However, current
studies of backdoor attacks in FL do not focus on reducing the difference
between backdoored models and regular models. In this paper, we propose
Adversarial Knowledge Distillation (ADVKD), a method combining knowledge
distillation with backdoor attacks in FL. With knowledge distillation, we can
reduce the abnormal characteristics in the model that result from label
flipping, so the model can bypass the defenses. Compared to current methods,
we show that ADVKD not only reaches a higher attack success rate, but also
successfully bypasses the defenses when other methods fail. To further explore
the performance of ADVKD, we test how its parameters affect performance under
different scenarios. Based on the experimental results, we summarize how to
adjust the parameters for better performance under different scenarios. We
also use several visualization methods to illustrate the effect of different
attacks and explain the effectiveness of ADVKD.
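The abstract's core idea is to replace hard, flipped labels with a teacher model's softened outputs, shrinking the statistical footprint that label flipping leaves in the poisoned model. The standard knowledge-distillation loss that this relies on can be sketched as follows (a minimal NumPy illustration of temperature-scaled distillation only; the paper's actual ADVKD training procedure, teacher construction, and hyperparameters are not reproduced here):

```python
import numpy as np

def softmax(logits, T=1.0):
    """Temperature-scaled softmax; higher T yields softer distributions."""
    z = np.asarray(logits, dtype=float) / T
    z = z - z.max(axis=-1, keepdims=True)  # numerical stability
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)

def distillation_loss(student_logits, teacher_logits, T=2.0):
    """KL divergence between softened teacher and student outputs.

    The T**2 factor keeps gradient magnitudes comparable across
    temperatures, as in standard knowledge distillation.
    """
    p = softmax(teacher_logits, T)  # soft targets replace hard labels
    q = softmax(student_logits, T)
    kl = (p * (np.log(p + 1e-12) - np.log(q + 1e-12))).sum(axis=-1)
    return float(kl.mean() * T * T)
```

When the student matches the teacher exactly the loss is zero, and it grows as the student's distribution diverges, so minimizing it pulls the poisoned model toward teacher-like (less anomalous) outputs instead of hard flipped targets.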
Related papers
- Mitigating Backdoor Attack by Injecting Proactive Defensive Backdoor [63.84477483795964]
Data-poisoning backdoor attacks are serious security threats to machine learning models.
In this paper, we focus on in-training backdoor defense, aiming to train a clean model even when the dataset may be potentially poisoned.
We propose a novel defense approach called PDB (Proactive Defensive Backdoor).
arXiv Detail & Related papers (2024-05-25T07:52:26Z)
- Concealing Backdoor Model Updates in Federated Learning by Trigger-Optimized Data Poisoning [20.69655306650485]
Federated Learning (FL) is a decentralized machine learning method that enables participants to collaboratively train a model without sharing their private data.
Despite its privacy and scalability benefits, FL is susceptible to backdoor attacks.
We propose DPOT, a backdoor attack strategy in FL that dynamically constructs backdoor objectives by optimizing a backdoor trigger.
arXiv Detail & Related papers (2024-05-10T02:44:25Z)
- Does Few-shot Learning Suffer from Backdoor Attacks? [63.9864247424967]
We show that few-shot learning can still be vulnerable to backdoor attacks.
Our method demonstrates a high Attack Success Rate (ASR) in FSL tasks with different few-shot learning paradigms.
This study reveals that few-shot learning still suffers from backdoor attacks, and its security should be given attention.
arXiv Detail & Related papers (2023-12-31T06:43:36Z)
- Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
A backdoor attack is an emerging yet serious training-phase threat.
We propose a sparse and invisible backdoor attack (SIBA).
arXiv Detail & Related papers (2023-05-11T10:05:57Z)
- Mitigating Backdoors in Federated Learning with FLD [7.908496863030483]
Federated learning allows clients to collaboratively train a global model without uploading raw data for privacy preservation.
This feature has recently been found responsible for federated learning's vulnerability to backdoor attacks.
We propose Federated Layer Detection (FLD), a novel model filtering approach for effectively defending against backdoor attacks.
arXiv Detail & Related papers (2023-03-01T07:54:54Z)
- Backdoor Defense via Suppressing Model Shortcuts [91.30995749139012]
In this paper, we explore the backdoor mechanism from the angle of the model structure.
We demonstrate that the attack success rate (ASR) decreases significantly when reducing the outputs of some key skip connections.
arXiv Detail & Related papers (2022-11-02T15:39:19Z)
- FLIP: A Provable Defense Framework for Backdoor Mitigation in Federated Learning [66.56240101249803]
We study how hardening benign clients can affect the global model (and the malicious clients).
We propose a trigger reverse-engineering based defense and show that our method achieves improvement with guaranteed robustness.
Our results on eight competing SOTA defense methods show the empirical superiority of our method on both single-shot and continuous FL backdoor attacks.
arXiv Detail & Related papers (2022-10-23T22:24:03Z)
- A Statistical Difference Reduction Method for Escaping Backdoor Detection [11.226288436817956]
Recent studies show that Deep Neural Networks (DNNs) are vulnerable to backdoor attacks.
Several detection methods have been developed to distinguish backdoored inputs and defend against such attacks.
We propose a Statistical Difference Reduction Method (SDRM) by adding a multi-level MMD constraint to the loss function.
arXiv Detail & Related papers (2021-11-09T12:09:18Z)
- Backdoor Learning Curves: Explaining Backdoor Poisoning Beyond Influence Functions [26.143147923356626]
We study the process of backdoor learning under the lens of incremental learning and influence functions.
We show that the success of backdoor attacks inherently depends on (i) the complexity of the learning algorithm and (ii) the fraction of backdoor samples injected into the training set.
arXiv Detail & Related papers (2021-06-14T08:00:48Z)
- Black-box Detection of Backdoor Attacks with Limited Information and Data [56.0735480850555]
We propose a black-box backdoor detection (B3D) method to identify backdoor attacks with only query access to the model.
In addition to backdoor detection, we also propose a simple strategy for reliable predictions using the identified backdoored models.
arXiv Detail & Related papers (2021-03-24T12:06:40Z)
- Defending against Backdoors in Federated Learning with Robust Learning Rate [25.74681620689152]
Federated learning (FL) allows a set of agents to collaboratively train a model without sharing their potentially sensitive data.
In a backdoor attack, an adversary tries to embed a backdoor functionality to the model during training that can later be activated to cause a desired misclassification.
We propose a lightweight defense that requires minimal change to the FL protocol.
arXiv Detail & Related papers (2020-07-07T23:38:35Z)
This list is automatically generated from the titles and abstracts of the papers in this site.