Backdoor Federated Learning by Poisoning Backdoor-Critical Layers

• URL: http://arxiv.org/abs/2308.04466v3
• Date: Mon, 15 Apr 2024 15:52:41 GMT
• Title: Backdoor Federated Learning by Poisoning Backdoor-Critical Layers
• Authors: Haomin Zhuang, Mingxian Yu, Hao Wang, Yang Hua, Jian Li, Xu Yuan,
• Abstract summary: Federated learning (FL) has been widely deployed to enable machine learning training on sensitive data across distributed devices. This paper proposes a general in-situ approach that identifies and verifies backdoor layers from the perspective of attackers. Based on the identified BC layers, we carefully craft a new backdoor attack methodology that adaptively seeks a fundamental balance between attacking effects and stealthiness under various defense strategies.
• Score: 32.510730902353224
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Federated learning (FL) has been widely deployed to enable machine learning training on sensitive data across distributed devices. However, the decentralized learning paradigm and heterogeneity of FL further extend the attack surface for backdoor attacks. Existing FL attack and defense methodologies typically focus on the whole model. None of them recognizes the existence of backdoor-critical (BC) layers-a small subset of layers that dominate the model vulnerabilities. Attacking the BC layers achieves equivalent effects as attacking the whole model but at a far smaller chance of being detected by state-of-the-art (SOTA) defenses. This paper proposes a general in-situ approach that identifies and verifies BC layers from the perspective of attackers. Based on the identified BC layers, we carefully craft a new backdoor attack methodology that adaptively seeks a fundamental balance between attacking effects and stealthiness under various defense strategies. Extensive experiments show that our BC layer-aware backdoor attacks can successfully backdoor FL under seven SOTA defenses with only 10% malicious clients and outperform the latest backdoor attack methods.

Related papers

• Efficient Backdoor Defense in Multimodal Contrastive Learning: A Token-Level Unlearning Method for Mitigating Threats [52.94388672185062]
  We propose an efficient defense mechanism against backdoor threats using a concept known as machine unlearning. This entails strategically creating a small set of poisoned samples to aid the model's rapid unlearning of backdoor vulnerabilities. In the backdoor unlearning process, we present a novel token-based portion unlearning training regime.
  arXiv  Detail & Related papers  (2024-09-29T02:55:38Z)
• Non-Cooperative Backdoor Attacks in Federated Learning: A New Threat Landscape [7.00762739959285]
  Federated Learning (FL) for privacy-preserving model training remains susceptible to backdoor attacks. This research emphasizes the critical need for robust defenses against diverse backdoor attacks in the evolving FL landscape.
  arXiv  Detail & Related papers  (2024-07-05T22:03:13Z)
• TrojFM: Resource-efficient Backdoor Attacks against Very Large Foundation Models [69.37990698561299]
  TrojFM is a novel backdoor attack tailored for very large foundation models. Our approach injects backdoors by fine-tuning only a very small proportion of model parameters. We demonstrate that TrojFM can launch effective backdoor attacks against widely used large GPT-style models.
  arXiv  Detail & Related papers  (2024-05-27T03:10:57Z)
• SEEP: Training Dynamics Grounds Latent Representation Search for Mitigating Backdoor Poisoning Attacks [53.28390057407576]
  Modern NLP models are often trained on public datasets drawn from diverse sources. Data poisoning attacks can manipulate the model's behavior in ways engineered by the attacker. Several strategies have been proposed to mitigate the risks associated with backdoor attacks.
  arXiv  Detail & Related papers  (2024-05-19T14:50:09Z)
• Does Few-shot Learning Suffer from Backdoor Attacks? [63.9864247424967]
  We show that few-shot learning can still be vulnerable to backdoor attacks. Our method demonstrates a high Attack Success Rate (ASR) in FSL tasks with different few-shot learning paradigms. This study reveals that few-shot learning still suffers from backdoor attacks, and its security should be given attention.
  arXiv  Detail & Related papers  (2023-12-31T06:43:36Z)
• BadCLIP: Dual-Embedding Guided Backdoor Attack on Multimodal Contrastive Learning [85.2564206440109]
  This paper reveals the threats in this practical scenario that backdoor attacks can remain effective even after defenses. We introduce the emphtoolns attack, which is resistant to backdoor detection and model fine-tuning defenses.
  arXiv  Detail & Related papers  (2023-11-20T02:21:49Z)
• Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
  Deep neural networks (DNNs) are vulnerable to backdoor attacks. backdoor attack is an emerging yet threatening training-phase threat. We propose a sparse and invisible backdoor attack (SIBA)
  arXiv  Detail & Related papers  (2023-05-11T10:05:57Z)
• Mitigating Backdoors in Federated Learning with FLD [7.908496863030483]
  Federated learning allows clients to collaboratively train a global model without uploading raw data for privacy preservation. This feature has recently been found responsible for federated learning's vulnerability in the face of backdoor attacks. We propose Federated Layer Detection (FLD), a novel model filtering approach for effectively defending against backdoor attacks.
  arXiv  Detail & Related papers  (2023-03-01T07:54:54Z)
• On the Vulnerability of Backdoor Defenses for Federated Learning [8.345632941376673]
  Federated Learning (FL) is a popular distributed machine learning paradigm that enables jointly training a global model without sharing clients' data. In this paper, we study whether the current defense mechanisms truly neutralize the backdoor threats from federated learning. We propose a new federated backdoor attack method for possible countermeasures.
  arXiv  Detail & Related papers  (2023-01-19T17:02:02Z)
• WaNet -- Imperceptible Warping-based Backdoor Attack [20.289889150949836]
  A third-party model can be poisoned in training to work well in normal conditions but behave maliciously when a trigger pattern appears. In this paper, we propose using warping-based triggers to attack third-party models. The proposed backdoor outperforms the previous methods in a human inspection test by a wide margin, proving its stealthiness.
  arXiv  Detail & Related papers  (2021-02-20T15:25:36Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.