Can You Really Backdoor Federated Learning?
Ziteng Sun, Peter Kairouz, Ananda Theertha Suresh, H. Brendan McMahan

TL;DR
This paper investigates backdoor attacks in federated learning, analyzing their effectiveness and defenses on real-world datasets, and introduces mitigation strategies like norm clipping and differential privacy.
Contribution
It provides a comprehensive study of backdoor attacks and defenses in federated learning, including implementation and open-sourcing of tools for further research.
Findings
Attack success depends on adversary fraction and task complexity
Norm clipping and differential privacy mitigate backdoor attacks
Defense methods do not significantly impair overall model performance
Abstract
The decentralized nature of federated learning makes detecting and defending against adversarial attacks a challenging task. This paper focuses on backdoor attacks in the federated learning setting, where the goal of the adversary is to reduce the performance of the model on targeted tasks while maintaining good performance on the main task. Unlike existing works, we allow non-malicious clients to have correctly labeled samples from the targeted tasks. We conduct a comprehensive study of backdoor attacks and defenses for the EMNIST dataset, a real-life, user-partitioned, and non-iid dataset. We observe that in the absence of defenses, the performance of the attack largely depends on the fraction of adversaries present and the "complexity" of the targeted task. Moreover, we show that norm clipping and "weak" differential privacy mitigate the attacks without hurting the overall…
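The two defenses the abstract names, norm clipping of client updates followed by noisy averaging ("weak" differential privacy), as an added pure-Python sketch that is not the authors' code. The client updates are constructed 2-d vectors, and clip_norm and noise_std are assumed server-side parameters.

```python
import math
import random

def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))

def approx_equal(a, b, tol=1e-9):
    return len(a) == len(b) and all(abs(x - y) <= tol for x, y in zip(a, b))

def clip_update(update, clip_norm):
    """Norm clipping: rescale an update so its L2 norm is at most clip_norm.
    A client cannot move the average by more than clip_norm / n_clients."""
    norm = l2_norm(update)
    if norm == 0.0 or norm <= clip_norm:
        return list(update)
    scale = clip_norm / norm
    return [x * scale for x in update]

def aggregate(updates, clip_norm, noise_std, seed=0):
    """Server step: clip every client update, average, then add Gaussian
    noise to the average (the 'weak DP' aggregation the paper evaluates)."""
    rng = random.Random(seed)
    clipped = [clip_update(u, clip_norm) for u in updates]
    n, dim = len(clipped), len(clipped[0])
    mean = [sum(c[i] for c in clipped) / n for i in range(dim)]
    if noise_std > 0.0:
        mean = [m + rng.gauss(0.0, noise_std) for m in mean]
    return mean

# Constructed sample round: four ordinary clients with small updates and one
# client whose update has a very large norm along a direction the others lack.
BENIGN_UPDATES = [[0.5, 0.0] for _ in range(4)]
OUTLIER_UPDATE = [0.0, 100.0]

if __name__ == "__main__":
    batch = BENIGN_UPDATES + [OUTLIER_UPDATE]
    print("no clipping :", aggregate(batch, float("inf"), 0.0))  # outlier dominates
    print("clip to 1.0 :", aggregate(batch, 1.0, 0.0))           # bounded to 1/5
    print("clip + noise:", aggregate(batch, 1.0, 0.05, seed=1))
```

With clipping, the outlier's contribution to the second coordinate drops from 20.0 to 0.2, i.e. exactly clip_norm / n_clients, regardless of how large the raw update was.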
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Cryptography and Data Security
