Backdoor Attacks on Federated Meta-Learning
Chien-Lun Chen, Leana Golubchik, Marco Paolieri

TL;DR
This paper investigates backdoor attacks on federated meta-learning, revealing their high success rate even with minimal data, and proposes a defense mechanism based on similarity matching to mitigate these vulnerabilities.
Contribution
It provides a novel analysis of backdoor attack effects on federated meta-learning and introduces a defense method inspired by matching networks to reduce attack success.
Findings
1-shot backdoor attacks are highly successful and persistent.
The proposed similarity-based defense significantly reduces attack success.
Federated meta-learning remains vulnerable despite adaptation capabilities.
Abstract
Federated learning allows multiple users to collaboratively train a shared classification model while preserving data privacy. This approach, where model updates are aggregated by a central server, was shown to be vulnerable to poisoning backdoor attacks: a malicious user can alter the shared model to arbitrarily classify specific inputs from a given class. In this paper, we analyze the effects of backdoor attacks on federated meta-learning, where users train a model that can be adapted to different sets of output classes using only a few examples. While the ability to adapt could, in principle, make federated learning frameworks more robust to backdoor attacks (when new training examples are benign), we find that even 1-shot attacks can be very successful and persist after additional training. To address these vulnerabilities, we propose a defense mechanism inspired by matching…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Domain Adaptation and Few-Shot Learning
