Attack of the Tails: Yes, You Really Can Backdoor Federated Learning

TL;DR

This paper demonstrates that federated learning models are vulnerable to backdoor attacks, especially edge-case backdoors that exploit tail inputs, and shows that defending against such attacks is theoretically and practically challenging.

Contribution

The work introduces a new class of edge-case backdoor attacks in federated learning and provides theoretical evidence that detecting or defending against them is computationally hard.

Findings

Edge-case backdoors can cause misclassification on unlikely inputs.

Robustness to backdoors implies vulnerability to adversarial examples.

Detecting backdoors is computationally infeasible under certain assumptions.

Abstract

Due to its decentralized nature, Federated Learning (FL) lends itself to adversarial attacks in the form of backdoors during training. The goal of a backdoor is to corrupt the performance of the trained model on specific sub-tasks (e.g., by classifying green cars as frogs). A range of FL backdoor attacks have been introduced in the literature, but also methods to defend against them, and it is currently an open question whether FL systems can be tailored to be robust against backdoors. In this work, we provide evidence to the contrary. We first establish that, in the general case, robustness to backdoors implies model robustness to adversarial examples, a major open problem in itself. Furthermore, detecting the presence of a backdoor in a FL model is unlikely assuming first order oracles or polynomial time. We couple our theoretical results with a new family of backdoor attacks, which we refer to as edge-case backdoors. An edge-case backdoor forces a model to misclassify on seemingly easy inputs that are however unlikely to be part of the training, or test data, i.e., they live on the tail of the input distribution. We explain how these edge-case backdoors can lead to unsavory failures and may have serious repercussions on fairness, and exhibit that with careful tuning at the side of the adversary, one can insert them across a range of machine learning tasks (e.g., image classification, OCR, text prediction, sentiment analysis).