How to Backdoor HyperNetwork in Personalized Federated Learning?
Phung Lai, NhatHai Phan, Issa Khalil, Abdallah Khreishah, Xintao Wu

TL;DR
This paper uncovers backdoor vulnerabilities in HyperNet-based personalized federated learning and introduces a novel attack method, HNTroj, which effectively infects models with minimal compromised clients while remaining stealthy.
Contribution
It presents the first model transferring backdoor attack (HNTroj) for HyperNetFL and evaluates defenses against it, advancing understanding of security risks in personalized federated learning.
Findings
HNTroj outperforms existing poisoning attacks in effectiveness.
HNTroj remains stealthy without degrading model utility.
Robust training algorithms are bypassed by HNTroj even with few compromised clients.
Abstract
This paper explores previously unknown backdoor risks in HyperNet-based personalized federated learning (HyperNetFL) through poisoning attacks. Based upon that, we propose a novel model transferring attack (called HNTroj), i.e., the first of its kind, to transfer a local backdoor infected model to all legitimate and personalized local models, which are generated by the HyperNetFL model, through consistent and effective malicious local gradients computed across all compromised clients in the whole training process. As a result, HNTroj reduces the number of compromised clients needed to successfully launch the attack without any observable signs of sudden shifts or degradation regarding model utility on legitimate data samples, making our attack stealthy. To defend against HNTroj, we adapted several backdoor-resistant FL training algorithms into HyperNetFL. An extensive experiment that is…
Taxonomy
Topics: Privacy-Preserving Technologies in Data
