Learning to Backdoor Federated Learning
Henger Li, Chen Wu, Sencun Zhu, Zizhan Zheng

TL;DR
This paper introduces a reinforcement learning-based backdoor attack framework for federated learning that is adaptive, flexible, and durable, and that remains effective against state-of-the-art defenses and mitigation methods.
Contribution
It presents a novel RL-based attack method that learns a non-myopic policy using a simulator, significantly advancing the effectiveness of backdoor attacks in federated learning.
Findings
The attack outperforms existing methods against defenses.
The attack remains effective under various defense strategies.
The framework demonstrates high adaptability and durability.
Abstract
In a federated learning (FL) system, malicious participants can easily embed backdoors into the aggregated model while maintaining the model's performance on the main task. To this end, various defenses, including training stage aggregation-based defenses and post-training mitigation defenses, have been proposed recently. While these defenses obtain reasonable performance against existing backdoor attacks, which are mainly heuristics based, we show that they are insufficient in the face of more advanced attacks. In particular, we propose a general reinforcement learning-based backdoor attack framework where the attacker first trains a (non-myopic) attack policy using a simulator built upon its local data and common knowledge on the FL system, which is then applied during actual FL training. Our attack framework is both adaptive and flexible and achieves strong attack performance and…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
