Dual Model Replacement: invisible Multi-target Backdoor Attack based on Federal Learning
Rong Wang, Guichen Zhou, Mingjun Gao, Yunpeng Xiao

TL;DR
This paper introduces a novel federated learning backdoor attack that uses invisible triggers, multiplexed multi-trigger strategies, and a dual model replacement method to enhance concealment, robustness, and attack success rate.
Contribution
It proposes a new invisible trigger encoding method, a multiplexed multi-trigger attack approach, and a dual model replacement algorithm to improve federated learning backdoor attacks.
Findings
High concealment of backdoor triggers.
Effective multi-target attack success.
Enhanced robustness and success rate.
Abstract
In recent years, the neural network backdoor hidden in the parameters of the federated learning model has been proved to have great security risks. Considering the characteristics of trigger generation, data poisoning and model training in backdoor attack, this paper designs a backdoor attack method based on federated learning. Firstly, aiming at the concealment of the backdoor trigger, a TrojanGan steganography model with encoder-decoder structure is designed. The model can encode specific attack information as invisible noise and attach it to the image as a backdoor trigger, which improves the concealment and data transformations of the backdoor trigger. Secondly, aiming at the problem of single backdoor trigger mode, an image poisoning attack method called combination trigger attack is proposed. This method realizes multi-backdoor triggering by multiplexing combined triggers and…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
