Concealing Backdoor Model Updates in Federated Learning by Trigger-Optimized Data Poisoning
Yujie Zhang, Neil Gong, Michael K. Reiter

TL;DR
This paper introduces DPOT, a novel backdoor attack in federated learning that uses trigger optimization to effectively conceal malicious updates, bypassing existing defenses and outperforming prior methods.
Contribution
The paper presents DPOT, a data-poisoning based backdoor attack that dynamically optimizes triggers to hide malicious updates in federated learning.
Findings
DPOT effectively bypasses state-of-the-art defenses.
DPOT outperforms existing backdoor attack techniques.
Theoretical analysis supports DPOT's effectiveness.
Abstract
Federated Learning (FL) is a decentralized machine learning method that enables participants to collaboratively train a model without sharing their private data. Despite its privacy and scalability benefits, FL is susceptible to backdoor attacks, where adversaries poison the local training data of a subset of clients using a backdoor trigger, aiming to make the aggregated model produce malicious results when the same backdoor condition is met by an inference-time input. Existing backdoor attacks in FL suffer from common deficiencies: fixed trigger patterns and reliance on the assistance of model poisoning. State-of-the-art defenses based on analyzing clients' model updates exhibit a good defense performance on these attacks because of the significant divergence between malicious and benign client model updates. To effectively conceal malicious model updates among benign ones, we propose…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Cryptography and Data Security
