Venomancer: Towards Imperceptible and Target-on-Demand Backdoor Attacks in Federated Learning
Son Nguyen, Thinh Nguyen, Khoa D Doan, and Kok-Seng Wong

TL;DR
Venomancer introduces an imperceptible, target-on-demand backdoor attack in federated learning, capable of bypassing advanced defenses by using visual loss functions and conditional adversarial training.
Contribution
The paper presents Venomancer, a novel backdoor attack in federated learning that is both imperceptible and target-specific, overcoming limitations of prior methods.
Findings
Effective against multiple state-of-the-art defenses
Imperceptible poison data indistinguishable from original data
Allows attacker to select arbitrary target classes
Abstract
Federated Learning (FL) is a distributed machine learning approach that maintains data privacy by training on decentralized data sources. Similar to centralized machine learning, FL is also susceptible to backdoor attacks, where an attacker can compromise some clients by injecting a backdoor trigger into local models of those clients, leading to the global model's behavior being manipulated as desired by the attacker. Most backdoor attacks in FL assume a predefined target class and require control over a large number of clients or knowledge of benign clients' information. Furthermore, they are not imperceptible and are easily detected by human inspection due to clear artifacts left on the poison data. To overcome these challenges, we propose Venomancer, an effective backdoor attack that is imperceptible and allows target-on-demand. Specifically, imperceptibility is achieved by using a…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Cryptography and Data Security
