Partner in Crime: Boosting Targeted Poisoning Attacks against Federated Learning
Shihua Sun, Shridatt Sugrim, Angelos Stavrou, Haining Wang

TL;DR
This paper introduces BoTPA, a novel pre-training approach that significantly enhances the success rate of targeted poisoning attacks on federated learning models, even under strong defense mechanisms.
Contribution
We propose BoTPA, a generalized pre-training stage that leverages all data points to boost targeted poisoning attacks against federated learning, demonstrating substantial improvements over baseline methods.
Findings
BoTPA increases attack success rate by up to 36.9% in data poisoning scenarios.
BoTPA achieves up to 94.7% relative increase under model poisoning with defenses.
BoTPA is compatible with various targeted poisoning attack methods.
Abstract
Federated Learning (FL) exposes vulnerabilities to targeted poisoning attacks that aim to cause misclassification specifically from the source class to the target class. However, using well-established defense frameworks, the poisoning impact of these attacks can be greatly mitigated. We introduce a generalized pre-training stage approach to Boost Targeted Poisoning Attacks against FL, called BoTPA. Its design rationale is to leverage the model update contributions of all data points, including ones outside of the source and target classes, to construct an Amplifier set, in which we falsify the data labels before the FL training process, as a means to boost attacks. We comprehensively evaluate the effectiveness and compatibility of BoTPA on various targeted poisoning attacks. Under data poisoning attacks, our evaluations reveal that BoTPA can achieve a median Relative Increase in Attack…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
