Sample-Independent Federated Learning Backdoor Attack in Speaker Recognition
Weida Xu, Yang Xu, Sicong Zhang

TL;DR
This paper presents GhostB, a novel backdoor attack method for federated learning in speaker recognition that does not modify samples or rely on dropout, achieving high success rates and analyzing factors affecting its effectiveness.
Contribution
GhostB introduces a sample-independent backdoor attack leveraging neuronal behavior, enhancing stealth and applicability in real-world federated learning scenarios.
Findings
GhostB achieves a 100% success rate in speaker recognition backdoor activation.
The attack remains effective across 1 to 50 ghost neurons.
Neuron dispersion and depth influence attack success, with increased dispersion reducing effectiveness.
Abstract
In federated learning, backdoor attacks embed triggers in the adversarial client's data to inject a backdoor into the model. In order to enhance the stealth, an attack method based on the dropout layer has been proposed, which can implant the backdoor without modifying the sample. However, these methods struggle to covertly utilize dropout in evaluation mode, thus hindering their deployment in real-world scenarios. To address these, this paper introduces GhostB, a novel approach to federated learning backdoor attacks in speaker recognition that neither alters samples nor relies on dropout. This method employs the behavior of neurons producing specific values as triggers. By mapping these neuronal values to categories specified by the adversary, the backdoor is implanted and activated when particular feature values are detected at designated neurons. Our experiments conducted on TIMIT,…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Cryptography and Data Security
