SDBA: A Stealthy and Long-Lasting Durable Backdoor Attack in Federated Learning

TL;DR

This paper presents SDBA, a novel backdoor attack in federated learning for NLP, demonstrating high durability and stealth across models like LSTM, GPT-2, and T5, and bypassing defenses.

Contribution

Introduces SDBA, a new backdoor attack method for NLP in federated learning, with layer-wise gradient masking for enhanced stealth and durability.

Findings

SDBA outperforms existing backdoors in durability.

SDBA effectively bypasses defense mechanisms.

Demonstrates success across multiple NLP tasks and models.

Abstract

Federated learning is a promising approach for training machine learning models while preserving data privacy. However, its distributed nature makes it vulnerable to backdoor attacks, particularly in NLP tasks, where related research remains limited. This paper introduces SDBA, a novel backdoor attack mechanism designed for NLP tasks in federated learning environments. Through a systematic analysis across LSTM and GPT-2 models, we identify the most vulnerable layers for backdoor injection and achieve both stealth and long-lasting durability by applying layer-wise gradient masking and top-k% gradient masking. Also, to evaluate the task generalizability of SDBA, we additionally conduct experiments on the T5 model. Experiments on next-token prediction, sentiment analysis, and question answering tasks show that SDBA outperforms existing backdoors in terms of durability and effectively bypasses representative defense mechanisms, demonstrating notable performance in transformer-based models such as GPT-2. These results highlight the urgent need for robust defense strategies in NLP-based federated learning systems.