Mind the Cost of Scaffold! Benign Clients May Even Become Accomplices of Backdoor Attack

TL;DR

This paper reveals that the Scaffold algorithm in federated learning, while improving performance, introduces security vulnerabilities by enabling backdoor attacks that covertly involve benign clients, leading to persistent malicious effects.

Contribution

The paper introduces BadSFL, the first backdoor attack targeting Scaffold, which exploits control variates to covertly turn benign clients into attack accomplices, enhancing attack persistence.

Findings

BadSFL maintains attack effectiveness over 60 rounds.

It outperforms existing baselines by up to three times in longevity.

The attack remains stealthy while achieving high accuracy on backdoored samples.

Abstract

By using a control variate to calibrate the local gradient of each client, Scaffold has been widely known as a powerful solution to mitigate the impact of data heterogeneity in Federated Learning. Although Scaffold achieves significant performance improvements, we show that this superiority is at the cost of increased security vulnerabilities. Specifically, this paper presents BadSFL, the first backdoor attack targeting Scaffold, which turns benign clients into accomplices to amplify the attack effect. The core idea of BadSFL is to uniquely tamper with the control variate to subtly steer benign clients' local gradient updates towards the attacker's poisoned direction, effectively turning them into unwitting accomplices and significantly enhancing the backdoor persistence. Additionally, BadSFL leverages a GAN-enhanced poisoning strategy to enrich the attacker's dataset, maintaining high accuracy on both benign and backdoored samples while remaining stealthy. Extensive experiments demonstrate that BadSFL achieves superior attack durability, maintaining effectiveness for over 60 global rounds, lasting up to three times longer than existing baselines even after ceasing malicious model injections.