Bad-PFL: Exploring Backdoor Attacks against Personalized Federated Learning
Mingyuan Fan, Zhanyi Hu, Fuyi Wang, Cen Chen

TL;DR
This paper introduces Bad-PFL, a novel backdoor attack method against personalized federated learning that uses natural data features as triggers, demonstrating its effectiveness and durability even against advanced defenses.
Contribution
We propose Bad-PFL, a backdoor attack leveraging natural data features as triggers, which remains effective in personalized federated learning settings and withstands state-of-the-art defenses.
Findings
Bad-PFL successfully embeds durable backdoors in personalized models.
The attack outperforms existing methods across multiple datasets.
It remains effective even with advanced defense mechanisms.
Abstract
Data heterogeneity and backdoor attacks rank among the most significant challenges facing federated learning (FL). For data heterogeneity, personalized federated learning (PFL) enables each client to maintain a private personalized model to cater to client-specific knowledge. Meanwhile, vanilla FL has proven vulnerable to backdoor attacks. However, recent advancements in the PFL community have demonstrated a potential immunity against such attacks. This paper explores this intersection further, revealing that existing federated backdoor attacks fail in PFL because backdoors about manually designed triggers struggle to survive in personalized models. To tackle this, we design Bad-PFL, which employs features from natural data as our trigger. As long as the model is trained on natural data, it inevitably embeds the backdoor associated with our trigger, ensuring its longevity in personalized…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Access Control and Trust
