Multi-Target Federated Backdoor Attack Based on Feature Aggregation

TL;DR

This paper introduces a novel federated backdoor attack method based on feature aggregation that bypasses detection and achieves high success rates, including the first zero-shot attack in federated learning.

Contribution

The paper proposes a new federated backdoor attack framework utilizing feature aggregation, aligning trigger dimensions with images and enabling simultaneous multi-class trigger generation.

Findings

Achieves a 77.39% success rate in zero-shot backdoor attacks.

Successfully bypasses existing detection methods.

Reduces trigger production time across multiple classes.

Abstract

Current federated backdoor attacks focus on collaboratively training backdoor triggers, where multiple compromised clients train their local trigger patches and then merge them into a global trigger during the inference phase. However, these methods require careful design of the shape and position of trigger patches and lack the feature interactions between trigger patches during training, resulting in poor backdoor attack success rates. Moreover, the pixels of the patches remain untruncated, thereby making abrupt areas in backdoor examples easily detectable by the detection algorithm. To this end, we propose a novel benchmark for the federated backdoor attack based on feature aggregation. Specifically, we align the dimensions of triggers with images, delimit the trigger's pixel boundaries, and facilitate feature interaction among local triggers trained by each compromised client. Furthermore, leveraging the intra-class attack strategy, we propose the simultaneous generation of backdoor triggers for all target classes, significantly reducing the overall production time for triggers across all target classes and increasing the risk of the federated model being attacked. Experiments demonstrate that our method can not only bypass the detection of defense methods while patch-based methods fail, but also achieve a zero-shot backdoor attack with a success rate of 77.39%. To the best of our knowledge, our work is the first to implement such a zero-shot attack in federated learning. Finally, we evaluate attack performance by varying the trigger's training factors, including poison location, ratio, pixel bound, and trigger training duration (local epochs and communication rounds).