SPA: Towards More Stealth and Persistent Backdoor Attacks in Federated Learning

TL;DR

This paper introduces SPA, a novel stealthy backdoor attack in federated learning that uses feature-space alignment to improve persistence and evade detection, demonstrating high success rates under various conditions.

Contribution

SPA is the first backdoor attack leveraging feature-space alignment and adaptive trigger optimization, significantly enhancing stealth and persistence in federated learning.

Findings

High attack success rates across benchmarks

Robustness against defensive FL scenarios

Persistent backdoor effects under data heterogeneity

Abstract

Federated Learning (FL) has emerged as a leading paradigm for privacy-preserving distributed machine learning, yet the distributed nature of FL introduces unique security challenges, notably the threat of backdoor attacks. Existing backdoor strategies predominantly rely on end-to-end label supervision, which, despite their efficacy, often results in detectable feature disentanglement and limited persistence. In this work, we propose a novel and stealthy backdoor attack framework, named SPA, which fundamentally departs from traditional approaches by leveraging feature-space alignment rather than direct trigger-label association. Specifically, SPA reduces representational distances between backdoor trigger features and target class features, enabling the global model to misclassify trigger-embedded inputs with high stealth and persistence. We further introduce an adaptive, adversarial trigger optimization mechanism, utilizing boundary-search in the feature space to enhance attack longevity and effectiveness, even against defensive FL scenarios and non-IID data distributions. Extensive experiments on various FL benchmarks demonstrate that SPA consistently achieves high attack success rates with minimal impact on model utility, maintains robustness under challenging participation and data heterogeneity conditions, and exhibits persistent backdoor effects far exceeding those of conventional techniques. Our results call urgent attention to the evolving sophistication of backdoor threats in FL and emphasize the pressing need for advanced, feature-level defense techniques.