DOPA: Stealthy and Generalizable Backdoor Attacks from a Single Client under Challenging Federated Constraints

TL;DR

DOPA introduces a novel backdoor attack framework for federated learning that remains effective under real-world constraints like heterogeneity, limited control, and diverse defenses, by simulating divergent training paths.

Contribution

It presents the first backdoor attack method that works under strict federated constraints by leveraging heterogeneous local training dynamics and consensus seeking.

Findings

Achieves high attack success across multiple defenses and datasets.

Maintains minimal impact on model accuracy.

Operates efficiently under single-client, black-box conditions.

Abstract

Federated Learning (FL) is increasingly adopted for privacy-preserving collaborative training, but its decentralized nature makes it particularly susceptible to backdoor attacks. Existing attack methods, however, often rely on idealized assumptions and fail to remain effective under real-world constraints, such as limited attacker control, non-IID data distributions, and the presence of diverse defense mechanisms. To address this gap, we propose DOPA (Divergent Optimization Path Attack), a novel framework that simulates heterogeneous local training dynamics and seeks consensus across divergent optimization trajectories to craft universally effective and stealthy backdoor triggers. By leveraging consistency signals across simulated paths to guide optimization, DOPA overcomes the challenge of heterogeneity-induced instability and achieves practical attack viability under stringent federated constraints. We validate DOPA on a comprehensive suite of 12 defense strategies, two model architectures (ResNet18/VGG16), two datasets (CIFAR-10/TinyImageNet), and both mild and extreme non-IID settings. Despite operating under a single-client, black-box, and sparsely participating threat model, DOPA consistently achieves high attack success, minimal accuracy degradation, low runtime, and long-term persistence. These results demonstrate a more practical attack paradigm, offering new perspectives for designing robust defense strategies in federated learning systems