DCInject: Persistent Backdoor Attacks via Frequency Manipulation in Personal Federated Learning
Nahom Birhan, Daniel Wesego, Dereje Shenkut, Frank Liu, Daniel Takabi

TL;DR
DCInject introduces a novel frequency-domain backdoor attack on personalized federated learning, effectively bypassing existing defenses and achieving high attack success rates while preserving model accuracy across multiple datasets.
Contribution
The paper presents DCInject, a new frequency-based backdoor attack method for PFL that outperforms existing spatial-domain attacks and demonstrates robustness against defenses like I-BAU.
Findings
DCInject achieves up to 100% attack success rate on GTSRB.
The attack maintains high clean accuracy across datasets.
DCInject remains effective under I-BAU defense, exposing vulnerabilities.
Abstract
Personalized federated learning (PFL) creates client-specific models to handle data heterogeneity. Previously, PFL has been shown to be naturally resistant to backdoor attack propagation across clients. In this work, we reveal that PFL remains vulnerable to backdoor attacks through a novel frequency-domain approach. We propose DCInject, an adaptive frequency-domain backdoor attack for PFL, which removes portions of the zero-frequency (DC) component and replaces them with Gaussian-distributed samples in the frequency domain. Our attack achieves superior attack success rates while maintaining clean accuracy across four datasets (CIFAR-10/100, GTSRB, SVHN) compared to existing spatial-domain attacks, evaluated under parameter decoupling based personalization. DCInject achieves superior performance with ASRs of 96.83% (CIFAR-10), 99.38% (SVHN), and 100% (GTSRB) while maintaining clean…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Advanced Graph Neural Networks
