Structure-Aware Distributed Backdoor Attacks in Federated Learning

TL;DR

This paper investigates how model architecture influences backdoor attack effectiveness in federated learning, introducing metrics and a framework to understand and predict attack success based on structural properties.

Contribution

It proposes the Structural Responsiveness Score and Structural Compatibility Coefficient to quantify model sensitivity and compatibility, and develops a structure-aware fractal perturbation injection framework (TFI).

Findings

Model architecture affects perturbation propagation and retention.

Networks with multi-path feature fusion amplify fractal perturbations.

SCC correlates strongly with attack success rate.

Abstract

While federated learning protects data privacy, it also makes the model update process vulnerable to long-term stealthy perturbations. Existing studies on backdoor attacks in federated learning mainly focus on trigger design or poisoning strategies, typically assuming that identical perturbations behave similarly across different model architectures. This assumption overlooks the impact of model structure on perturbation effectiveness. From a structure-aware perspective, this paper analyzes the coupling relationship between model architectures and backdoor perturbations. We introduce two metrics, Structural Responsiveness Score (SRS) and Structural Compatibility Coefficient (SCC), to measure a model's sensitivity to perturbations and its preference for fractal perturbations. Based on these metrics, we develop a structure-aware fractal perturbation injection framework (TFI) to study the role of architectural properties in the backdoor injection process. Experimental results show that model architecture significantly influences the propagation and aggregation of perturbations. Networks with multi-path feature fusion can amplify and retain fractal perturbations even under low poisoning ratios, while models with low structural compatibility constrain their effectiveness. Further analysis reveals a strong correlation between SCC and attack success rate, suggesting that SCC can predict perturbation survivability. These findings highlight that backdoor behaviors in federated learning depend not only on perturbation design or poisoning intensity but also on the interaction between model architecture and aggregation mechanisms, offering new insights for structure-aware defense design.