Beyond Corner Patches: Semantics-Aware Backdoor Attack in Federated Learning

TL;DR

This paper introduces SABLE, a semantics-aware backdoor attack in federated learning that uses natural, meaningful triggers, demonstrating high success rates across various settings and challenging existing robustness assumptions.

Contribution

The paper presents SABLE, a novel semantics-aware backdoor method for federated learning that constructs natural triggers and maintains attack effectiveness across multiple aggregation rules.

Findings

Semantic triggers achieve high attack success rates.

Backdoors remain effective despite different aggregation rules.

Synthetic patch triggers may overestimate robustness.

Abstract

Backdoor attacks on federated learning (FL) are most often evaluated with synthetic corner patches or out-of-distribution (OOD) patterns that are unlikely to arise in practice. In this paper, we revisit the backdoor threat to standard FL (a single global model) under a more realistic setting where triggers must be semantically meaningful, in-distribution, and visually plausible. We propose SABLE, a Semantics-Aware Backdoor for LEarning in federated settings, which constructs natural, content-consistent triggers (e.g., semantic attribute changes such as sunglasses) and optimizes an aggregation-aware malicious objective with feature separation and parameter regularization to keep attacker updates close to benign ones. We instantiate SABLE on CelebA hair-color classification and the German Traffic Sign Recognition Benchmark (GTSRB), poisoning only a small, interpretable subset of each malicious client's local data while otherwise following the standard FL protocol. Across heterogeneous client partitions and multiple aggregation rules (FedAvg, Trimmed Mean, MultiKrum, and FLAME), our semantics-driven triggers achieve high targeted attack success rates while preserving benign test accuracy. These results show that semantics-aligned backdoors remain a potent and practical threat in federated learning, and that robustness claims based solely on synthetic patch triggers can be overly optimistic.