FTA: Stealthy and Adaptive Backdoor Attack with Flexible Triggers on Federated Learning

Download PDF

Yanqi Qiao, Dazhuang Liu, Congwen Chen, Rui Wang, Kaitai Liang

16 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: federated learning, backdoor attack, trigger generator, robustness
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Abstract: Current backdoor attacks against federated learning (FL) strongly rely on universal triggers or semantic patterns, which can be easily detected and filtered by certain defense mechanisms such as norm clipping, trigger inversion and etc. In this work, we propose a novel generator-assisted backdoor attack, FTA, against FL defenses. In this method, we build a generative trigger function that can learn to manipulate the benign samples with naturally imperceptible trigger patterns (stealthy) and simultaneously make poisoned samples include similar hidden features of the attacker-chosen label. Moreover, our trigger generator repeatedly produces triggers for each sample (flexibility) in each FL iteration (adaptivity), allowing it to adjust to changes of hidden features between global models of different rounds. Instead of using universal and predefined triggers of existing works, we break this wall by providing three desiderate (i.e., stealthy, flexibility and adaptivity), which helps our attack avoid the presence of backdoor-related hidden features or backdoor routing. Extensive experiments confirmed the effectiveness (above 98\% attack success rate) and stealthiness of our attack compared to prior attacks on decentralized learning frameworks with eight well-studied defenses.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
Supplementary Material: zip
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 727