Backdoor Attack for Federated Learning with Fake Clients

23 Sept 2023 (modified: 25 Mar 2024), ICLR 2024 Conference Withdrawn Submission
Keywords: Backdoor Attack; Federated Learning
Abstract: Federated Learning (FL) is a popular distributed machine learning paradigm that enables joint model training without sharing clients' data. Recent studies show that federated learning can be vulnerable to backdoor attacks from malicious clients: such attacks aim to mislead the global model into a targeted misprediction when a specific trigger pattern is presented. Although various types of federated backdoor attacks have been proposed, most of them rely on the malicious client's local data to inject the backdoor trigger into the model. In this paper, we consider a new and more challenging scenario in which the attacker can only control fake clients, which do not possess any real data at all. Such a threat model sets a higher standard for the attacker: the attack must be conducted without relying on any real client data (knowing only the target class label). Meanwhile, the resulting malicious update should not be easily detected by potential defenses. Specifically, we first simulate the normal client updates by modeling the historical global model trajectory. Then we simultaneously optimize the backdoor trigger and manipulate the model parameters in a data-free manner to achieve our attack goal. Extensive experiments on multiple benchmark datasets show the effectiveness of the proposed attack in the fake client setting under state-of-the-art defenses.
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 7864