Backdoor Attacks in Federated Learning by Poisoned Word Embeddings

Published: 27 Mar 2022, Last Modified: 05 May 2023
FL4NLP@ACL2022
Readers: Everyone
Keywords: Federated learning, model poisoning, backdoor
TL;DR: We demonstrate the feasibility of backdoor attacks in federated learning through poisoned word embeddings. In text classification, one client out of a hundred suffices to backdoor the global model.
Abstract: Recent advances in federated learning have demonstrated its promising capability to learn on decentralized datasets. However, a considerable amount of work has raised concerns due to the potential risks of adversaries participating in the framework to poison the global model for an adversarial purpose. This paper investigates the feasibility of model poisoning for backdoor attacks through word embeddings of NLP models in text classification and sequence-to-sequence tasks. In text classification, only one adversary client out of 100 suffices to classify a backdoored input to a target class without any drop in performance on clean sentences. In Seq2Seq, five adversary clients out of 100 can poison the global model to generate a pre-chosen target sequence such as a fake news headline.