Go to NeurIPS 2025 Workshop Reliable ML homepagePersistent and Stealthy Backdoor Attacks in Federated Learning via Layerwise Model Poisoning
Keywords: federated learning, backdoor attack, model poisoning
TL;DR: Federated learning's privacy constraints make it vulnerable to stealthy poisoning. We introduce a layerwise backdoor injection strategy that creates persistent and undetectable backdoors, overcoming the short-lived nature of prior attacks.
Abstract: Federated Learning (FL) enables collaborative model training without data centralization, but this very advantage creates blind spots for security, enabling adversaries to manipulate model behavior. FL privacy-preserving design introduces unique security challenges. In particular, the inability to inspect local data or training processes renders many conventional defenses, such as data sanitization or anomaly detection, ineffective. Among the most concerning threats are backdoor attacks, where an adversary aims to embed hidden behaviors into the global model. These behaviors cause targeted misclassifications on specific inputs while leaving the model’s performance on the primary task largely unaffected, allowing the attack to evade detection. Previous work has demonstrated the feasibility of injecting backdoors into FL models, but such attacks often lack durability. As FL training proceeds over many rounds, the influence of a single or intermittent attacker tends to diminish, causing the backdoor to fade. To address this limitation, we propose a novel layerwise backdoor injection strategy that systematically poisons specific layers of the model to improve both stealth and persistence. Our method allows even a short-lived attacker to implant a lasting backdoor that survives successive training rounds. We conduct comprehensive experiments on both image classification and natural language processing tasks across standard benchmarks (CIFAR-10, EMNIST, Reddit) to validate the effectiveness of our approach. Our attack consistently achieves high, persistent backdoor success rates while evading advanced defenses. This exposes a critical, underexplored vulnerability in FL and calls for a rethink of current defense paradigms.
Submission Number: 62
Loading