Computer Science ›› 2025, Vol. 52 ›› Issue (4): 343-351. doi: 10.11896/jsjkx.240800043
Special topic: Federated Learning
蒋雨霏, 田育龙, 赵彦超
JIANG Yufei, TIAN Yulong, ZHAO Yanchao
Abstract: The distributed nature of federated learning allows each client to take part in model training while keeping its data independent, but it also allows an attacker to control or imitate some of the clients in order to launch a backdoor attack, manipulating the model's output by implanting a carefully designed fixed trigger. The effectiveness and persistence of the trigger are important criteria for measuring the attack: effectiveness is the attack success rate, and persistence is the ability to maintain a high attack success rate after the attack has stopped. Research on effectiveness is already relatively mature, but how to maintain the persistence of a trigger remains a challenging problem. To prolong trigger persistence, this paper proposes a backdoor attack method based on dynamically optimized triggers. First, the trigger is optimized in step with the dynamic updates of federated learning, minimizing the difference between the latent representations of the trigger features in the model at attack time and in the model after the attack, so as to train the global model's ability to memorize the trigger features. Second, redundant neurons are used as an indicator of whether the backdoor has been implanted successfully, and noise is added adaptively to enhance the effectiveness of the attack. Extensive experiments on the MNIST, CIFAR-10 and CIFAR-100 datasets show that the proposed scheme effectively prolongs trigger persistence in a federated learning setting. Under five representative defense systems the attack success rate exceeds 98%, and in particular, for the attack on CIFAR-10, the attack success rate remains above 90% more than 600 rounds after the attack has stopped.