Computer Science ›› 2025, Vol. 52 ›› Issue (11): 434-443.doi: 10.11896/jsjkx.250100146

• Information Security •

Backdoor Attack Method for Federated Learning Based on Knowledge Distillation

ZHAO Tong, CHEN Xuebin, WANG Liu, JING Zhongrui, ZHONG Qi   

  1. College of Science, North China University of Science and Technology, Tangshan, Hebei 063210, China
     Hebei Province Key Laboratory of Data Science and Application (North China University of Science and Technology), Tangshan, Hebei 063210, China
     Tangshan Key Laboratory of Data Science (North China University of Science and Technology), Tangshan, Hebei 063210, China
  • Received:2025-01-23 Revised:2025-04-28 Online:2025-11-15 Published:2025-11-06
  • About author: ZHAO Tong, born in 1998, postgraduate, is a member of CCF (No. W0214G). His main research interests include data security and federated learning.
    CHEN Xuebin, born in 1970, Ph.D., professor, is an outstanding member of CCF (No. 13654D). His main research interests include big data security, Internet of security and network security.
  • Supported by:
    National Natural Science Foundation of China(U20A20179).

Abstract: Federated learning enables different participants to jointly train a global model on their private datasets. However, the distributed nature of federated learning also leaves room for backdoor attacks, in which the attacker poisons the global model so that it produces targeted incorrect predictions on samples carrying a specific backdoor trigger. This paper proposes a backdoor attack method for federated learning based on knowledge distillation (KDFLBD). First, a teacher model is trained on a concentrated poisoned dataset generated by distillation, and the "dark knowledge" of the teacher model is transferred to a student model to refine the malicious neurons. Then, the neurons carrying the backdoor are embedded into the global model through Z-score ranking and mixing of neurons. Experiments evaluate the performance of KDFLBD in IID and non-IID scenarios on common datasets. Compared with pixel attacks and label-flipping attacks, KDFLBD significantly improves the attack success rate (ASR) while leaving the main task accuracy (MTA) unaffected.
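To make the two mechanisms named in the abstract concrete, the following is an added toy example in Python; it is not code from the paper, and the authors' exact distillation loss, ranking statistic and mixing rule are not given on this page, so the choices below (Hinton-style soft-target loss with temperature, Z-scoring the per-neuron L2 weight change between the distilled student and the current global model, then overwriting the top-ranked neurons in the global model) are assumptions. The weight matrices and logits are constructed sample data.

```python
"""Added toy example: temperature-based knowledge distillation plus
Z-score neuron ranking and mixing, using only the standard library.
The concrete loss, statistic and mixing rule are assumptions, not the
paper's reported method."""
import math
from statistics import mean, pstdev


def softmax(logits, temperature=1.0):
    """Numerically stable softmax of logits / temperature."""
    scaled = [v / temperature for v in logits]
    top = max(scaled)
    exps = [math.exp(v - top) for v in scaled]
    total = sum(exps)
    return [e / total for e in exps]


def kd_loss(student_logits, teacher_logits, temperature=4.0):
    """Hinton-style soft-target loss: T^2 * KL(p_teacher^T || p_student^T).

    A high temperature exposes the teacher's "dark knowledge" (how it ranks
    the wrong classes), which is what a distilled student inherits.
    """
    p_t = softmax(teacher_logits, temperature)
    p_s = softmax(student_logits, temperature)
    kl = sum(pt * math.log(pt / ps) for pt, ps in zip(p_t, p_s) if pt > 0.0)
    return temperature * temperature * kl


def zscore_rank_neurons(global_w, student_w):
    """Score each neuron (one row of the weight matrix) by how far the student
    moved it away from the global model, then Z-score those distances.

    Returns (indices sorted by descending Z-score, Z-scores). Assumption: the
    per-neuron L2 norm of the weight delta is the ranked quantity.
    """
    deltas = [
        math.sqrt(sum((s - g) ** 2 for s, g in zip(s_row, g_row)))
        for s_row, g_row in zip(student_w, global_w)
    ]
    mu, sigma = mean(deltas), pstdev(deltas)
    z = [(d - mu) / sigma if sigma > 0.0 else 0.0 for d in deltas]
    ranked = sorted(range(len(z)), key=lambda i: z[i], reverse=True)
    return ranked, z


def mix_neurons(global_w, student_w, neuron_ids, alpha=1.0):
    """Copy of global_w where the chosen neurons become
    alpha * student + (1 - alpha) * global; every other row stays global."""
    chosen = set(neuron_ids)
    mixed = []
    for i, (g_row, s_row) in enumerate(zip(global_w, student_w)):
        if i in chosen:
            mixed.append([alpha * s + (1.0 - alpha) * g for s, g in zip(s_row, g_row)])
        else:
            mixed.append(list(g_row))
    return mixed


# Constructed sample weights: 6 neurons x 4 inputs. The student (trained on
# the distilled poisoned data) differs strongly only on neurons 1 and 4.
GLOBAL_W = [
    [0.10, -0.20, 0.30, 0.05],
    [0.00, 0.10, -0.10, 0.20],
    [0.25, 0.05, 0.00, -0.15],
    [-0.10, 0.30, 0.10, 0.00],
    [0.05, 0.05, 0.05, 0.05],
    [0.20, -0.10, 0.00, 0.10],
]
STUDENT_W = [
    [0.11, -0.20, 0.30, 0.05],
    [0.90, -0.60, 0.70, 1.10],
    [0.26, 0.05, 0.00, -0.15],
    [-0.09, 0.30, 0.10, 0.00],
    [-0.80, 0.95, -0.70, 0.85],
    [0.21, -0.10, 0.00, 0.10],
]

# Constructed logits for one triggered sample (3 classes; the teacher has
# learned to push the trigger toward class 2).
TEACHER_LOGITS = [2.0, 0.5, 6.0]
STUDENT_LOGITS = [1.0, 1.0, 1.0]


def run_demo(top_k=2):
    """Run the whole pipeline on the constructed data and return the results."""
    loss_before = kd_loss(STUDENT_LOGITS, TEACHER_LOGITS)
    loss_converged = kd_loss(TEACHER_LOGITS, TEACHER_LOGITS)  # student == teacher
    ranked, z = zscore_rank_neurons(GLOBAL_W, STUDENT_W)
    selected = ranked[:top_k]
    mixed = mix_neurons(GLOBAL_W, STUDENT_W, selected)
    return {
        "kd_loss_before": loss_before,
        "kd_loss_converged": loss_converged,
        "ranked": ranked,
        "zscores": z,
        "selected": selected,
        "mixed": mixed,
    }


if __name__ == "__main__":
    result = run_demo()
    print("selected backdoor neurons:", result["selected"])
    for i, zi in enumerate(result["zscores"]):
        print(f"neuron {i}: z={zi:+.2f}")
```

The same per-neuron delta statistic that the attacker uses to pick which neurons to transplant is one an aggregator-side anomaly check could compute over incoming updates; the abstract reports ASR and MTA against pixel and label-flipping baselines but says nothing about robust aggregation, so whether the mixed update survives norm clipping or outlier filtering is not established on this page.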

Key words: Federated learning, Backdoor attack, Knowledge distillation, Trigger, Privacy protection

CLC Number: 

  • TP391