TY - JOUR
T1 - Efficient and persistent backdoor attack by boundary trigger set constructing against federated learning
AU - Yang, Deshan
AU - Luo, Senlin
AU - Zhou, Jinjie
AU - Pan, Limin
AU - Yang, Xiaonan
AU - Xing, Jiyuan
N1 - Publisher Copyright:
© 2023 Elsevier Inc.
PY - 2023/12
Y1 - 2023/12
N2 - Federated learning systems encounter various security risks, including backdoor, inference and adversarial attacks. Backdoor attacks within this context generally require careful trigger sample design involving candidate selection and automated optimization. Previous methods randomly selected trigger candidates from the training dataset, disrupting sample distribution and blurring boundaries among them, which adversely affected the main task accuracy. Moreover, these methods employed non-optimized handcrafted triggers, resulting in a weakened backdoor mapping relationship and lower attack success rates. In this work, we propose a flexible backdoor attack approach, Trigger Sample Selection and Optimization (TSSO), motivated by neural network classification patterns. TSSO employs autoencoders and locality-sensitive hashing to select trigger candidates at class boundaries for precise injection. Furthermore, it iteratively refines trigger representations via the global model and historical outcomes, establishing a robust mapping relationship. TSSO is evaluated on four classical datasets with non-IID settings, outperforming state-of-the-art methods by achieving a higher attack success rate in fewer rounds, prolonging the backdoor effect. In scalability tests, even with the defense deployed, TSSO achieved an attack success rate of over 80% with only 4% malicious clients (a poisoning rate of 1/640).
KW - Backdoor attack
KW - Deep learning
KW - Federated learning
KW - Poisoning attack
KW - Sample selection
KW - Trigger optimization
UR - http://www.scopus.com/inward/record.url?scp=85173169009&partnerID=8YFLogxK
U2 - 10.1016/j.ins.2023.119743
DO - 10.1016/j.ins.2023.119743
M3 - Article
AN - SCOPUS:85173169009
SN - 0020-0255
VL - 651
JO - Information Sciences
JF - Information Sciences
M1 - 119743
ER -