Federated learning (FL) systems are used for collaborative model training among clients without sharing private data. However, these systems are vulnerable to backdoor attacks. These backdoor attacks embed malicious behavior into the global model of the server and are either persistent, i.e., they persist across multiple training cycles or are non-persistent, fading rapidly as the model continues to update. In this paper, we propose a framework that makes it possible for an attacker to control the removal of the persistent backdoor in a stealthy manner without degrading the model’s benign accuracy. Unlike some conventional backdoor removal methods that require prolonged interaction with the model, our framework is able to erase the backdoor in significantly fewer rounds. This capability ensures that an attacker can control the lifespan of the backdoor to be stealthy. Our empirical evaluations on benchmark datasets such as CIFAR-10, CIFAR-100, and EMNIST demonstrate the effectiveness of our approach. The backdoor accuracy of the model drops to near zero within 26 rounds of removal without degrading the general accuracy of the benign model, showcasing the effectiveness of the method. Our findings show the need for a shift in the threat model for federated learning: attackers can not only insert backdoors but also remove them on demand, posing new challenges for federated learning security.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Antitoxin: A Framework for Controlling Persistent Backdoors in Federated Learning

  • Neeraj Karamchandani,
  • Chen Wu,
  • Piyush Nagasubramaniam,
  • Dinghao Wu,
  • Sencun Zhu

摘要

Federated learning (FL) systems are used for collaborative model training among clients without sharing private data. However, these systems are vulnerable to backdoor attacks. These backdoor attacks embed malicious behavior into the global model of the server and are either persistent, i.e., they persist across multiple training cycles or are non-persistent, fading rapidly as the model continues to update. In this paper, we propose a framework that makes it possible for an attacker to control the removal of the persistent backdoor in a stealthy manner without degrading the model’s benign accuracy. Unlike some conventional backdoor removal methods that require prolonged interaction with the model, our framework is able to erase the backdoor in significantly fewer rounds. This capability ensures that an attacker can control the lifespan of the backdoor to be stealthy. Our empirical evaluations on benchmark datasets such as CIFAR-10, CIFAR-100, and EMNIST demonstrate the effectiveness of our approach. The backdoor accuracy of the model drops to near zero within 26 rounds of removal without degrading the general accuracy of the benign model, showcasing the effectiveness of the method. Our findings show the need for a shift in the threat model for federated learning: attackers can not only insert backdoors but also remove them on demand, posing new challenges for federated learning security.