BadSFL: Backdoor Attack against Scaffold Federated Learning (2411.16167v2)

Abstract: Federated learning (FL) enables the training of deep learning models on distributed clients to preserve data privacy. However, this learning paradigm is vulnerable to backdoor attacks, where malicious clients can upload poisoned local models to embed backdoors into the global model, leading to attacker-desired predictions. Existing backdoor attacks mainly focus on FL with independently and identically distributed (IID) scenarios, while real-world FL training data are typically non-IID. Current strategies for non-IID backdoor attacks suffer from limitations in maintaining effectiveness and durability. To address these challenges, we propose a novel backdoor attack method, BadSFL, specifically designed for the FL framework using the scaffold aggregation algorithm in non-IID settings. BadSFL leverages a Generative Adversarial Network (GAN) based on the global model to complement the training set, achieving high accuracy on both backdoor and benign samples. It utilizes a specific feature as the backdoor trigger to ensure stealthiness, and exploits the Scaffold's control variate to predict the global model's convergence direction, ensuring the backdoor's persistence. Extensive experiments on three benchmark datasets demonstrate the high effectiveness, stealthiness, and durability of BadSFL. Notably, our attack remains effective over 60 rounds in the global model and up to 3 times longer than existing baseline attacks after stopping the injection of malicious updates.

• The paper introduces BadSFL, a method that uses GAN-based data supplementation to overcome non-IID challenges in federated learning.
• It optimizes the backdoor injection via control variate alignment, ensuring the attack persists without degrading primary model accuracy.
• Experimental results on datasets like CIFAR-10, CIFAR-100, and MNIST confirm enhanced durability and stealth against various defense mechanisms.

Backdoor Attack against Scaffold Federated Learning: An Analysis of BadSFL

The paper "BadSFL: Backdoor Attack against Scaffold Federated Learning" addresses a critical security problem in federated learning (FL)—the vulnerability to backdoor attacks, particularly in scenarios where data distribution across clients is non-IID. The authors introduce a method called BadSFL, specifically targeting Scaffold Federated Learning (SFL), which uses a control variate to correct update drifts caused by data heterogeneity.

Overview of BadSFL

Federated learning allows multiple clients to collaboratively train a model while maintaining data privacy. One of the significant challenges in FL involves non-IID data distributions, where data variability among clients can lead to convergence issues or performance degradation. SFL attempts to mitigate such issues using control variates, which help align the direction of model updates towards global convergence more effectively.

Backdoors in machine learning models are hidden triggers inserted into the training process to cause specific misclassifications. Traditional backdoor attacks in federated learning have been devised mainly for IID data scenarios, but they falter in non-IID settings where attackers lack complete knowledge of the dataset distribution. BadSFL addresses this gap by using a Generative Adversarial Network (GAN) to generate representative samples for training, simulating a complete dataset knowledge for the attacker.

Methodological Approach

1. GAN-based Data Supplementation: The method begins by utilizing GANs to synthesize training samples mimicking the data distributions of other clients. This step allows attackers to compensate for the non-IID nature of the environment, achieving higher alignment between the poisoned and global models.
2. Trigger Selection and Injection: With the augmented dataset, attackers implement backdoor triggers through methods such as label flipping, pattern trigger injection, or using a distinctive feature of a class as a trigger. Feature-based triggers are notably stealthier, minimizing detectable alterations in data.
3. Optimizing with Control Variate Alignments: The method involves an optimization process leveraging the control variate provided by SFL to direct the update’s influence on backdooring efficacy. This step ensures the backdoor's persistence in future model aggregations and enhances long-term stealthiness.
4. Evaluation Metrics: The effectiveness of BadSFL is measured using backdoor task accuracy (BTA) and primary task accuracy (PTA), with extended evaluation on latency and robustness under various defense mechanisms such as differential privacy and model pruning.

Experimental Validation

The paper provides a comprehensive experimental setup, highlighting the efficacy of BadSFL compared to conventional baseline attacks across datasets like CIFAR-10, CIFAR-100, and MNIST. Key results show that BadSFL achieves superior backdoor durability, maintaining functionality over significantly more rounds of model updates than baseline methods. The approach also successfully avoids noticeable degradation in primary task performance, a crucial aspect when bypassing anomaly-based defense mechanisms.

Implications and Future Developments

The significant implication of this research lies in understanding the potential consequences of adversarial attacks within federated learning frameworks, especially as these systems are increasingly adopted in applications requiring high security and privacy assurance. The findings underscore the necessity to develop more robust defense mechanisms that can reliably detect or neutralize backdoor attacks in non-IID FL environments.

Furthermore, as federated learning technology evolves, it will be essential to consider integrated security strategies that involve both detection and prevention, addressing vulnerabilities at different stages of the training process. Future research could extend this work by exploring adaptive defense techniques leveraging real-time anomaly detection or enhancements in federated model architectures to intrinsically resist backdoor influences.

In conclusion, the introduction of BadSFL highlights a sophisticated approach to exploiting the nuances of federated learning frameworks, pointing to a critical area of focus for advancing secure machine learning systems in decentralized settings.