Papers
Topics
Authors
Recent
Search
2000 character limit reached

A3FL Attack in Federated Learning

Updated 10 July 2026
  • A3FL Attack is a trigger-optimization backdoor method that adapts its trigger over rounds to align with the global model trajectory.
  • The attack reveals that benign hyperparameters critically influence backdoor effectiveness, persistence, and stealth in horizontal federated learning.
  • Tuning benign parameters combined with robust aggregation strategies can significantly reduce backdoor accuracy and lifespan while preserving main task performance.

Searching arXiv for the original A3FL paper and closely related HFL backdoor/defense work. arXiv.search(query="A3FL Adaptive Attack Against Federated Learning Zhang federated learning backdoor", max_results=10, sort_by="relevance") arXiv.search(query="A3FL Adaptive Attack Against Federated Learning Zhang", max_results=10, sort_by="relevance") search_arxiv(query="A3FL Adaptive Attack Against Federated Learning Zhang", max_results=10) A3FL, introduced in the context of horizontal federated learning (HFL) as “Adaptive Attack Against Federated Learning,” is a trigger-optimization backdoor attack whose defining property is explicit modeling of how the global model moves under continuing benign training. Rather than relying on a fixed patch, A3FL updates the trigger over rounds so that the backdoor remains aligned with the global model trajectory, and it is designed under a “worst-case defense” assumption in which the server actively tries to unlearn the current trigger pattern. In the robustness study of benign-client hyperparameters conducted in “On Hyperparameters and Backdoor-Resistance in Horizontal Federated Learning,” A3FL is treated as one of four state-of-the-art attacks and as the strongest and most persistent baseline (Lachnit et al., 5 Sep 2025).

1. Placement in horizontal federated learning

The A3FL attack is studied in a standard HFL setup coordinated by a central server SS and a set of clients C={C1,,CN}C=\{C_1,\dots,C_N\}. Each client CkC_k has a local dataset DCk\mathcal{D}_{C_k} of size nkn_k and local loss

Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).

The global objective is

θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).

Training is synchronous and round-based. At round tt, the server selects a subset CtCC^t\subset C, broadcasts the current global model θt\theta^t, each selected client performs local training for C={C1,,CN}C=\{C_1,\dots,C_N\}0 epochs with its own optimizer and hyperparameters, returns C={C1,,CN}C=\{C_1,\dots,C_N\}1, and the server aggregates via corrected FedAvg: C={C1,,CN}C=\{C_1,\dots,C_N\}2 The data distribution is non-IID across clients, typically via label-wise Dirichlet partitioning; for CIFAR-10 in the main experiments, the parameter is C={C1,,CN}C=\{C_1,\dots,C_N\}3 (Lachnit et al., 5 Sep 2025).

Within this setting, A3FL is not a generic poisoning label but a specific adaptive backdoor construction. Its role in (Lachnit et al., 5 Sep 2025) is methodological as well as empirical: it functions as the principal case study for how benign-client hyperparameters alter both the peak success and the persistence of a strong HFL backdoor.

2. Threat model, attacker objective, and evaluation criteria

The server is benign. A fraction C={C1,,CN}C=\{C_1,\dots,C_N\}4 of clients, set to C={C1,,CN}C=\{C_1,\dots,C_N\}5 by default, are Byzantine or malicious and fully compromised. These malicious clients control their local training procedure, optimizer, and malicious hyperparameters C={C1,,CN}C=\{C_1,\dots,C_N\}6; they can arbitrarily poison local data by adding triggers and flipping labels, and they can arbitrarily manipulate their final model updates. They know the benign hyperparameters because the server broadcasts them globally, but they do not see benign clients’ data or updates, nor the exact aggregation rule beyond FedAvg in the baseline, with defenses treated as unknown (Lachnit et al., 5 Sep 2025).

The attacker’s goal is to maximize backdoor performance while keeping degradation of main-task accuracy low so that the attack remains stealthy. The paper evaluates this through three quantities. Main Task Accuracy (MTA) is the accuracy on clean test data. Backdoor Accuracy (BDA) is the probability that backdoored inputs are classified as the attacker-chosen target C={C1,,CN}C=\{C_1,\dots,C_N\}7. C={C1,,CN}C=\{C_1,\dots,C_N\}8-lifespan, especially at C={C1,,CN}C=\{C_1,\dots,C_N\}9, measures persistence after the attack ends: CkC_k0 where CkC_k1 is the last attack round. The “50%-lifespan” in the paper is CkC_k2 (Lachnit et al., 5 Sep 2025).

These definitions matter because A3FL is characterized not only by high attack-time BDA but by post-attack persistence. In (Lachnit et al., 5 Sep 2025), the attack’s “strength” is therefore treated as a joint property of high CkC_k3, high CkC_k4, and large CkC_k5, rather than attack success alone.

3. Attack mechanics and adaptive trigger optimization

A3FL is described as a trigger-optimization backdoor attack. The original paper is said to supply full pseudocode, while (Lachnit et al., 5 Sep 2025) gives a concise description. The adversary maintains a parameterized trigger, such as a trainable mask or pattern in image space. At each attack round, the attacker trains a local model with poisoned data consisting of triggered inputs paired with the target label and simultaneously optimizes the trigger parameters themselves with respect to a loss that anticipates the global model update. The trigger is updated to “follow” or “pre-compensate for” how benign FedAvg and potential server-side “trigger unlearning” will move the global decision boundary (Lachnit et al., 5 Sep 2025).

A3FL therefore augments a standard badnets-style attack with an extra inner loop optimizing the trigger given a model of the global dynamics. Each malicious client receives CkC_k6, runs local SGD with its own hyperparameters CkC_k7 on a mixture of clean data for utility and stealth and backdoor data generated with the current optimized trigger, and then submits the resulting update vector CkC_k8 to the server (Lachnit et al., 5 Sep 2025).

The paper identifies three features that make A3FL “strong.” First, it uses an adaptive trigger rather than a fixed patch. Second, it is defense-aware: it explicitly assumes a server that tries to unlearn current triggers and optimizes against this. Third, prior evaluations used benign hyperparameters that unintentionally favored the attacker. A concrete example is the original A3FL benign learning-rate schedule, which ramps up and then sharply drops exactly at the start of the attack window. Replacing this schedule by a constant learning rate causes A3FL’s effectiveness to collapse: CkC_k9 drops by about DCk\mathcal{D}_{C_k}0 percentage points, 50%-lifespan drops by about DCk\mathcal{D}_{C_k}1, and MTA decreases by only about DCk\mathcal{D}_{C_k}2 percentage points (Lachnit et al., 5 Sep 2025).

This suggests that A3FL’s reported persistence is not solely an intrinsic property of the trigger-optimization mechanism. In the evaluation of (Lachnit et al., 5 Sep 2025), persistence is also highly contingent on the benign optimization regime.

4. Hyperparameter dependence and analytical characterization

The analytical model in (Lachnit et al., 5 Sep 2025) studies how benign and malicious hyperparameters affect a generic backdoor attack, with A3FL used as the main instantiation of the malicious loss DCk\mathcal{D}_{C_k}3 and benign loss DCk\mathcal{D}_{C_k}4. Under one global FedAvg step with malicious fraction DCk\mathcal{D}_{C_k}5,

DCk\mathcal{D}_{C_k}6

with

DCk\mathcal{D}_{C_k}7

where DCk\mathcal{D}_{C_k}8 is the benign learning rate and DCk\mathcal{D}_{C_k}9 is the malicious rate (Lachnit et al., 5 Sep 2025).

The geometric intuition given in the paper is that, if benign and malicious gradients point in opposing directions, the direction of the global update is governed by nkn_k0 versus nkn_k1. For large nkn_k2, A3FL can dominate; for large nkn_k3, benign updates become large and wash out the malicious ones more quickly. In the diagonal linear network toy model, increasing nkn_k4 increases average malicious loss nkn_k5, which corresponds to decreasing BDA, while increasing nkn_k6 helps the attacker initially but quickly saturates. The authors interpret this as showing that larger benign learning rates both give benign updates more weight in the FedAvg combination and act as an implicit regularizer that discourages overfitting to small backdoor patterns (Lachnit et al., 5 Sep 2025).

The analysis is extended to momentum nkn_k7, local epochs nkn_k8, batch sizes nkn_k9, and weight decay Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).0. The qualitative conclusions are consistent across the analytical and CIFAR-10 experiments. Higher benign momentum amplifies benign gradient directions and suppresses misaligned malicious directions, but the effect is weaker and narrower than that of the learning rate. Larger benign Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).1 or smaller benign Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).2 imply more SGD steps per round and higher gradient noise, making backdoor patterns harder to implant and easier to forget. Larger Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).3 pulls weights toward zero and penalizes the large localized feature weights often exploited by backdoors (Lachnit et al., 5 Sep 2025).

A central claim of the paper is that properly chosen benign hyperparameters cap A3FL’s effectiveness independently of A3FL’s own tuning. The malicious hyperparameters are controlled by the attacker and can be tuned aggressively, but the benign hyperparameters are controlled by the system and chosen once, pre-deployment. A plausible implication is that, in this formulation, backdoor resistance is partly a property of the training dynamics rather than exclusively of the aggregation rule or a dedicated defense module.

5. Experimental behavior, persistence, and interaction with defenses

The main HFL environment for A3FL uses CIFAR-10 with non-IID Dirichlet partition Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).4, ResNet-20, Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).5 clients, Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).6 selected per round, malicious fraction Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).7, FedAvg aggregation, and a benign learning rate decayed each round by factor Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).8. The attack window is rounds Fk(θ)=1nk(x,y)DCk(θ,x,y).F_k(\theta)=\frac{1}{n_k}\sum_{(x,y)\in\mathcal{D}_{C_k}} \ell(\theta,x,y).9–θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).0, followed by θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).1 benign-only rounds to observe forgetting. Unless being swept, the default benign hyperparameters are θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).2, θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).3, θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).4, θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).5, and θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).6 (Lachnit et al., 5 Sep 2025).

The reported measurements show that A3FL is especially sensitive in its post-attack persistence. The most important observed changes are summarized below.

Benign hyperparameter change Reported A3FL effect
θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).7 θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).8 down by about θ=argminθF(θ),F(θ)=kCnkcCncFk(θ).\theta^*=\arg\min_\theta F(\theta),\qquad F(\theta)=\sum_{k\in C}\frac{n_k}{\sum_{c\in C}n_c}\,F_k(\theta).9 p.p.; tt0 down by tt1 p.p.; 50%-lifespan down by tt2
Original A3FL LR schedule tt3 constant LR tt4 down by about tt5 p.p.; tt6 down by about tt7; MTA down by tt8 p.p.
tt9 CtCC^t\subset C0 down by CtCC^t\subset C1 p.p.; CtCC^t\subset C2 down by CtCC^t\subset C3 p.p.; 50%-lifespan down by CtCC^t\subset C4; MTA within about CtCC^t\subset C5 p.p.
CtCC^t\subset C6 CtCC^t\subset C7 down by CtCC^t\subset C8 p.p.; CtCC^t\subset C9 down by θt\theta^t0 p.p.; 50%-lifespan down by θt\theta^t1; MTA degradation θt\theta^t2 p.p.
θt\theta^t3 θt\theta^t4 down by θt\theta^t5 p.p.; θt\theta^t6 down by θt\theta^t7 p.p.; 50%-lifespan down by θt\theta^t8; MTA can drop by up to θt\theta^t9 p.p. across attacks
C={C1,,CN}C=\{C_1,\dots,C_N\}00 For A3FL, C={C1,,CN}C=\{C_1,\dots,C_N\}01 down by C={C1,,CN}C=\{C_1,\dots,C_N\}02 p.p.; C={C1,,CN}C=\{C_1,\dots,C_N\}03 down by C={C1,,CN}C=\{C_1,\dots,C_N\}04 p.p.; 50%-lifespan down by C={C1,,CN}C=\{C_1,\dots,C_N\}05; MTA degrades by at most about C={C1,,CN}C=\{C_1,\dots,C_N\}06 p.p.

These results support the paper’s conclusion that learning rate, epochs, batch size, and weight decay are highly influential for both A3FL’s peak success and its persistence, whereas momentum is weaker and comes with a harsher MTA trade-off (Lachnit et al., 5 Sep 2025).

The paper also studies server-side defenses: Krum, Multi-Krum, Bulyan, and FoolsGold. Under the original benign hyperparameters used in A3FL’s own evaluation, A3FL without defense reaches very high C={C1,,CN}C=\{C_1,\dots,C_N\}07 of about C={C1,,CN}C=\{C_1,\dots,C_N\}08–C={C1,,CN}C=\{C_1,\dots,C_N\}09 and long lifespans. Krum and Multi-Krum often degrade MTA significantly and sometimes reduce BDA, but not always enough to neutralize A3FL. Bulyan reduces BDA more than Krum, while FoolsGold appears only modestly effective in some setups. Under tuned benign hyperparameters, however, the picture changes markedly. Hyperparameter tuning alone causes C={C1,,CN}C=\{C_1,\dots,C_N\}10 and 50%-lifespan to plummet, and adding a robust aggregator, especially FoolsGold or Bulyan, yields further improvements (Lachnit et al., 5 Sep 2025).

Using NSGA-II and grid search, the paper recommends the benign configuration

C={C1,,CN}C=\{C_1,\dots,C_N\}11

Under these recommended benign hyperparameters and no defense, A3FL’s 50%-lifespan decreases by C={C1,,CN}C=\{C_1,\dots,C_N\}12, C={C1,,CN}C=\{C_1,\dots,C_N\}13 decreases by C={C1,,CN}C=\{C_1,\dots,C_N\}14 percentage points, C={C1,,CN}C=\{C_1,\dots,C_N\}15 decreases by about C={C1,,CN}C=\{C_1,\dots,C_N\}16 percentage points, and MTA drops by only C={C1,,CN}C=\{C_1,\dots,C_N\}17 percentage points relative to A3FL’s original benign configuration. With FoolsGold added, the 50%-lifespan reduction is about C={C1,,CN}C=\{C_1,\dots,C_N\}18, C={C1,,CN}C=\{C_1,\dots,C_N\}19 shrinks by about C={C1,,CN}C=\{C_1,\dots,C_N\}20 percentage points compared to the original, C={C1,,CN}C=\{C_1,\dots,C_N\}21 shrinks by about C={C1,,CN}C=\{C_1,\dots,C_N\}22 percentage points, and MTA improves slightly compared to the original (Lachnit et al., 5 Sep 2025).

6. Interpretation, misconceptions, and open questions

A recurrent misconception addressed by (Lachnit et al., 5 Sep 2025) is that the security of HFL against A3FL-like attacks is determined primarily by the chosen defense algorithm. The empirical record in that paper points in a different direction: benign hyperparameters and defenses interact, poor benign hyperparameters can make sophisticated defenses look weak, and hyperparameter tuning alone can already push A3FL close to irrelevance in the sense of short lifespan and low C={C1,,CN}C=\{C_1,\dots,C_N\}23 (Lachnit et al., 5 Sep 2025).

A second misconception is terminological. A3FL, in the form studied in HFL, is a training-stage backdoor attack based on poisoned local training and adaptive trigger optimization over rounds. It should not be conflated with deployment-stage weight attacks that modify model parameters directly in memory via bit flips. The deployment-stage paradigm studied in “Versatile Weight Attack via Flipping Limited Bits” modifies a deployed DNN’s parameters directly in memory at the deployment stage, “does not touch” the training data, the inference inputs, or the training process, and is formulated under a bit-budget constraint on quantized weights (Bai et al., 2022). The two paradigms both target malicious model behavior, but they operate at different points in the lifecycle and under different attacker capabilities.

The broader implication drawn in (Lachnit et al., 5 Sep 2025) is that benign hyperparameters should be treated as first-class security controls. This suggests that reported attack strength cannot be interpreted independently of the benign optimization regime under which it was measured. The paper identifies several open questions: extension to other ML domains such as NLP, multimodal, and generative models; automated hyperparameter search for robustness under adaptive attackers; better theoretical characterization of the interaction between generalization, implicit regularization, and backdoor vulnerability in federated optimization; and the design of new attacks that explicitly exploit aggressively tuned benign hyperparameters together with new defenses that jointly consider hyperparameter tuning, aggregation rules, and anomaly detection (Lachnit et al., 5 Sep 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (2)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to A3FL Attack.