Papers
Topics
Authors
Recent
Search
2000 character limit reached

Chameleon Poisoning in Federated Learning

Updated 4 July 2026
  • Chameleon Poisoning (CHAMP) is an adaptive poisoning strategy in federated learning that implants targeted backdoors while mimicking benign updates to avoid detection.
  • It employs a composite loss combining backdoor and proximity terms, adaptively weighted using a Backdoor Side-Channel Inference model to balance attack strength and stealth.
  • Empirical results demonstrate near-perfect attack success rates against robust aggregation defenses, underscoring the method’s effectiveness and evasiveness.

Searching arXiv for CHAMP / Chameleon Poisoning in federated learning and related "Chameleon" usages. Chameleon Poisoning (CHAMP) denotes an adaptive poisoning strategy for federated learning in which a Byzantine client seeks to implant a targeted backdoor while keeping its update within the main distribution of benign updates, thereby evading robust aggregation. In its most explicit usage, the term refers to the method introduced in "Stealth by Conformity: Evading Robust Aggregation through Adaptive Poisoning," where the adversary exploits side-channel feedback from the aggregation process to infer whether its malicious contribution has been incorporated into the global model and dynamically balances a malicious component with a camouflaging component (McGaughey et al., 3 Sep 2025). The "Chameleon" label also appears in earlier work on durable backdoors in federated learning and on label-only membership inference, but those methods optimize different objectives and operate under different threat models.

1. Definition and conceptual basis

CHAMP is built around a direct challenge to the standard assumption behind robust aggregation: that malicious updates are inherently out-of-distribution and can therefore be identified and excluded before aggregation. The method instead aims to poison the global model while keeping malicious updates close in norm to benign updates, similar in direction, and statistically similar enough that robust aggregators cannot reliably separate them as outliers (McGaughey et al., 3 Sep 2025).

The attack is adaptive rather than static. Instead of sending a fixed or pre-optimized poisoned update each round, the adversary observes the current global model, probes it on backdoor samples, estimates how much of the backdoor has already been absorbed, and then reweights its local objective accordingly. This produces what the source describes as a closed loop balancing stealth and attack strength. A central implication is that robust aggregation grounded purely in detecting statistical outliers in parameter space can fail against in-distribution attacks that leverage behavioral feedback (McGaughey et al., 3 Sep 2025).

2. Federated-learning setting and adversary model

The method is formulated in a standard synchronous federated learning system with a central server and NN clients C1,,CNC_1,\dots,C_N. In the reported experiments, all 10 clients participate in every round, exactly 1 client is malicious, the Byzantine rate is therefore 10%10\%, and the attacker is present and active in all rounds. The training horizon is T=50T=50 for Fashion-MNIST and T=100T=100 for CIFAR-10; clients train for 5 local epochs per round with batch size 64, using η=0.1\eta=0.1 on Fashion-MNIST and η=0.01\eta=0.01 on CIFAR-10 (McGaughey et al., 3 Sep 2025).

The poisoning objective is a targeted backdoor. For source class ysy^s and target class yτy^\tau, the malicious client modifies its local dataset DmD_m into C1,,CNC_1,\dots,C_N0 by adding a trigger pattern and relabeling source-class samples to the target class: C1,,CNC_1,\dots,C_N1 with

C1,,CNC_1,\dots,C_N2

In the image experiments, the trigger is a white square in the top-left corner of size C1,,CNC_1,\dots,C_N3, C1,,CNC_1,\dots,C_N4, or C1,,CNC_1,\dots,C_N5, with C1,,CNC_1,\dots,C_N6 used in the default experiments (McGaughey et al., 3 Sep 2025).

The server is assumed to apply robust aggregation schemes intended to tolerate one Byzantine client. The evaluated defenses are Median, Trimmed Mean, Krum, Multi-Krum, Bulyan, RFA, AlignIns / DAI, RLR, and FoolsGold. CHAMP is designed for a black-box robust-aggregation setting: the attacker observes the global model C1,,CNC_1,\dots,C_N7, its own local data, and the performance of the global model on its local backdoor test samples, but does not observe other clients’ updates, the exact aggregation rule, or server-side diagnostics (McGaughey et al., 3 Sep 2025).

3. Side-channel feedback and adaptive loss design

The local objective on the malicious client is a composite loss: C1,,CNC_1,\dots,C_N8 where C1,,CNC_1,\dots,C_N9 is the backdoor loss on poisoned samples and 10%10\%0 is a proximity or camouflage term that keeps the malicious local model close to the previous global model 10%10\%1 (McGaughey et al., 3 Sep 2025). The paper instantiates 10%10\%2 as Euclidean distance, cosine dissimilarity, or Huber loss between parameters: 10%10\%3 or

10%10\%4

The adaptive coefficient 10%10\%5 is driven by a Backdoor Side-Channel Inference (BSCI) model. BSCI is trained as a binary SVM with polynomial kernel and tolerance 10%10\%6. The attacker constructs 10%10\%7 reference datasets, poisons them with fractions

10%10\%8

trains reference models, and records their output vectors on backdoor samples. Models trained with 10%10\%9 are labeled “In,” and models trained with T=50T=500 are labeled “Out.” The resulting attack model T=50T=501 is then applied to the current global model’s outputs on backdoor samples to estimate a scalar likelihood T=50T=502 that the global model already contains the backdoor: T=50T=503 The camouflage weight is updated from the most recent T=50T=504 rounds as

T=50T=505

with T=50T=506 for CIFAR-10 and T=50T=507 for Fashion-MNIST (McGaughey et al., 3 Sep 2025).

This mechanism makes the attack self-regulating. If the backdoor appears absent, T=50T=508 becomes large and the proximity term dominates, pushing the update toward the benign region so that robust aggregation is more likely to include it. If the backdoor appears present, T=50T=509 decreases, permitting more aggressive poisoning. The paper also explores an alternative based on observed ASR rather than BSCI, but reports that BSCI yields earlier and more fine-grained feedback and converges faster to an “optimal” value for each robust-aggregation scheme (McGaughey et al., 3 Sep 2025).

4. Robust-aggregation evasion and empirical behavior

The attack is evaluated on Fashion-MNIST and CIFAR-10, using a small CNN for Fashion-MNIST and an AlexNet-style CNN for CIFAR-10. Across these settings, the abstract reports an average increase of T=100T=1000 in attack success rate against nine robust aggregation defenses (McGaughey et al., 3 Sep 2025).

The largest gains occur against defenses whose filtering logic depends on distance, direction, or centrality. On Fashion-MNIST with a T=100T=1001 trigger, Krum reduced a vanilla backdoor attack to T=100T=1002 ASR at T=100T=1003 Benign-ACC, whereas CHAMP achieved T=100T=1004 ASR at T=100T=1005 Benign-ACC. Under Multi-Krum, vanilla poisoning yielded T=100T=1006 ASR and CHAMP reached T=100T=1007; under Bulyan, vanilla poisoning yielded T=100T=1008 ASR and CHAMP reached T=100T=1009; under DAI, vanilla poisoning yielded η=0.1\eta=0.10 ASR and CHAMP reached η=0.1\eta=0.11; under RLR, vanilla poisoning yielded η=0.1\eta=0.12 ASR and CHAMP reached η=0.1\eta=0.13 (McGaughey et al., 3 Sep 2025).

The same pattern appears on CIFAR-10. Under Krum, vanilla poisoning gave η=0.1\eta=0.14 ASR with η=0.1\eta=0.15 Benign-ACC, whereas CHAMP achieved η=0.1\eta=0.16 ASR with η=0.1\eta=0.17 Benign-ACC. Under Multi-Krum, ASR increased from η=0.1\eta=0.18 to η=0.1\eta=0.19; under Bulyan, from η=0.01\eta=0.010 to η=0.01\eta=0.011; under DAI, from η=0.01\eta=0.012 to η=0.01\eta=0.013; under RLR, from η=0.01\eta=0.014 to η=0.01\eta=0.015 (McGaughey et al., 3 Sep 2025). The paper states that in 5 of the 9 robust-aggregation schemes, CHAMP achieves near-perfect ASR.

The mechanistic explanation is geometric rather than purely numerical. Krum score plots show that a vanilla backdoor attack remains farther from benign clients, whereas under CHAMP the malicious client’s Krum score becomes among the lowest, allowing it to be selected by Krum or Multi-Krum. Distance plots and t-SNE visualizations similarly show the malicious update moving into the benign cluster over training. Trigger-size ablations indicate that larger triggers yield higher ASR for both baseline and CHAMP, while proximity-metric ablations indicate that Euclidean and Huber often show similar trends, Huber is slightly better against some defenses such as Bulyan and DAI, Euclidean is better against others such as Multi-Krum and RLR, and cosine similarity can excel against some defenses while failing to improve against others (McGaughey et al., 3 Sep 2025).

5. Other Chameleon methods and terminological ambiguity

The expression "Chameleon" is not unique to the robust-aggregation attack. In the literature summarized here, it names several adaptive poisoning methods with distinct objectives, and the acronym CHAMP is not uniformly official across them.

Paper Setting Defining mechanism
"Stealth by Conformity: Evading Robust Aggregation through Adaptive Poisoning" (McGaughey et al., 3 Sep 2025) Federated learning under robust aggregation BSCI-guided balance between η=0.01\eta=0.016 and η=0.01\eta=0.017
"Chameleon: Adapting to Peer Images for Planting Durable Backdoors in Federated Learning" (Dai et al., 2023) Durable FL backdoors supervised contrastive learning over poisoned images, interferers, and facilitators
"Chameleon: Increasing Label-Only Membership Leakage with Adaptive Poisoning" (Chaudhari et al., 2023) Label-only membership inference adaptive per-point number of label-flipped replicas plus a membership neighborhood
"Instantly Obsoleting the Address-code Associations: A New Principle for Defending Advanced Code Reuse Attack" (Chen et al., 2015) Code-reuse defense, not ML poisoning runtime re-randomization of code page mappings

The durable-backdoor federated-learning paper of 2023 studies a different problem: how long a backdoor persists after the attacker stops poisoning. It defines poisoned images, interferers, and facilitators; argues that interferers create update conflicts that erase the backdoor, whereas facilitators re-introduce the target label’s representation; and proposes a two-stage malicious training pipeline in which supervised contrastive learning pushes poisoned embeddings away from interferers and toward facilitators. The paper reports η=0.01\eta=0.018–η=0.01\eta=0.019 longer lifespan than baselines across datasets, triggers, and architectures, using the ysy^s0-Lifespan metric rather than the robust-aggregation ASR focus of the later CHAMP paper (Dai et al., 2023).

The label-only membership-inference paper likewise uses adaptive poisoning, but its object is privacy leakage rather than federated backdoor insertion. There the attacker injects exactly enough label-flipped replicas of a challenge point to cause OUT shadow models to misclassify it while IN models remain more robust, then performs label-only inference through a neighborhood-based misclassification score. On CIFAR-10, it reports TPR@ysy^s1 FPR of ysy^s2 for Chameleon versus ysy^s3 for the Decision-Boundary attack, with 64 queries per challenge point rather than roughly 2500; on CIFAR-100, the corresponding figures are ysy^s4 and ysy^s5 (Chaudhari et al., 2023).

The 2015 CHAMELEON system is unrelated to machine-learning poisoning. It is a defense against ROP/JOP that periodically re-randomizes the locations of code pages on-the-fly so that address-code associations quickly become obsolete; the shared name reflects adaptivity and obsolescence rather than a common attack model (Chen et al., 2015).

6. Assumptions, limitations, and research implications

The robust-aggregation CHAMP paper makes several assumptions explicit. The attacker is present in all rounds and is always selected as a client; experiments are under IID data; the focus is on a single malicious client; BSCI requires training multiple reference models and an SVM; and the attacker must retain access to its backdoor data and trigger pattern across rounds (McGaughey et al., 3 Sep 2025). These assumptions do not invalidate the threat model, but they delimit the experimental regime.

The method also sharpens a broader research point. Robust aggregation schemes such as Median, Trimmed Mean, Krum, Multi-Krum, Bulyan, RFA, DAI, RLR, and FoolsGold are usually motivated by a geometry in which malicious updates occupy a separable outlier region. CHAMP shows that this geometry can be strategically manipulated. The paper therefore argues for new robust-aggregation schemes that reason about behavior rather than only parameters, suggests combining aggregation with backdoor detection on special test inputs, and proposes that BSCI-like tools might themselves be used defensively to distinguish benign and malicious updates (McGaughey et al., 3 Sep 2025). This suggests that the central issue is not merely whether poisoning occurs, but whether the server’s observables are rich enough to detect adaptive, in-distribution manipulation once the attacker begins to conform to the benign update distribution.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Chameleon Poisoning (CHAMP).