pith. sign in

arxiv: 2411.03926 · v3 · submitted 2024-11-06 · 💻 cs.CV

Act in Collusion: Distributed Multi-Target Backdoor Attacks in Federated Learning

Tao Liu , Dapeng Man , Jiguang Lv , Chen Xu , Weiye Xi , Huanran Wang , Yuhang Zhang , Tianming Zhao
show 1 more author
Wu Yang
This is my paper

Pith reviewed 2026-05-23 17:20 UTC · model grok-4.3

classification 💻 cs.CV
keywords federated learningbackdoor attacksmulti-target attacksdistributed attacksIoT securitygradient aggregationtrigger design
0
0 comments X

The pith

One attacker controlling multiple clients can implant several distinct backdoors in federated learning that all retain high success rates after aggregation.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines federated learning where one adversary controls several distributed clients and assigns each a unique trigger paired with a different target label. Standard backdoor methods lose power because the malicious updates conflict when the server averages them. DMBA counters this with a Backdoor Replay step that reduces differences among the malicious gradients and a Channel-Frequency Composite Trigger that keeps the triggers distinct on each client. Experiments on several datasets show every backdoor still reaches above 80 percent success while many earlier approaches fall below 50 percent or to zero. This setting matches real IoT deployments where coordinated but differentiated attacks could remain hidden.

Core claim

DMBA ensures attack success rates above 80 percent for all implanted backdoors by using Backdoor Replay to reduce discrepancies among malicious gradients and Channel-Frequency Composite Trigger to improve trigger distinguishability and reduce local interference, whereas baseline distributed backdoor methods often see rates drop below 50 percent or approach zero under the same multi-target aggregation.

What carries the argument

Distributed Multi-Target Backdoor Attack (DMBA) that combines Backdoor Replay to align malicious updates and Channel-Frequency Composite Trigger to preserve distinguishability.

If this is right

  • Malicious clients can pursue different target labels at once without their updates cancelling during aggregation.
  • Existing single-target or centralized multi-target defenses may leave federated systems open to coordinated distributed attacks.
  • Attack success stays high even when the server mixes updates from many benign clients.
  • The same client-control model can be extended to other distributed training settings that use gradient averaging.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Detection systems may need to watch for coordinated but non-identical update patterns across multiple clients rather than looking for one repeated trigger.
  • The approach could be tested on networks with hundreds of clients to check whether the alignment steps remain stable at larger scale.
  • Similar replay and composite-trigger ideas might transfer to other aggregation-based learning protocols beyond the federated case examined here.

Load-bearing premise

A single adversarial entity can control multiple distributed malicious clients, assign them distinct triggers and targets, and run Backdoor Replay and Channel-Frequency Composite Trigger without the server detecting the pattern or the triggers losing effectiveness under real aggregation.

What would settle it

In a federated learning run that applies the proposed Backdoor Replay and Channel-Frequency Composite Trigger, if the attack success rate for any one backdoor falls below 80 percent after server aggregation, the central effectiveness claim is refuted.

Figures

Figures reproduced from arXiv: 2411.03926 by Chen Xu, Dapeng Man, Huanran Wang, Jiguang Lv, Tao Liu, Tianming Zhao, Weiye Xi, Wu Yang, Yuhang Zhang.

Figure 1
Figure 1. Figure 1: ASRs for multiple backdoors in complex attack scenarios. Additionally, we empirically validated the lim￾itations of existing backdoor methods, which struggle in complex scenarios to maintain high Attack Success Rates (ASRs) for multiple back￾doors, as demonstrated in [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Distributed multi-target trigger strategy. Different attackers convert pixel matrices of various channels into the frequency domain and then perturb different frequency blocks to serve as triggers, activating backdoors with distinct target labels. limited communication rounds. θ ∗ n = argθn min   X xi∈Dcln n l [f (xi ; θn), yi ] + X xi ′∈D poi n l [f (b (xi ′ ; ϕn) ; θn), τn]   (1) θ ∗ GM = argθGM min(… view at source ↗
Figure 3
Figure 3. Figure 3: Workflow of DMBA. (1)Multi-target trigger generation; (2)Local backdoor training; (3)Global model poisoning; (4)Backdoored global model inference [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Comparing stealth performances of different attacks on CIFAR-10. [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Impact of three key factors on DMBA attack performance on CIFAR-10. The three key [PITH_FULL_IMAGE:figures/full_fig_p009_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Performance of DMBA on different defence methods on CIFAR-10. [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗
read the original abstract

Federated learning (FL) is widely used in Internet-of-Things (IoT) systems, but its distributed training process also exposes it to backdoor attacks. Existing studies mainly consider single-target or centralized multi-target settings, while coordinated distributed multi-target attacks remain underexplored. In practical IoT scenarios, one adversarial entity may control multiple distributed malicious clients and assign each client distinct triggers and target labels. Under this setting, existing distributed backdoor methods often fail to preserve the effectiveness of all backdoors because malicious updates conflict during aggregation. To address this issue, we propose a Distributed Multi-Target Backdoor Attack (DMBA) for FL. DMBA introduces a Backdoor Replay (BR) mechanism to reduce discrepancies among malicious gradients and a Channel-Frequency Composite Trigger (CFCT) strategy to improve trigger distinguishability and alleviate local interference. Experiments on multiple datasets show that DMBA ensures attack success rates above 80% for all implanted backdoors, whereas some baseline backdoors fall below 50% and may even approach 0.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 2 minor

Summary. The manuscript proposes DMBA, a distributed multi-target backdoor attack for federated learning. Under a threat model where one adversarial entity controls multiple malicious clients each assigned distinct triggers and targets, DMBA uses a Backdoor Replay (BR) mechanism to reduce malicious gradient discrepancies during aggregation and a Channel-Frequency Composite Trigger (CFCT) strategy to improve trigger distinguishability. Experiments on multiple datasets report that DMBA maintains attack success rates above 80% for all implanted backdoors under standard FedAvg, while baseline distributed backdoor methods often fall below 50% or approach 0.

Significance. If the empirical results hold under the stated threat model, the work demonstrates a practical coordinated attack that preserves effectiveness across multiple distinct backdoors, filling a gap between single-target and centralized multi-target settings in FL security literature. The explicit empirical demonstration of BR + CFCT under FedAvg provides a concrete, falsifiable baseline for future defense research in IoT-oriented federated systems.

minor comments (2)
  1. [Abstract] Abstract and experimental sections should include at least one table or paragraph summarizing dataset names, number of clients, fraction of malicious clients, and key hyperparameters (e.g., learning rate, trigger size) to support the reported ASR numbers.
  2. [Experiments] Clarify whether statistical significance (e.g., standard deviation over multiple runs) is reported for the >80% ASR figures or whether single-run results are presented.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive summary, significance assessment, and recommendation of minor revision. No specific major comments were listed in the report.

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper is an empirical study proposing DMBA (with BR and CFCT mechanisms) and reporting measured attack success rates from experiments on standard datasets under FedAvg. No derivation chain, first-principles model, or predictive equations are present; results are presented as observed outcomes rather than outputs computed from the paper's own fitted parameters or self-referential definitions. No load-bearing self-citations or uniqueness theorems are invoked to force the central claims.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides no explicit free parameters, axioms, or invented entities. The method relies on standard FL aggregation assumptions and empirical tuning of triggers and replay mechanisms that are not detailed here.

pith-pipeline@v0.9.0 · 5738 in / 1012 out tokens · 31650 ms · 2026-05-23T17:20:55.138435+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

60 extracted references · 60 canonical work pages · 6 internal anchors

  1. [1]

    Alharbi, S., Guo, Y ., and Yu, W. (2024). Collusive backdoor attacks in federated learning frameworks for iot systems. IEEE Internet of Things Journal

    work page 2024

  2. [2]

    Bagdasaryan, E., Veit, A., Hua, Y ., Estrin, D., and Shmatikov, V . (2020). How to backdoor federated learning. In International conference on artificial intelligence and statistics, pages 2938–2948. PMLR

    work page 2020

  3. [3]

    Barni, M., Kallas, K., and Tondi, B. (2019). A new backdoor attack in cnns by training set corruption without label poisoning. In 2019 IEEE International Conference on Image Processing (ICIP), pages 101–105. IEEE

    work page 2019

  4. [4]

    Baruch, G., Baruch, M., and Goldberg, Y . (2019). A little is enough: Circumventing defenses for distributed learning. Advances in Neural Information Processing Systems, 32

    work page 2019

  5. [5]

    N., Chakraborty, S., Mittal, P., and Calo, S

    Bhagoji, A. N., Chakraborty, S., Mittal, P., and Calo, S. (2019). Analyzing federated learning through an adversarial lens. In International Conference on Machine Learning, pages 634–643. PMLR

    work page 2019

  6. [6]

    P., Yuan, L.,˙Zak, S

    Chellapandi, V . P., Yuan, L.,˙Zak, S. H., and Wang, Z. (2023). A survey of federated learning for connected and automated vehicles. In 2023 IEEE 26th International Conference on Intelligent Transportation Systems (ITSC), pages 2485–2492. IEEE

    work page 2023

  7. [7]

    Chen, X., Liu, C., Li, B., Lu, K., and Song, D. (2017). Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  8. [8]

    Chen, Z., Badrinarayanan, V ., Lee, C.-Y ., and Rabinovich, A. (2018). Gradnorm: Gradient normalization for adaptive loss balancing in deep multitask networks. In International conference on machine learning, pages 794–803. PMLR

    work page 2018

  9. [9]

    Feng, Y ., Ma, B., Zhang, J., Zhao, S., Xia, Y ., and Tao, D. (2022). Fiba: Frequency-injection based backdoor attack in medical image analysis. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 20876–20885

    work page 2022

  10. [10]

    Mitigating sybils in federated learning poisoning,

    Fung, C., Yoon, C. J., and Beschastnikh, I. (2018). Mitigating sybils in federated learning poisoning. arXiv preprint arXiv:1808.04866

    work page arXiv 2018

  11. [11]

    Differentially Private Federated Learning: A Client Level Perspective

    Geyer, R. C., Klein, T., and Nabi, M. (2017). Differentially private federated learning: A client level perspective. arXiv preprint arXiv:1712.07557

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  12. [12]

    Gong, X., Chen, Y ., Wang, Q., and Kong, W. (2022). Backdoor attacks and defenses in federated learning: State-of-the-art, taxonomy, and future directions. IEEE Wireless Communications, 30(2):114–121. 10

    work page 2022

  13. [13]

    Gu, T., Dolan-Gavitt, B., and Garg, S. (2017). Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  14. [14]

    He, K., Zhang, X., Ren, S., and Sun, J. (2016). Deep residual learning for image recognition. InProceedings of the IEEE conference on computer vision and pattern recognition, pages 770–778

    work page 2016

  15. [15]

    Hessel, M., Modayil, J., Van Hasselt, H., Schaul, T., Ostrovski, G., Dabney, W., Horgan, D., Piot, B., Azar, M., and Silver, D. (2018). Rainbow: Combining improvements in deep reinforcement learning. In Proceedings of the AAAI conference on artificial intelligence, volume 32

    work page 2018

  16. [16]

    Hou, L., Hua, Z., Li, Y ., and Zhang, L. Y . (2022). M-to-n backdoor paradigm: A stealthy and fuzzy attack to deep learning models. arXiv preprint arXiv:2211.01875

    work page arXiv 2022

  17. [17]

    Jiang, W., Li, H., Xu, G., and Zhang, T. (2023). Color backdoor: A robust poisoning attack in color space. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 8133–8142

    work page 2023

  18. [18]

    Kendall, A., Gal, Y ., and Cipolla, R. (2018). Multi-task learning using uncertainty to weigh losses for scene geometry and semantics. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 7482–7491

    work page 2018

  19. [19]

    Federated Learning: Strategies for Improving Communication Efficiency

    Konecn`y, J., McMahan, H. B., Yu, F. X., Richtárik, P., Suresh, A. T., and Bacon, D. (2016). Federated learning: Strategies for improving communication efficiency. arXiv preprint arXiv:1610.05492, 8

    work page internal anchor Pith review Pith/arXiv arXiv 2016

  20. [20]

    Krizhevsky, A., Hinton, G., et al. (2009). Learning multiple layers of features from tiny images

    work page 2009

  21. [21]

    Kwon, H. (2022). Multi-model selective backdoor attack with different trigger positions. IEICE TRANS- ACTIONS on Information and Systems, 105(1):170–174

    work page 2022

  22. [22]

    Kwon, H., Roh, J., Yoon, H., and Park, K.-W. (2020a). Targetnet backdoor: attack on deep neural network with use of different triggers. In Proceedings of the 2020 5th International Conference on Intelligent Information Technology, pages 140–145

    work page 2020

  23. [23]

    Kwon, H., Yoon, H., and Park, K.-W. (2020b). Multi-targeted backdoor: Indentifying backdoor attack for multiple deep neural networks. IEICE TRANSACTIONS on Information and Systems, 103(4):883–887

    work page

  24. [24]

    Lesort, T. (2020). Continual learning: Tackling catastrophic forgetting in deep neural networks with replay processes. arXiv preprint arXiv:2007.00487

    work page arXiv 2020

  25. [25]

    C.-H., and V oigt, T

    Li, S., Ngai, E. C.-H., and V oigt, T. (2023). An experimental study of byzantine-robust aggregation schemes in federated learning. IEEE Transactions on Big Data

    work page 2023

  26. [26]

    Li, Y . (2023). Poisoning-based backdoor attacks in computer vision. InProceedings of the AAAI Conference on Artificial Intelligence, volume 37, pages 16121–16122

    work page 2023

  27. [27]

    Liu, S., Johns, E., and Davison, A. J. (2019). End-to-end multi-task learning with attention. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 1871–1880

    work page 2019

  28. [28]

    Liu, T., Wang, Z., He, H., Shi, W., Lin, L., An, R., and Li, C. (2023). Efficient and secure federated learning for financial applications. Applied Sciences, 13(10):5877

    work page 2023

  29. [29]

    Liu, T., Zhang, Y ., Feng, Z., Yang, Z., Xu, C., Man, D., and Yang, W. (2024). Beyond traditional threats: A persistent backdoor attack on federated learning. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 38, pages 21359–21367

    work page 2024

  30. [30]

    Mamba Kabala, D., Hafiane, A., Bobelin, L., and Canals, R. (2023). Image-based crop disease detection with federated learning. Scientific Reports, 13(1):19220

    work page 2023

  31. [31]

    McMahan, B., Moore, E., Ramage, D., Hampson, S., and y Arcas, B. A. (2017a). Communication-efficient learning of deep networks from decentralized data. In Artificial intelligence and statistics, pages 1273–1282. PMLR

    work page

  32. [32]

    Learning Differentially Private Recurrent Language Models

    McMahan, H. B., Ramage, D., Talwar, K., and Zhang, L. (2017b). Learning differentially private recurrent language models. arXiv preprint arXiv:1710.06963

    work page internal anchor Pith review Pith/arXiv arXiv

  33. [33]

    A., Veness, J., Bellemare, M

    Mnih, V ., Kavukcuoglu, K., Silver, D., Rusu, A. A., Veness, J., Bellemare, M. G., Graves, A., Riedmiller, M., Fidjeland, A. K., Ostrovski, G., et al. (2015). Human-level control through deep reinforcement learning. nature, 518(7540):529–533. 11

    work page 2015

  34. [34]

    D., Nguyen, T., Le Nguyen, P., Pham, H

    Nguyen, T. D., Nguyen, T., Le Nguyen, P., Pham, H. H., Doan, K. D., and Wong, K.-S. (2024). Backdoor attacks and defenses in federated learning: Survey, challenges and future research directions. Engineering Applications of Artificial Intelligence, 127:107166

    work page 2024

  35. [35]

    Paszke, A., Gross, S., Massa, F., Lerer, A., Bradbury, J., Chanan, G., Killeen, T., Lin, Z., Gimelshein, N., Antiga, L., et al. (2019). Pytorch: An imperative style, high-performance deep learning library. Advances in neural information processing systems, 32

    work page 2019

  36. [36]

    Salem, A., Wen, R., Backes, M., Ma, S., and Zhang, Y . (2022). Dynamic backdoor attacks against machine learning models. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pages 703–718. IEEE

    work page 2022

  37. [37]

    Schaul, T., Quan, J., Antonoglou, I., and Silver, D. (2015). Prioritized experience replay. arXiv preprint arXiv:1511.05952

    work page internal anchor Pith review Pith/arXiv arXiv 2015

  38. [38]

    R., Najibi, M., Suciu, O., Studer, C., Dumitras, T., and Goldstein, T

    Shafahi, A., Huang, W. R., Najibi, M., Suciu, O., Studer, C., Dumitras, T., and Goldstein, T. (2018). Poison frogs! targeted clean-label poisoning attacks on neural networks. Advances in neural information processing systems, 31

    work page 2018

  39. [39]

    Shannon, C. E. (1949). Communication theory of secrecy systems. The Bell system technical journal, 28(4):656–715

    work page 1949

  40. [40]

    Shejwalkar, V ., Houmansadr, A., Kairouz, P., and Ramage, D. (2022). Back to the drawing board: A critical evaluation of poisoning attacks on production federated learning. In 2022 IEEE Symposium on Security and Privacy (SP), pages 1354–1371. IEEE

    work page 2022

  41. [41]

    J., Edwards, B., Reina, G

    Sheller, M. J., Edwards, B., Reina, G. A., Martin, J., Pati, S., Kotrotsou, A., Milchenko, M., Xu, W., Marcus, D., Colen, R. R., et al. (2020). Federated learning in medicine: facilitating multi-institutional collaborations without sharing patient data. Scientific reports, 10(1):12598

    work page 2020

  42. [42]

    E., Güler, B., Jiao, J., and Avestimehr, A

    So, J., Ali, R. E., Güler, B., Jiao, J., and Avestimehr, A. S. (2023). Securing secure aggregation: Mitigating multi-round privacy leakage in federated learning. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 37, pages 9864–9873

    work page 2023

  43. [43]

    Stallkamp, J., Schlipsing, M., Salmen, J., and Igel, C. (2011). The german traffic sign recognition benchmark: a multi-class classification competition. In The 2011 international joint conference on neural networks, pages 1453–1460. IEEE

    work page 2011

  44. [44]

    E., and Liu, L

    Tolpegin, V ., Truex, S., Gursoy, M. E., and Liu, L. (2020). Data poisoning attacks against federated learning systems. In Computer Security–ESORICS 2020: 25th European Symposium on Research in Computer Security, ESORICS 2020, Guildford, UK, September 14–18, 2020, Proceedings, Part I 25, pages 480–501. Springer

    work page 2020

  45. [45]

    Wang, H., Sreenivasan, K., Rajput, S., Vishwakarma, H., Agarwal, S., Sohn, J.-y., Lee, K., and Papail- iopoulos, D. (2020). Attack of the tails: Yes, you really can backdoor federated learning. Advances in Neural Information Processing Systems, 33:16070–16084

    work page 2020

  46. [46]

    Wang, R., Zhou, G., Gao, M., and Xiao, Y . (2024). Dual model replacement: invisible multi-target backdoor attack based on federal learning. arXiv preprint arXiv:2404.13946

    work page arXiv 2024

  47. [47]

    Wang, T., Yao, Y ., Xu, F., An, S., Tong, H., and Wang, T. (2022a). An invisible black-box backdoor attack through frequency domain. In European Conference on Computer Vision, pages 396–413. Springer

    work page

  48. [48]

    Wang, Y ., Zhao, M., Li, S., Yuan, X., and Ni, W. (2022b). Dispersed pixel perturbation-based imperceptible backdoor trigger for image classifier models. IEEE Transactions on Information Forensics and Security, 17:3091–3106

    work page

  49. [49]

    and Bovik, A

    Wang, Z. and Bovik, A. C. (2002). A universal image quality index. IEEE signal processing letters , 9(3):81–84

    work page 2002

  50. [50]

    C., Sheikh, H

    Wang, Z., Bovik, A. C., Sheikh, H. R., and Simoncelli, E. P. (2004). Image quality assessment: from error visibility to structural similarity. IEEE transactions on image processing, 13(4):600–612

    work page 2004

  51. [51]

    Wu, C., Yang, X., Zhu, S., and Mitra, P. (2020). Mitigating backdoor attacks in federated learning. arXiv preprint arXiv:2011.01767

    work page arXiv 2020

  52. [52]

    Wu, C., Zhu, S., and Mitra, P. (2022). Federated unlearning with knowledge distillation. arXiv preprint arXiv:2201.09441. 12

    work page arXiv 2022

  53. [53]

    Xie, C., Huang, K., Chen, P.-Y ., and Li, B. (2019). Dba: Distributed backdoor attacks against federated learning. In International conference on learning representations

    work page 2019

  54. [54]

    Xue, M., He, C., Wang, J., and Liu, W. (2020). One-to-n & n-to-one: Two advanced backdoor attacks against deep learning models. IEEE Transactions on Dependable and Secure Computing, 19(3):1562–1578

    work page 2020

  55. [55]

    Xue, M., Ni, S., Wu, Y ., Zhang, Y ., Wang, J., and Liu, W. (2022). Imperceptible and multi-channel backdoor attack against deep neural networks. arXiv preprint arXiv:2201.13164

    work page arXiv 2022

  56. [56]

    Yang, Q., Liu, Y ., Chen, T., and Tong, Y . (2019). Federated machine learning: Concept and applications. ACM Transactions on Intelligent Systems and Technology (TIST), 10(2):1–19

    work page 2019

  57. [57]

    Yu, Y ., Wang, Y ., Yang, W., Lu, S., Tan, Y .-P., and Kot, A. C. (2023). Backdoor attacks against deep image compression via adaptive frequency trigger. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 12250–12259

    work page 2023

  58. [58]

    A., Shechtman, E., and Wang, O

    Zhang, R., Isola, P., Efros, A. A., Shechtman, E., and Wang, O. (2018). The unreasonable effectiveness of deep features as a perceptual metric. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 586–595

    work page 2018

  59. [59]

    Zhang, Z., Cao, X., Jia, J., and Gong, N. Z. (2022a). Fldetector: Defending federated learning against model poisoning attacks via detecting malicious clients. InProceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, pages 2545–2555

    work page

  60. [60]

    Zhang, Z., Panda, A., Song, L., Yang, Y ., Mahoney, M., Mittal, P., Kannan, R., and Gonzalez, J. (2022b). Neurotoxin: Durable backdoors in federated learning. In International Conference on Machine Learning, pages 26429–26446. PMLR. A Details of the Experiment in Fig. 1 In the initial phase of our investigation, extensive explorations were conducted to as...

    work page 2018