How To Backdoor Federated Learning
read the original abstract
Federated learning enables thousands of participants to construct a deep learning model without sharing their private training data with each other. For example, multiple smartphones can jointly train a next-word predictor for keyboards without revealing what individual users type. We demonstrate that any participant in federated learning can introduce hidden backdoor functionality into the joint global model, e.g., to ensure that an image classifier assigns an attacker-chosen label to images with certain features, or that a word predictor completes certain sentences with an attacker-chosen word. We design and evaluate a new model-poisoning methodology based on model replacement. An attacker selected in a single round of federated learning can cause the global model to immediately reach 100% accuracy on the backdoor task. We evaluate the attack under different assumptions for the standard federated-learning tasks and show that it greatly outperforms data poisoning. Our generic constrain-and-scale technique also evades anomaly detection-based defenses by incorporating the evasion into the attacker's loss function during training.
This paper has not been read by Pith yet.
Forward citations
Cited by 1 Pith paper
-
HADES: Privacy-Preserving Federated Learning via Selective Feature Encryption and Hybrid Model Fusion
HADES selectively encrypts privacy-sensitive features identified by PCA in federated learning, trains hybrid encrypted and plaintext networks, and fuses them to match vanilla FL accuracy with reduced overhead and bett...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.