How To Backdoor Federated Learning
This exposes a critical vulnerability in federated learning systems, which are widely used for privacy-preserving collaborative training, making it a significant security concern for applications like smartphone keyboards and image classifiers.
The paper tackles the security problem of hidden backdoor attacks in federated learning, demonstrating that a single participant can poison the global model to achieve 100% accuracy on a backdoor task, outperforming data poisoning methods.
Federated learning enables thousands of participants to construct a deep learning model without sharing their private training data with each other. For example, multiple smartphones can jointly train a next-word predictor for keyboards without revealing what individual users type. We demonstrate that any participant in federated learning can introduce hidden backdoor functionality into the joint global model, e.g., to ensure that an image classifier assigns an attacker-chosen label to images with certain features, or that a word predictor completes certain sentences with an attacker-chosen word. We design and evaluate a new model-poisoning methodology based on model replacement. An attacker selected in a single round of federated learning can cause the global model to immediately reach 100% accuracy on the backdoor task. We evaluate the attack under different assumptions for the standard federated-learning tasks and show that it greatly outperforms data poisoning. Our generic constrain-and-scale technique also evades anomaly detection-based defenses by incorporating the evasion into the attacker's loss function during training.