LG | CR | CV | Apr 25, 2023

Chameleon: Adapting to Peer Images for Planting Durable Backdoors in Federated Learning

arXiv:2304.12961v2 | 45 citations | h-index: 27 | Has Code
Originality: Incremental advance
AI Analysis

This addresses a security vulnerability in federated learning systems, offering a more durable backdoor attack, but it is incremental as it builds on existing poisoning methods.

The paper tackles the problem of backdoors in federated learning being non-durable by proposing Chameleon, an attack that uses contrastive learning to amplify relationships between benign and poisoned images, resulting in a backdoor lifespan extended by 1.2× to 4× across various datasets and models.

In a federated learning (FL) system, distributed clients upload their local models to a central server to aggregate into a global model. Malicious clients may plant backdoors into the global model through uploading poisoned local models, causing images with specific patterns to be misclassified into some target labels. Backdoors planted by current attacks are not durable, and vanish quickly once the attackers stop model poisoning. In this paper, we investigate the connection between the durability of FL backdoors and the relationships between benign images and poisoned images (i.e., the images whose labels are flipped to the target label during local training). Specifically, benign images with the original and the target labels of the poisoned images are found to have key effects on backdoor durability. Consequently, we propose a novel attack, Chameleon, which utilizes contrastive learning to further amplify such effects towards a more durable backdoor. Extensive experiments demonstrate that Chameleon significantly extends the backdoor lifespan over baselines by $1.2\times \sim 4\times$, for a wide range of image datasets, backdoor types, and model architectures.

Code Implementations: 1 repo