CR LG Jul 13, 2024

Partner in Crime: Boosting Targeted Poisoning Attacks against Federated Learning

arXiv:2407.09958v2, 9 citations, h-index: 40
Originality: Incremental advance
AI Analysis

This work addresses security vulnerabilities in Federated Learning for applications requiring robust model training, but it is incremental because it builds on existing attack methods.

The paper tackles the problem of targeted poisoning attacks in Federated Learning being mitigated by existing defenses, and introduces BoTPA, a pre-training stage approach that boosts attack success rates by falsifying labels in an Amplifier set; evaluations show median relative increases in attack success rate ranging from 15.3% to 94.7% across various attacks and defenses.

Federated Learning (FL) exposes vulnerabilities to targeted poisoning attacks that aim to cause misclassification specifically from the source class to the target class. However, using well-established defense frameworks, the poisoning impact of these attacks can be greatly mitigated. We introduce a generalized pre-training stage approach to Boost Targeted Poisoning Attacks against FL, called BoTPA. Its design rationale is to leverage the model update contributions of all data points, including ones outside of the source and target classes, to construct an Amplifier set, in which we falsify the data labels before the FL training process, as a means to boost attacks. We comprehensively evaluate the effectiveness and compatibility of BoTPA on various targeted poisoning attacks. Under data poisoning attacks, our evaluations reveal that BoTPA can achieve a median Relative Increase in Attack Success Rate (RI-ASR) between 15.3% and 36.9% across all possible source-target class combinations, with varying percentages of malicious clients, compared to its baseline. In the context of model poisoning, BoTPA attains RI-ASRs ranging from 13.3% to 94.7% in the presence of the Krum and Multi-Krum defenses, from 2.6% to 49.2% under the Median defense, and from 2.9% to 63.5% under the Flame defense.
