TY - GEN
T1 - 3DFed: Adaptive and Extensible Framework for Covert Backdoor Attack in Federated Learning
AU - Li, Haoyang
AU - Ye, Qingqing
AU - Hu, Haibo
AU - Li, Jin
AU - Wang, Leixia
AU - Fang, Chengfang
AU - Shi, Jie
N1 - Funding Information:
This work was supported by the National Natural Science Foundation of China (Grant No: 92270123, 62072390, and 62102334), the National Natural Science Foundation of China for Joint Fund Project (No. U1936218), and the Research Grants Council, Hong Kong SAR, China (Grant No: 15222118, 15218919, 15203120, 15226221, 15225921, 15209922 and C2004-21GF). This work was partially supported by Huawei International. We appreciate anonymous reviewers’ constructive comments on the manuscript of this paper.
Publisher Copyright:
© 2023 IEEE.
PY - 2023/7
Y1 - 2023/7
N2 - Federated Learning (FL), the de-facto distributed machine learning paradigm that locally trains datasets at individual devices, is vulnerable to backdoor model poisoning attacks. By compromising or impersonating those devices, an attacker can upload crafted malicious model updates to manipulate the global model with backdoor behavior upon attacker-specified triggers. However, existing backdoor attacks require more information on the victim FL system beyond a practical black-box setting. Furthermore, they are often specialized to optimize for a single objective, which becomes ineffective as modern FL systems tend to adopt in-depth defense that detects backdoor models from different perspectives. Motivated by these concerns, in this paper, we propose 3DFed, an adaptive, extensible, and multi-layered framework to launch covert FL backdoor attacks in a black-box setting. 3DFed sports three evasion modules that camouflage backdoor models: backdoor training with constrained loss, noise mask, and decoy model. By implanting indicators into a backdoor model, 3DFed can obtain the attack feedback in the previous epoch from the global model and dynamically adjust the hyper-parameters of these backdoor evasion modules. Through extensive experimental results, we show that when all its components work together, 3DFed can evade the detection of all state-of-the-art FL backdoor defenses, including Deepsight, Foolsgold, FLAME, FL-Detector, and RFLBAT. New evasion modules can also be incorporated in 3DFed in the future as it is an extensible framework.
UR - http://www.scopus.com/inward/record.url?scp=85166487446&partnerID=8YFLogxK
U2 - 10.1109/SP46215.2023.10179401
DO - 10.1109/SP46215.2023.10179401
M3 - Conference article published in proceeding or book
AN - SCOPUS:85166487446
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1893
EP - 1907
BT - Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 44th IEEE Symposium on Security and Privacy, SP 2023
Y2 - 22 May 2023 through 25 May 2023
ER -