Backdoor Attacks in Federated Transfer Learning
A look into focused backdoor attacks within federated machine learning systems.
Federated Transfer Learning (FTL) is a way for different parties to work together on creating machine learning models without exchanging their private data. Imagine a bank and an invoice agency collaborating on a financial risk model while keeping their respective data safe. FTL is an advanced form of Federated Learning (FL), which allows users to train models collaboratively without exposing their data.
The Structure of Federated Learning
In a typical federated setting, a central server collects updates from different clients who have trained their models on their private datasets. The server then combines these updates to form a global model. This process helps maintain privacy since users do not need to share their raw data.
In Horizontal Federated Learning (HFL), clients have data that share the same features but come from different locations or individuals. In Vertical Federated Learning (VFL), clients have data of the same individuals but with different features. FTL, however, is even more general, allowing clients to have diverse datasets in terms of both features and samples.
Understanding Backdoor Attacks
A backdoor attack is a malicious tactic used in machine learning, where an attacker introduces a hidden trigger into a model. When specific inputs containing this trigger are presented to the model, it behaves in the way the attacker intends. This can lead to serious security issues, especially if the model is used in sensitive areas like finance or healthcare.
The Challenge of Backdoor Attacks in FTL
In traditional FL scenarios, it is easier to introduce backdoor attacks because the model can learn new features during training. However, in FTL, the situation is different. The feature learning part is done by the server first, and this part remains unchanged when the clients train their models on their local data. This unique setup makes it complicated for attackers to craft effective backdoor triggers.
The Focused Backdoor Attack (FB-FTL)
The concept of a focused backdoor attack (FB-FTL) is introduced as a way to exploit vulnerabilities in FTL. This attack combines techniques from explainable artificial intelligence (XAI) and dataset distillation.
Identify Important Areas: Using XAI, attackers can find out which parts of an image are most important for the model's decision-making.
Create a Trigger: By using a method called dataset distillation, attackers can create a trigger that contains essential features of the target class and blend it into the high-attention areas of the image.
Inject the Trigger: The final step involves modifying the original image to include this trigger in such a way that the model's behavior is altered when it sees the altered image.
Testing FB-FTL
To test how well the FB-FTL works, experiments are conducted in a controlled environment. The researchers simulate a situation where multiple clients work together while one of them acts maliciously by injecting a backdoor trigger into their local training process.
Results of the Attack
The results show that FB-FTL can achieve a high success rate in tricking the model into misclassifying inputs when the trigger is present. This effectiveness persists even against various defenses that are meant to protect federated models from such attacks.
Importance of Visual Features
One of the keys to the success of FB-FTL is the positioning of the trigger. By placing it in areas of the image that the model finds essential for its decision-making, attackers can significantly increase the chances of their attack succeeding. This method of focusing the attack makes it much more effective than traditional approaches that do not consider the model's workings.
Strategies for Blending Triggers
A notable aspect of the FB-FTL is how it blends the trigger with the original image. Using perceptual similarity metrics, the researchers can ensure that the modifications made by the trigger remain subtle and are not easily detectable.
Defenses Against FB-FTL
Despite the effectiveness of the FB-FTL, studies also examine various defense mechanisms. These defenses aim to protect federated models from potential backdoor attacks by identifying and filtering out malicious updates that could influence the model's training.
Horizontal Federated Learning Defenses: Techniques such as Krum and Trimmed Mean are explored. These defenses aim to filter out unusual updates based on certain criteria; they are often effective but not foolproof.
Vertical Federated Learning Defenses: Some strategies adapted from VFL are also assessed. These methods add a layer of uncertainty to the model's training through the use of noisy labels, potentially making it harder for attacks like FB-FTL to succeed.
Summary and Future Directions
In conclusion, FB-FTL represents a new and effective method for injecting backdoors into Federated Transfer Learning systems. Its success lies in its ability to focus the attack on high-importance areas of the input data while blending the trigger smoothly into the original content.
As technology advances, understanding such vulnerabilities becomes crucial, leading to the development of better protective measures. Future work could be directed towards enhancing defenses specific to FTL scenarios and exploring additional avenues for safeguarding data privacy in collaborative machine learning environments.
Title: Let's Focus: Focused Backdoor Attack against Federated Transfer Learning
Abstract: Federated Transfer Learning (FTL) is the most general variation of Federated Learning. According to this distributed paradigm, a feature learning pre-step is commonly carried out by only one party, typically the server, on publicly shared data. After that, the Federated Learning phase takes place to train a classifier collaboratively using the learned feature extractor. Each involved client contributes by locally training only the classification layers on a private training set. The peculiarity of an FTL scenario makes it hard to understand whether poisoning attacks can be developed to craft an effective backdoor. State-of-the-art attack strategies assume the possibility of shifting the model attention toward relevant features introduced by a forged trigger injected in the input data by some untrusted clients. Of course, this is not feasible in FTL, as the learned features are fixed once the server performs the pre-training step. Consequently, in this paper, we investigate this intriguing Federated Learning scenario to identify and exploit a vulnerability obtained by combining eXplainable AI (XAI) and dataset distillation. In particular, the proposed attack can be carried out by one of the clients during the Federated Learning phase of FTL by identifying the optimal local for the trigger through XAI and encapsulating compressed information of the backdoor class. Due to its behavior, we refer to our approach as a focused backdoor approach (FB-FTL for short) and test its performance by explicitly referencing an image classification scenario. With an average 80% attack success rate, obtained results show the effectiveness of our attack also against existing defenses for Federated Learning.
Authors: Marco Arazzi, Stefanos Koffas, Antonino Nocera, Stjepan Picek
Last Update: 2024-04-30 00:00:00
Language: English
Source URL: https://arxiv.org/abs/2404.19420
Source PDF: https://arxiv.org/pdf/2404.19420
Licence: https://creativecommons.org/licenses/by/4.0/
Changes: This summary was created with assistance from AI and may have inaccuracies. For accurate information, please refer to the original source documents linked here.
Thank you to arxiv for use of its open access interoperability.