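(Translation) DBA: DISTRIBUTED BACKDOOR ATTACKS AGAINST FEDERATED LEARNING

Abstract

Backdoor attacks aim to manipulate a subset of training data by injecting adversarial triggers, such that machine learning models trained on the tampered dataset will make arbitrarily (targeted) incorrect predictions on a test set embedded with the same trigger. While federated learning (FL) is capable of aggregating information provided by different parties to train a better model, its distributed learning methodology and the inherently heterogeneous data distribution across parties may bring new vulnerabilities. In addition to recent centralized backdoor attacks on FL, in which each party embeds the same global trigger during training, we propose the distributed backdoor attack (DBA), a novel threat assessment framework developed by fully exploiting the distributed nature of FL. DBA decomposes a global trigger pattern into separate local patterns and embeds them into the training sets of different adversarial parties respectively. Compared with standard centralized backdoors, we show that DBA is more persistent and stealthy against FL on diverse datasets such as finance and image data. We conduct extensive experiments showing that the attack success rate of DBA is significantly higher than that of centralized backdoors under different settings. Moreover, we find that distributed attacks are indeed more insidious, as DBA can evade two state-of-the-art robust FL algorithms designed against centralized backdoors. We also provide explanations for the effectiveness of DBA via feature visual interpretation and feature importance ranking. To further explore the properties of DBA, we test the attack performance by varying different trigger factors, including local trigger variations (size, gap, and location), the scaling factor in FL, data distribution, and poison ratio and interval. Our proposed DBA and thorough evaluation results shed light on characterizing the robustness of FL.

1. Introduction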

Federated learning (FL) has been recently proposed to address the problems for training machine learning models without direct access to diverse training data, especially for privacy-sensitive tasks (Smith et al., 2017; McMahan et al., 2017; Zhao et al., 2018). Utilizing local training data of participants (i.e., parties), FL helps train a shared global model with improved performance. There have been prominent applications and ever-growing trends in deploying FL in practice, such as loan status prediction, health situation assessment (e.g. potential cancer risk assessment), and next-word prediction while typing (Hard et al., 2018; Yang et al., 2018; 2019).

Although FL is capable of aggregating dispersed (and often restricted) information provided by different parties to train a better model, its distributed learning methodology as well as inherently heterogeneous (i.e., non-i.i.d.) data distribution across different parties may unintentionally provide a venue to new attacks. In particular, the fact of limiting access to individual party’s data due to privacy concerns or regulation constraints may facilitate backdoor attacks on the shared model trained with FL. A backdoor attack is a type of data poisoning attack that aims to manipulate a subset of training data such that machine learning models trained on the tampered dataset will be vulnerable to the test set with a similar trigger embedded (Gu et al., 2019).

Figure 1: Overview of centralized and distributed backdoor attacks (DBA) on FL. The aggregator at round t + 1 combines information from local parties (benign and adversarial) in the previous round t, and updates the shared model $G^{t+1}$. When implementing backdoor attacks, the centralized attacker uses a global trigger while each distributed attacker uses a local trigger which is part of the global one.

Backdoor attacks on FL have been recently studied in (Bagdasaryan et al., 2018; Bhagoji et al., 2019). However, current attacks do not fully exploit the distributed learning methodology of FL, as they embed the same global trigger pattern to all adversarial parties. We call such an attacking scheme a centralized backdoor attack. Leveraging the power of FL in aggregating dispersed information from local parties to train a shared model, in this paper we propose the distributed backdoor attack (DBA) against FL. Given the same global trigger pattern as the centralized attack, DBA decomposes it into local patterns and embeds them into different adversarial parties respectively. A schematic comparison between the centralized and distributed backdoor attacks is illustrated in Fig.1.

Through extensive experiments on several financial and image datasets and in-depth analysis, we summarize our main contributions and findings as follows.
• We propose a novel distributed backdoor attack strategy DBA on FL and show that DBA is more persistent and effective than centralized backdoor attack. Based on extensive experiments, we report a prominent phenomenon that although each adversarial party is only implanted with a local trigger pattern via DBA, their assembled pattern (i.e., global trigger) attains significantly better attack performance on the global model compared with the centralized attack. The results are consistent across datasets and under different attacking scenarios such as one-time (single-shot) and continuous (multiple-shot) poisoning settings. To the best of our knowledge, this paper is the first work studying distributed backdoor attacks.
• When evaluating the robustness of two recent robust FL methods against centralized backdoor attack (Fung et al., 2018; Pillutla et al., 2019), we find that DBA is more effective and stealthy, as its local trigger pattern is more insidious and hence easier to bypass the robust aggregation rules.
• We provide in-depth explanations for the effectiveness of DBA from different perspectives, including feature visual interpretation and feature importance ranking.
• We perform comprehensive analysis and ablation studies on several trigger factors in DBA, including the size, gap, and location of local triggers, scaling effect in FL, poisoning interval, data poisoning ratio, and data distribution.

2. DISTRIBUTED BACKDOOR ATTACK AGAINST FEDERATED LEARNING

2.1 GENERAL FRAMEWORK

2.2 DISTRIBUTED BACKDOOR ATTACK (DBA)

We again use Fig.1 to illustrate our proposed DBA in detail. Recall that the current centralized attack embeds the same global trigger for all local attackers (Bagdasaryan et al., 2018). For example, the attacker in Fig.1.(a) embeds the training data with the selected patterns highlighted by 4 colors, which altogether constitute a complete global pattern as the backdoor trigger.

In our DBA, as illustrated in Fig.1.(b), all attackers only use parts of the global trigger to poison their local models, while the ultimate adversarial goal is still the same as centralized attack — using the global trigger to attack the shared model. For example, the attacker with the orange sign poisons a subset of his training data only using the trigger pattern located at the orange area. Similar attacking methodology applies to green, yellow and blue signs. We define each DBA attacker’s trigger as the local trigger and the combined whole trigger as the global trigger. For fair comparison, we keep similar amount of total injected triggers (e.g., modified pixels) for both centralized attack and DBA.

In centralized attack, the attacker tries to solve the optimization problem in Eq.2 without any coordination and distributed processing. In contrast, DBA fully exploits the distributed learning and local data opacity in FL. Consider M attackers in DBA with M small local triggers. Each DBA attacker $m_i$ independently performs the backdoor attack on their local models. This novel mechanism breaks a centralized attack formulation into M distributed sub-attack problems aiming to solve
[Equation image missing in source]
where $\phi^{*}_{i} = \{\phi, O(i)\}$ is the geometric decomposing strategy for the local trigger pattern of attacker $m_i$ and $O(i)$ entails the trigger decomposition rule for $m_i$ based on the global trigger $\phi$. DBA attackers will poison with the poison round interval I and use the scale factor γ to manipulate their updates before submitting to the aggregator. We will explain the related trigger factors in the next subsection. We note that although none of the adversarial parties has ever been poisoned by the global trigger under DBA, we find that DBA indeed outperforms centralized attack significantly when evaluated with the global trigger.

2.3 FACTORS IN DISTRIBUTED BACKDOOR ATTACK

With the framework of DBA on FL, there are multiple new factors to be explored. Here we introduce a set of trigger factors that we find to be critical. Fig.2 explains the location, size and gap attributes of triggers in image datasets. For simplicity, we set all of our local triggers to the same rectangle shape. Fig.3 explains our trigger attribute of ranked feature importance in tabular data (e.g., the loan dataset).

Trigger Size TS: the number of pixel columns (i.e., the width) of a local distributed trigger.

Trigger Gap TG: the distances $Gap_x$ and $Gap_y$, which represent the distance between the left and right local triggers, and between the top and bottom local triggers, respectively.

Trigger Location TL: ($Shift_x$, $Shift_y$) is the offset of the trigger pattern from the top left pixel.

Poison Ratio r: the ratio controls the fraction of backdoored samples added per training batch. Intuitively, a larger r should be preferable when attacking, and there is a tradeoff between clean data accuracy and attack success rate, but too large an r would also hurt the attack effectiveness once the model becomes useless.

Poison Interval I: the round intervals between two poison steps. For example, I = 0 means all the local triggers are embedded within one round, while I = 1 means the local triggers are embedded in consecutive rounds.

Data Distribution: FL often presumes non-i.i.d. data distribution across parties. Here, we use a Dirichlet distribution (Minka, 2000) with different hyperparameter α to generate different data distributions following the setups in (Bagdasaryan et al., 2018).
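
The Dirichlet-controlled heterogeneity described above can be reproduced when evaluating how robust an FL setup is under different data splits. The sketch below is an added example, not code from the paper or from the original post; the per-class splitting scheme, the function names and the sample labels are assumptions made for illustration.

```python
import random
from collections import Counter, defaultdict

def dirichlet(alpha, k, rng):
    """One draw from a symmetric Dirichlet(alpha) over k parties."""
    draws = [rng.gammavariate(alpha, 1.0) for _ in range(k)]
    total = sum(draws)
    if total == 0.0:  # a tiny alpha can underflow every gamma draw to 0
        draws = [0.0] * k
        draws[rng.randrange(k)] = 1.0
        total = 1.0
    return [d / total for d in draws]

def partition_by_class(labels, num_parties, alpha, seed=0):
    """Assign sample indices to parties, one Dirichlet draw per class.

    Small alpha gives skewed (non-i.i.d.) parties; large alpha approaches
    an even split. Assumed scheme, not taken from the paper's code.
    """
    rng = random.Random(seed)
    by_class = defaultdict(list)
    for idx, label in enumerate(labels):
        by_class[label].append(idx)
    parties = [[] for _ in range(num_parties)]
    for label in sorted(by_class):
        idxs = by_class[label]
        rng.shuffle(idxs)
        shares = dirichlet(alpha, num_parties, rng)
        start, acc = 0, 0.0
        for p, share in enumerate(shares):
            acc += share
            end = min(len(idxs), round(acc * len(idxs)))
            if p == num_parties - 1:  # last party takes the remainder
                end = len(idxs)
            parties[p].extend(idxs[start:end])
            start = end
    return parties

def mean_top_class_share(parties, labels):
    """Average, over non-empty parties, of the largest single-class fraction."""
    tops = [max(Counter(labels[i] for i in p).values()) / len(p)
            for p in parties if p]
    return sum(tops) / len(tops)

if __name__ == "__main__":
    labels = [i % 10 for i in range(1000)]  # constructed: 10 balanced classes
    for alpha in (0.1, 1.0, 100.0):
        parts = partition_by_class(labels, 10, alpha, seed=1)
        print(alpha, [len(p) for p in parts],
              round(mean_top_class_share(parts, labels), 2))
```
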

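Conclusion

Through extensive experiments on diverse datasets, including LOAN and three image datasets under different settings, we show that in standard FL our proposed DBA is more persistent and effective than centralized backdoor attacks: DBA achieves a higher attack success rate, faster convergence and better resiliency in single-shot and multiple-shot attack scenarios. We also demonstrate that DBA is more stealthy and can successfully evade two robust FL approaches. The effectiveness of DBA is explained using feature visual interpretation to inspect its role in aggregation. We also perform an in-depth analysis of the important factors that are unique to DBA to explore its properties and limitations. Our results suggest that DBA is a new and more powerful attack on FL than current backdoor attacks. Our analysis and findings can provide new threat assessment tools and novel insights for evaluating the adversarial robustness of FL.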


Reposted from blog.csdn.net/JAck_chen0309/article/details/110153902