Existing research primarily focuses on backdoor attacks and defenses within the generic federated learning scenario, where all clients collaborate to train a single global model. A recent study conducted by Qin et al. (2023) marks the initial exploration of backdoor attacks within the personalized federated learning (pFL) scenario, where each client constructs a personalized model based on its local data. Notably, the study demonstrates that pFL methods with \textit{parameter decoupling} can significantly enhance robustness against backdoor attacks. However, in this paper, we whistleblow that pFL methods with parameter decoupling are still vulnerable to backdoor attacks. The resistance of pFL methods with parameter decoupling is attributed to the heterogeneous classifiers between malicious clients and benign counterparts. We analyze two direct causes of the heterogeneous classifiers: (1) data heterogeneity inherently exists among clients and (2) poisoning by malicious clients further exacerbates the data heterogeneity. To address these issues, we propose a two-pronged attack method, BapFL, which comprises two simple yet effective strategies: (1) poisoning only the feature encoder while keeping the classifier fixed and (2) diversifying the classifier through noise introduction to simulate that of the benign clients. Extensive experiments on three benchmark datasets under varying conditions demonstrate the effectiveness of our proposed attack. Additionally, we evaluate the effectiveness of six widely used defense methods and find that BapFL still poses a significant threat even in the presence of the best defense, Multi-Krum. We hope to inspire further research on attack and defense strategies in pFL scenarios. The code is available at: https://github.com/BapFL/code.

翻译：现有研究主要关注通用联邦学习场景中的后门攻击与防御，在该场景中所有客户端协作训练单个全局模型。Qin等人（2023）近期开展的研究标志着对个性化联邦学习（pFL）场景中后门攻击的初步探索，在此场景中每个客户端基于其本地数据构建个性化模型。值得注意的是，该研究表明采用参数解耦的pFL方法能显著增强对后门攻击的鲁棒性。然而，本文揭露采用参数解耦的pFL方法仍然易受后门攻击。参数解耦型pFL方法的抗攻击性得益于恶意客户端与良性客户端之间的异构分类器。我们分析了导致分类器异构的两个直接原因：（1）客户端之间固有的数据异质性，（2）恶意客户端的投毒行为进一步加剧了数据异质性。为解决这些问题，我们提出双管齐下的攻击方法BapFL，该方法包含两个简单而有效的策略：（1）仅投毒特征编码器而保持分类器固定，（2）通过引入噪声使分类器多样化以模拟良性客户端的分类器。在三个基准数据集上不同条件下的广泛实验证明了所提攻击的有效性。此外，我们评估了六种广泛使用防御方法的效果，发现即使面对最佳防御方法Multi-Krum，BapFL仍构成显著威胁。我们期望能启发pFL场景中攻击与防御策略的进一步研究。代码已开源：https://github.com/BapFL/code。