Federated self-supervised learning (FSSL) has recently emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data while preserving data privacy. While FSSL offers advantages, its susceptibility to backdoor attacks, a concern identified in traditional federated supervised learning (FSL), has not been investigated. To fill the research gap, we undertake a comprehensive investigation into a backdoor attack paradigm, where unscrupulous clients conspire to manipulate the global model, revealing the vulnerability of FSSL to such attacks. In FSL, backdoor attacks typically build a direct association between the backdoor trigger and the target label. In contrast, in FSSL, backdoor attacks aim to alter the global model's representation for images containing the attacker's specified trigger pattern in favor of the attacker's intended target class, which is less straightforward. In this sense, we demonstrate that existing defenses are insufficient to mitigate the investigated backdoor attacks in FSSL, thus finding an effective defense mechanism is urgent. To tackle this issue, we dive into the fundamental mechanism of backdoor attacks on FSSL, proposing the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models. In particular, EmInspector assesses the similarity of embeddings from different local models using a small set of inspection images (e.g., ten images of CIFAR100) without specific requirements on sample distribution or labels. We discover that embeddings from backdoored models tend to cluster together in the embedding space for a given inspection image. Evaluation results show that EmInspector can effectively mitigate backdoor attacks on FSSL across various adversary settings. Our code is avaliable at https://github.com/ShuchiWu/EmInspector.

翻译：联邦自监督学习（FSSL）作为一种新兴的范式，能够在保护数据隐私的同时充分利用客户端的大量未标注数据。尽管FSSL具有诸多优势，但其对后门攻击的脆弱性——这一在传统联邦监督学习（FSL）中已被关注的问题——尚未得到充分研究。为填补这一研究空白，我们对一种后门攻击范式展开了全面调查，其中恶意客户端合谋操纵全局模型，揭示了FSSL对此类攻击的脆弱性。在FSL中，后门攻击通常在后门触发器与目标标签之间建立直接关联；而在FSSL中，后门攻击旨在改变全局模型对包含攻击者指定触发器图像的表示，使其偏向攻击者预期的目标类别，这一机制更为隐晦。基于此，我们证明了现有防御方法不足以缓解FSSL中研究的后门攻击，因此亟需寻找有效的防御机制。为解决该问题，我们深入探究了FSSL后门攻击的基本机理，提出了通过检测本地模型的嵌入空间来识别恶意客户端的嵌入检测器（EmInspector）。具体而言，EmInspector利用少量检测图像（例如CIFAR100的十张图像），在不依赖样本分布或标签特定要求的情况下，评估不同本地模型生成嵌入的相似性。我们发现，对于给定的检测图像，被植入后门的模型生成的嵌入倾向于在嵌入空间中聚集。评估结果表明，EmInspector能够在多种对抗设置下有效缓解针对FSSL的后门攻击。我们的代码公开于https://github.com/ShuchiWu/EmInspector。