In federated learning (FL), profiling and verifying each client is inherently difficult, which introduces a significant security vulnerability: malicious clients, commonly referred to as Byzantines, can degrade the accuracy of the global model by submitting poisoned updates during training. To mitigate this, the aggregation process at the parameter server must be robust against such adversarial behaviour. Most existing defences approach the Byzantine problem from an outlier detection perspective, treating malicious updates as statistical anomalies and ignoring the internal structure of the trained neural network (NN). Motivated by this, this work highlights the potential of leveraging side information tied to the NN architecture to design stronger, more targeted attacks. In particular, inspired by insights from sparse NNs, we introduce a hybrid sparse Byzantine attack. The attack consists of two coordinated components: (i) A sparse attack component that selectively manipulates parameters with higher sensitivity in the NN, aiming to cause maximum disruption with minimal visibility; (ii) A slow-accumulating attack component that silently poisons parameters over multiple rounds to evade detection. Together, these components create a strong but imperceptible attack strategy that can bypass common defences. We evaluate the proposed attack through extensive simulations and demonstrate its effectiveness against eight state-of-the-art defence mechanisms.

翻译：在联邦学习（FL）中，对每个客户端进行特征分析与验证本身就十分困难，这引入了一个显著的安全漏洞：恶意客户端（通常称为拜占庭节点）能够在训练过程中提交被毒化的更新，从而降低全局模型的准确率。为缓解这一问题，参数服务器上的聚合过程必须对这种对抗行为具有鲁棒性。现有的大多数防御方法都是从异常检测的角度处理拜占庭问题，将恶意更新视为统计异常值，而忽略了所训练神经网络（NN）的内部结构。受此启发，本文强调了利用与NN架构相关的辅助信息来设计更强、更具针对性的攻击的潜力。具体而言，受稀疏NN研究的启发，我们引入了一种混合稀疏拜占庭攻击。该攻击由两个协同组件构成：（i）一个稀疏攻击组件，它选择性地操纵NN中敏感度较高的参数，旨在以最小的可见性造成最大的破坏；（ii）一个缓慢累积的攻击组件，它通过多轮训练悄悄毒化参数以逃避检测。这些组件共同构成了一种强大但隐蔽的攻击策略，能够绕过常见的防御机制。我们通过大量仿真评估了所提出的攻击方法，并展示了其对八种最先进防御机制的有效性。