Federated learning (FL) has been widely deployed to enable machine learning training on sensitive data across distributed devices. However, the decentralized learning paradigm and heterogeneity of FL further extend the attack surface for backdoor attacks. Existing FL attack and defense methodologies typically focus on the whole model. None of them recognizes the existence of backdoor-critical (BC) layers, a small subset of layers that dominate the model vulnerabilities. Attacking the BC layers achieves effects equivalent to attacking the whole model, but with a far smaller chance of being detected by state-of-the-art (SOTA) defenses. This paper proposes a general in-situ approach that identifies and verifies BC layers from the perspective of attackers. Based on the identified BC layers, we carefully craft a new backdoor attack methodology that adaptively seeks a fundamental balance between attacking effects and stealthiness under various defense strategies. Extensive experiments show that our BC layer-aware backdoor attacks can successfully backdoor FL under seven SOTA defenses with only 10% malicious clients and outperform the latest backdoor attack methods.