Federated learning (FL) has been widely deployed to enable machine learning training on sensitive data across distributed devices. However, the decentralized learning paradigm and heterogeneity of FL further extend the attack surface for backdoor attacks. Existing FL attack and defense methodologies typically focus on the whole model. None of them recognizes the existence of backdoor-critical (BC) layers, a small subset of layers that dominate the model's vulnerabilities. Attacking the BC layers achieves effects equivalent to attacking the whole model, but with a far smaller chance of being detected by state-of-the-art (SOTA) defenses. This paper proposes a general in-situ approach that identifies and verifies BC layers from the perspective of attackers. Based on the identified BC layers, we carefully craft a new backdoor attack methodology that adaptively seeks a fundamental balance between attacking effects and stealthiness under various defense strategies. Extensive experiments show that our BC layer-aware backdoor attacks can successfully backdoor FL under seven SOTA defenses with only 10% malicious clients and outperform the latest backdoor attack methods.