Federated Learning is an important emerging distributed training paradigm that keeps data private on clients. It is now well understood that by controlling only a small subset of FL clients, it is possible to introduce a backdoor to a federated learning model, in the presence of certain attributes. In this paper, we present a new type of attack that compromises the fairness of the trained model. Fairness is understood to be the attribute-level performance distribution of a trained model. It is particularly salient in domains where, for example, skewed accuracy discrimination between subpopulations could have disastrous consequences. We find that by employing a threat model similar to that of a backdoor attack, an attacker is able to influence the aggregated model to have an unfair performance distribution between any given set of attributes. Furthermore, we find that this attack is possible by controlling only a single client. While combating naturally induced unfairness in FL has previously been discussed in depth, its artificially induced kind has been neglected. We show that defending against attacks on fairness should be a critical consideration in any situation where unfairness in a trained model could benefit a user who participated in its training.

翻译：联邦学习是一种重要的新兴分布式训练范式，能够将数据保留在客户端中实现隐私保护。现有研究表明，通过控制少量联邦学习客户端，攻击者可在特定属性存在的情况下向联邦学习模型植入后门。本文提出了一种新型攻击方式，旨在破坏训练模型的公平性。此处公平性指训练模型在属性层面的性能分布，在诸如子群体间准确率偏差可能导致灾难性后果的领域中尤为关键。我们发现，采用与后门攻击类似的威胁模型时，攻击者能够操控聚合模型，使其在任意给定属性集上呈现不公平的性能分布。进一步研究表明，仅需控制单个客户端即可实现该攻击。尽管联邦学习中天然不公平性的应对措施此前已被深入探讨，但人为诱导的不公平性却长期受到忽视。本工作表明，凡训练模型的不公平性可能使参与训练的用户获益的场景中，针对公平性攻击的防御都应成为关键考量。