Current backdoor attacks against federated learning (FL) rely strongly on universal triggers or semantic patterns, which can be easily detected and filtered by certain defense mechanisms such as norm clipping and comparing parameter divergences among local updates. In this work, we propose a new stealthy and robust backdoor attack with flexible triggers against FL defenses. To achieve this, we build a generative trigger function that can learn to manipulate the benign samples with an imperceptible flexible trigger pattern and simultaneously make the trigger pattern include the most significant hidden features of the attacker-chosen label. Moreover, our trigger generator can keep learning and adapt across different rounds, allowing it to adjust to changes in the global model. By filling the distinguishable difference (the mapping between the trigger pattern and target label), we make our attack naturally stealthy. Extensive experiments on real-world datasets verify the effectiveness and stealthiness of our attack compared to prior attacks on a decentralized learning framework with eight well-studied defenses.