Most machine learning applications rely on centralized learning processes, opening up the risk of exposure of their training datasets. While federated learning (FL) mitigates these privacy risks to some extent, it relies on a trusted aggregation server for training a shared global model. Recently, new distributed learning architectures based on Peer-to-Peer Federated Learning (P2PFL) offer advantages in terms of both privacy and reliability. Still, their resilience to poisoning attacks during training has not been investigated. In this paper, we propose new backdoor attacks for P2PFL that leverage structural graph properties to select the malicious nodes and achieve high attack success while remaining stealthy. We evaluate our attacks under various realistic conditions, including multiple graph topologies, limited adversarial visibility of the network, and clients with non-IID data. Finally, we show the limitations of existing defenses adapted from FL and design a new defense that successfully mitigates the backdoor attacks, without an impact on model accuracy.