This paper explores previously unknown backdoor risks in HyperNet-based personalized federated learning (HyperNetFL) through poisoning attacks. Building on this, we propose a novel model transferring attack, called HNTroj, the first of its kind, which transfers a local backdoor-infected model to all legitimate, personalized local models generated by the HyperNetFL model, through consistent and effective malicious local gradients computed across all compromised clients throughout the whole training process. As a result, HNTroj reduces the number of compromised clients needed to successfully launch the attack, without any observable signs of sudden shifts or degradation in model utility on legitimate data samples, which makes the attack stealthy. To defend against HNTroj, we adapted several backdoor-resistant FL training algorithms to HyperNetFL. An extensive experiment carried out on several benchmark datasets shows that HNTroj significantly outperforms data poisoning and model replacement attacks and bypasses robust training algorithms even with modest numbers of compromised clients.