Backdoor attacks pose a significant threat to the security of federated learning systems. However, existing research primarily focuses on backdoor attacks and defenses within the generic FL scenario, where all clients collaborate to train a single global model. \citet{qin2023revisiting} conduct the first study of backdoor attacks in the personalized federated learning (pFL) scenario, where each client constructs a personalized model based on its local data. Notably, that study demonstrates that pFL methods with partial model-sharing can significantly boost robustness against backdoor attacks. In this paper, we reveal that pFL methods with partial model-sharing are still vulnerable to backdoor attacks in the absence of any defense. We propose three backdoor attack methods, BapFL, BapFL+, and Gen-BapFL, and we empirically demonstrate that they can effectively attack the pFL methods. Specifically, the key principle of BapFL lies in keeping the local parameters clean while implanting the backdoor into the global (shared) parameters. BapFL+ generalizes the attack success to benign clients by introducing Gaussian noise to the local parameters. Furthermore, we assume collaboration among malicious clients and propose Gen-BapFL, which leverages meta-learning techniques to further enhance attack generalization. We evaluate our proposed attack methods against two classic pFL methods with partial model-sharing, FedPer and LG-FedAvg. Extensive experiments on four FL benchmark datasets demonstrate the effectiveness of our proposed attack methods. Additionally, we assess the efficacy of various defense strategies against our proposed attacks and find that Gradient Norm-Clipping is particularly effective. It is crucial to note that pFL methods are not always secure in the presence of backdoor attacks, and we hope to inspire further research on attack and defense in pFL scenarios.
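The defense the abstract singles out, Gradient Norm-Clipping, as an added illustration that is not the paper's code: in a FedPer-style split only the shared parameters reach the server, so the server can bound each client's update of those parameters before averaging. The parameter vectors, the threshold \texttt{max\_norm} and the outsized client update are constructed for the example.

```python
import math


def l2_norm(vec):
    return math.sqrt(sum(x * x for x in vec))


def clip_update(delta, max_norm):
    """Scale one client's update of the shared parameters so its L2 norm is at most max_norm."""
    norm = l2_norm(delta)
    if norm <= max_norm or norm == 0.0:
        return list(delta)
    scale = max_norm / norm
    return [x * scale for x in delta]


def aggregate_shared(global_params, client_deltas, max_norm=None):
    """FedAvg-style mean over the shared parameters only (partial model-sharing:
    personalized local parameters never leave the client).  With max_norm set,
    every update is clipped first, so the averaged step has norm <= max_norm."""
    if max_norm is not None:
        client_deltas = [clip_update(d, max_norm) for d in client_deltas]
    n = len(client_deltas)
    mean_delta = [sum(d[i] for d in client_deltas) / n for i in range(len(global_params))]
    return [g + m for g, m in zip(global_params, mean_delta)]


# Constructed round: three clients send small updates of a 4-parameter shared head,
# one client sends an update whose norm is far above the benign range.
GLOBAL = [0.0, 0.0, 0.0, 0.0]
BENIGN = [[0.10, -0.05, 0.02, 0.00],
          [0.08, -0.04, 0.03, 0.01],
          [0.12, -0.06, 0.01, -0.01]]
OUTLIER = [5.0, -4.0, 3.0, 2.0]  # constructed anomalous update (norm ~ 7.35)


def run_round(max_norm=None):
    """Aggregate the constructed round; returns the new shared parameters."""
    return aggregate_shared(GLOBAL, BENIGN + [OUTLIER], max_norm)


def step_norm(new_params, old_params=GLOBAL):
    """Size of the global step the aggregation actually applied."""
    return l2_norm([a - b for a, b in zip(new_params, old_params)])


if __name__ == "__main__":
    print("step without clipping:", round(step_norm(run_round()), 3))
    print("step with clipping  :", round(step_norm(run_round(max_norm=0.2)), 3))
```

Without clipping the single outlier dominates the averaged step; with a threshold near the benign update norms its influence is capped at the same order as any other client's.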