In a federated learning (FL) system, malicious participants can easily embed backdoors into the aggregated model while maintaining the model's performance on the main task. To this end, various defenses, including training stage aggregation-based defenses and post-training mitigation defenses, have been proposed recently. While these defenses obtain reasonable performance against existing backdoor attacks, which are mainly heuristics based, we show that they are insufficient in the face of more advanced attacks. In particular, we propose a general reinforcement learning-based backdoor attack framework where the attacker first trains a (non-myopic) attack policy using a simulator built upon its local data and common knowledge on the FL system, which is then applied during actual FL training. Our attack framework is both adaptive and flexible and achieves strong attack performance and durability even under state-of-the-art defenses.

翻译：在联邦学习 (FL) 系统中，恶意参与者可以轻松地将后门嵌入聚合模型中，并在保持主要任务的性能的同时，保留他们的后门。为此，近期提出了各种防御措施，包括训练阶段基于聚合的防御和后训练缓解防御。虽然这些防御在现有基于启发式的后门攻击方面取得了合理的性能，但我们表明它们在面对更先进的攻击时是不充分的。具体而言，我们提出了一种基于强化学习的后门攻击框架，在其中攻击者首先使用基于其本地数据和FL系统公共知识的模拟器训练一个（非近视）攻击策略，然后在实际FL训练中应用该策略。我们的攻击框架既是适应性的，又是灵活的，并且即使在最新的防御措施下也可以实现强大的攻击性能和耐久性。