We study backdoor attacks in peer-to-peer federated learning systems on different graph topologies and datasets. We show that only 5% of nodes being attackers is sufficient to perform a backdoor attack with 42% attack success without decreasing the accuracy on clean data by more than 2%. We also demonstrate that the attack can be amplified by the attacker crashing a small number of nodes. We evaluate defenses proposed in the context of centralized federated learning and show that they are ineffective in peer-to-peer settings. Finally, we propose a defense that mitigates the attacks by applying different clipping norms to the model updates received from peers and to the local model trained by a node.
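The defense named in the last sentence, sketched as an added example that is not the authors' implementation: a node bounds its own update and the updates from its peers with separate norm limits before averaging. The L2 norm, the plain averaging rule, clipping deltas relative to the node's current model, and the bound values are all assumptions made for illustration.

```python
import math

def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))

def clip(delta, max_norm):
    """Scale delta down so that its L2 norm is at most max_norm."""
    n = l2_norm(delta)
    if n <= max_norm or n == 0.0:
        return list(delta)
    scale = max_norm / n
    return [x * scale for x in delta]

def aggregate(current, local_model, peer_models, local_clip, peer_clip):
    """One aggregation round at a single node (assumed rule, not the paper's).

    Each model is turned into a delta from the node's current model.
    The local delta is clipped to local_clip, every peer delta to
    peer_clip, and the clipped deltas are averaged and applied.
    """
    def delta(model):
        return [m - c for m, c in zip(model, current)]

    deltas = [clip(delta(local_model), local_clip)]
    deltas += [clip(delta(p), peer_clip) for p in peer_models]
    mean = [sum(col) / len(deltas) for col in zip(*deltas)]
    return [c + m for c, m in zip(current, mean)]

def demo():
    # Constructed two-parameter models; the last peer sends a boosted update.
    current = [0.0, 0.0]
    local = [0.3, 0.4]                      # delta norm 0.5
    peers = [[0.06, 0.08], [-30.0, 40.0]]   # delta norms 0.1 and 50
    undefended = aggregate(current, local, peers, math.inf, math.inf)
    defended = aggregate(current, local, peers, local_clip=1.0, peer_clip=0.5)
    return undefended, defended

if __name__ == "__main__":
    undefended, defended = demo()
    print("no clipping:  ", undefended)
    print("split clipping:", defended)
```

Because each peer delta is bounded by `peer_clip` regardless of what the peer sends, a single boosted update can move the average by at most `peer_clip / (number of models averaged)`.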