In a federated learning (FL) system, malicious participants can easily embed backdoors into the aggregated model while maintaining the model's performance on the main task. To this end, various defenses, including training-stage aggregation-based defenses and post-training mitigation defenses, have been proposed recently. While these defenses obtain reasonable performance against existing backdoor attacks, which are mainly heuristics-based, we show that they are insufficient in the face of more advanced attacks. In particular, we propose a general reinforcement learning-based backdoor attack framework in which the attacker first trains a (non-myopic) attack policy using a simulator built upon its local data and common knowledge of the FL system, and then applies that policy during actual FL training. Our attack framework is both adaptive and flexible, and it achieves strong attack performance and durability even under state-of-the-art defenses.