Current backdoor attacks against federated learning (FL) rely strongly on universal triggers or semantic patterns, which can be easily detected and filtered by certain defense mechanisms such as norm clipping and comparing parameter divergences among local updates. In this work, we propose a new stealthy and robust backdoor attack with flexible triggers against FL defenses. To achieve this, we build a generative trigger function that learns to manipulate benign samples with an imperceptible, flexible trigger pattern while making the trigger pattern include the most significant hidden features of the attacker-chosen label. Moreover, our trigger generator can keep learning and adapting across rounds, allowing it to adjust to changes in the global model. By closing the distinguishable difference (the mapping between the trigger pattern and the target label), we make our attack naturally stealthy. Extensive experiments on real-world datasets verify the effectiveness and stealthiness of our attack compared to prior attacks on a decentralized learning framework with eight well-studied defenses.