Federated learning (FL) is vulnerable to poisoning attacks, where adversaries corrupt the global aggregation results and cause denial-of-service (DoS). Unlike recent model poisoning attacks that optimize the amplitude of malicious perturbations along certain prescribed directions to cause DoS, we propose a Flexible Model Poisoning Attack (FMPA) that can achieve versatile attack goals. We consider a practical threat scenario where no extra knowledge about the FL system (e.g., aggregation rules or updates on benign devices) is available to adversaries. FMPA exploits the global historical information to construct an estimator that predicts the next round of the global model as a benign reference. It then fine-tunes the reference model to obtain the desired poisoned model with low accuracy and small perturbations. Besides the goal of causing DoS, FMPA can be naturally extended to launch a fine-grained controllable attack, making it possible to precisely reduce the global accuracy. Armed with precise control, malicious FL service providers can gain advantages over their competitors without getting noticed, hence opening a new attack surface in FL other than DoS. Even for the purpose of DoS, experiments show that FMPA significantly decreases the global accuracy, outperforming six state-of-the-art attacks. The code can be found at https://github.com/ZhangHangTao/Poisoning-Attack-on-FL.