Federated Learning (FL) has been demonstrated to be vulnerable to backdoor attacks. FL is a decentralized machine learning framework, yet most research focuses on the Single-Label Backdoor Attack (SBA), where adversaries share the same target, and neglects the fact that adversaries may be unaware of each other's existence and hold different targets, i.e., the Multi-Label Backdoor Attack (MBA). Unfortunately, directly applying prior work to the MBA would not only be ineffective but could also cause the attacks to mitigate each other. In this paper, we first investigate the limitations of applying previous work to the MBA. Subsequently, we propose M2M, a novel multi-label backdoor attack in FL, which adversarially adapts the backdoor trigger to ensure that backdoored samples are processed as clean target samples in the global model. Our key intuition is to establish a connection between the trigger pattern and the target class distribution, allowing different triggers to activate backdoors along clean activation paths of the target class without concerns about potential mitigation. Extensive evaluations comprehensively demonstrate that M2M outperforms various state-of-the-art attack methods. This work aims to alert researchers and developers to this potential threat and to inspire the design of effective detection methods. Our code will be made available later.