Without direct access to clients' data, federated learning (FL) is well known among distributed machine learning techniques for its strength in protecting data privacy. However, its distributed and iterative nature makes FL inherently vulnerable to a range of poisoning attacks. To counter these threats, many defenses have been proposed that filter out malicious clients using various detection metrics. Based on our analysis of existing attacks and defenses, we find that model redundancy has received little attention. In neural networks, different model parameters contribute differently to the model's performance. However, existing FL attacks manipulate all parameters of a model update with the same strategy, which makes them easy for common defenses to detect. Meanwhile, the defenses tend to analyze the overall statistical features of entire model updates, leaving room for more sophisticated attacks. Based on these observations, this paper proposes a generic, attack-agnostic augmentation approach designed to increase the effectiveness and stealthiness of existing FL poisoning attacks against detection, pointing out the inherent flaws of existing defenses and exposing the necessity of fine-grained FL security. Specifically, we employ a three-stage methodology that strategically constructs, generates, and injects poison (generated by existing attacks) into a pill (a tiny subnet with a novel structure) during FL training; the stages are named pill construction, pill poisoning, and pill injection, respectively. Extensive experimental results show that FL poisoning attacks enhanced by our method can bypass all the popular defenses and achieve up to a 7x increase in error rate, and on average more than a 2x increase, on both IID and non-IID data in both cross-silo and cross-device FL systems.
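The abstract's central defensive observation is that detectors which score a whole model update by one aggregate statistic cannot see a perturbation confined to a tiny subset of parameters. The following toy simulation, added here as an illustration and not code from the paper or its authors, makes that gap concrete from the defender's side: ten benign clients with heterogeneous (non-IID-like) update scales, plus one constructed update whose extra energy sits in a single 20-coordinate block. A global-norm check (`flag_by_global_norm`) passes it because its overall L2 norm lies inside the benign range, while a block-wise check (`flag_by_block_norm`) that compares each block against the cross-client median flags it immediately. All function names, dimensions, noise scales and thresholds are assumptions chosen for the demo.

```python
import math
import random
from statistics import median

# Constructed toy setting (assumption, not from the paper): flattened
# D-dimensional model updates, split into fixed-size blocks of BLOCK
# coordinates that stand in for small sub-structures of the model.
D = 1000
BLOCK = 20
N_BENIGN = 10
SEED = 0


def make_benign_updates(rng):
    """Ten benign updates whose noise scale differs per client (0.008..0.014),
    mimicking the spread one sees across non-IID clients."""
    updates = []
    for i in range(N_BENIGN):
        sigma = 0.008 + 0.006 * i / (N_BENIGN - 1)
        updates.append([rng.gauss(0.0, sigma) for _ in range(D)])
    return updates


def make_block_concentrated_update(rng, block_index, magnitude=0.06):
    """Constructed anomalous update: benign-looking noise plus a constant
    offset on one block only. Its global norm stays within the benign range,
    but the chosen block carries far more energy than any benign block."""
    u = [rng.gauss(0.0, 0.010) for _ in range(D)]
    start = block_index * BLOCK
    for j in range(start, start + BLOCK):
        u[j] += magnitude
    return u


def l2(v):
    return math.sqrt(sum(x * x for x in v))


def flag_by_global_norm(updates, factor=1.5):
    """Coarse check: flag a client whose whole-update L2 norm exceeds
    factor x the median norm across clients."""
    norms = [l2(u) for u in updates]
    threshold = factor * median(norms)
    return [i for i, n in enumerate(norms) if n > threshold]


def flag_by_block_norm(updates, block=BLOCK, factor=3.0):
    """Fine-grained check: for every block position, compare each client's
    block norm with the median block norm across clients; a client is
    flagged if any single block exceeds factor x that median."""
    flagged = set()
    n_blocks = len(updates[0]) // block
    for b in range(n_blocks):
        block_norms = [l2(u[b * block:(b + 1) * block]) for u in updates]
        threshold = factor * median(block_norms)
        flagged.update(i for i, n in enumerate(block_norms) if n > threshold)
    return sorted(flagged)


def run_demo(seed=SEED):
    rng = random.Random(seed)
    updates = make_benign_updates(rng)
    anomalous_index = len(updates)
    updates.append(make_block_concentrated_update(rng, block_index=7))
    return {
        "anomalous_index": anomalous_index,
        "norms": [round(l2(u), 3) for u in updates],
        "global_norm_flags": flag_by_global_norm(updates),
        "block_norm_flags": flag_by_block_norm(updates),
    }


if __name__ == "__main__":
    result = run_demo()
    print("per-client global norms:", result["norms"])
    print("global-norm check flags:", result["global_norm_flags"])
    print("block-norm check flags:", result["block_norm_flags"],
          "(anomalous client is", result["anomalous_index"], ")")
```

The block-wise median is deliberately taken across clients at the same block position, so legitimate per-layer differences in scale do not trip the check; only a client that deviates from its peers within one block is reported. In a real deployment the block boundaries would follow the model's layer or channel structure rather than a fixed stride.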