While federated learning protects data privacy, it also makes the model update process vulnerable to long-term stealthy perturbations. Existing studies on backdoor attacks in federated learning mainly focus on trigger design or poisoning strategies, typically assuming that identical perturbations behave similarly across different model architectures. This assumption overlooks the impact of model structure on perturbation effectiveness. From a structure-aware perspective, this paper analyzes the coupling relationship between model architectures and backdoor perturbations. We introduce two metrics, Structural Responsiveness Score (SRS) and Structural Compatibility Coefficient (SCC), to measure a model's sensitivity to perturbations and its preference for fractal perturbations. Based on these metrics, we develop a structure-aware fractal perturbation injection framework (TFI) to study the role of architectural properties in the backdoor injection process. Experimental results show that model architecture significantly influences the propagation and aggregation of perturbations. Networks with multi-path feature fusion can amplify and retain fractal perturbations even under low poisoning ratios, while models with low structural compatibility constrain their effectiveness. Further analysis reveals a strong correlation between SCC and attack success rate, suggesting that SCC can predict perturbation survivability. These findings highlight that backdoor behaviors in federated learning depend not only on perturbation design or poisoning intensity but also on the interaction between model architecture and aggregation mechanisms, offering new insights for structure-aware defense design.

翻译：尽管联邦学习保护了数据隐私，但它也使模型更新过程容易受到长期隐蔽扰动的攻击。现有关于联邦学习中后门攻击的研究主要集中在触发器设计或投毒策略上，通常假设相同的扰动在不同模型架构中表现相似。这一假设忽略了模型结构对扰动效果的影响。本文从结构感知的角度，分析了模型架构与后门扰动之间的耦合关系。我们引入了两个度量指标：结构响应分数（SRS）和结构兼容性系数（SCC），用于衡量模型对扰动的敏感性及其对分形扰动的偏好。基于这些指标，我们开发了一个结构感知的分形扰动注入框架（TFI），以研究架构特性在后门注入过程中的作用。实验结果表明，模型架构显著影响扰动的传播与聚合。具有多路径特征融合的网络即使在低投毒比例下也能放大并保留分形扰动，而结构兼容性较低的模型则限制了其有效性。进一步分析揭示了SCC与攻击成功率之间的强相关性，表明SCC可以预测扰动的生存能力。这些发现强调，联邦学习中的后门行为不仅取决于扰动设计或投毒强度，还取决于模型架构与聚合机制之间的相互作用，为结构感知的防御设计提供了新的见解。