Federated learning (FL) is vulnerable to poisoning attacks, in which adversaries corrupt the global aggregation result and cause denial of service (DoS). Unlike recent model poisoning attacks, which optimize the amplitude of a malicious perturbation along certain prescribed directions to cause DoS, we propose a Flexible Model Poisoning Attack (FMPA) that can achieve versatile attack goals. We consider a practical threat scenario in which the adversary has no extra knowledge of the FL system (e.g., the aggregation rule or the updates of benign devices). FMPA exploits global historical information to construct an estimator that predicts the next round's global model, which serves as a benign reference. It then fine-tunes the reference model to obtain the desired poisoned model, which has low accuracy but differs from the reference only by a small perturbation. Beyond causing DoS, FMPA naturally extends to a fine-grained controllable attack that reduces the global accuracy by a precise amount. Armed with such precise control, a malicious FL service provider can gain an advantage over its competitors without being noticed, which opens a new attack surface in FL beyond DoS. Even for the purpose of DoS, experiments show that FMPA significantly decreases the global accuracy, outperforming six state-of-the-art attacks.
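The two-stage mechanism sketched in the abstract (predict the next global model from history, then fine-tune that benign-looking reference within a small perturbation budget, either as far as the budget allows or only until a target accuracy is hit) can be made concrete with a toy simulation. The following is an added example written for this page, not code from the paper or its authors: the estimator (linear extrapolation of the last two global models), the fine-tuning procedure (projected gradient ascent on the attacker's own local loss inside an L2 ball), the 1-D logistic-regression model, the attacker's local data and the history of global models are all assumptions made here to show the idea in running code.

```python
"""Toy simulation of the FMPA idea: predict the next global model from the
history of past global models, then fine-tune that benign-looking reference
within a small L2 budget until its accuracy drops to a chosen level.
Constructed illustration (not the paper's code): estimator, fine-tuning
rule, model and data are all assumptions made for this example."""
import math
from dataclasses import dataclass

# Model: 1-D logistic regression with params [w, b], logit = w*x + b.
# Attacker's local data (constructed). It is linearly separable and
# asymmetric, so shifting the decision boundary misclassifies the positives
# one point at a time, which is what makes the accuracy finely controllable.
ATTACKER_X = [0.5, 1.0, 2.0, 3.0, 4.0, -1.0, -2.0, -3.0]
ATTACKER_Y = [1, 1, 1, 1, 1, 0, 0, 0]

# Constructed history of global models w_{t-2}, w_{t-1}, w_t. A participant
# receives every broadcast global model, so the estimator needs neither the
# aggregation rule nor any benign client's update.
GLOBAL_HISTORY = [[0.6, 0.0], [0.8, 0.0], [1.0, 0.0]]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def accuracy(params, xs, ys):
    w, b = params
    hits = sum(1 for x, y in zip(xs, ys) if (w * x + b > 0) == (y == 1))
    return hits / len(xs)


def loss_gradient(params, xs, ys):
    """Gradient of the mean logistic loss with respect to [w, b]."""
    w, b = params
    gw = gb = 0.0
    for x, y in zip(xs, ys):
        r = sigmoid(w * x + b) - y
        gw += r * x
        gb += r
    return [gw / len(xs), gb / len(xs)]


def l2(v):
    return math.sqrt(sum(c * c for c in v))


def estimate_next_global(history):
    """Benign reference for round t+1: linear extrapolation of the last two
    global models (assumed estimator; any predictor of the next global
    model would play the same role)."""
    prev, last = history[-2], history[-1]
    return [l + (l - p) for l, p in zip(last, prev)]


def project_to_ball(params, center, eps):
    """Clip params back onto the L2 ball of radius eps around center."""
    delta = [p - c for p, c in zip(params, center)]
    norm = l2(delta)
    if norm <= eps:
        return params
    return [c + d * eps / norm for c, d in zip(center, delta)]


@dataclass
class PoisonResult:
    params: list
    accuracy: float      # accuracy on the attacker's local data
    perturbation: float  # L2 distance from the benign reference
    steps: int


def craft_poisoned_model(reference, xs, ys, eps, target_acc=None,
                         lr=0.01, max_steps=3000):
    """Fine-tune the reference by projected gradient ASCENT on the local
    loss, never leaving the L2 ball of radius eps around the reference.
    target_acc=None is the DoS mode (lowest accuracy reachable); a numeric
    target_acc stops as soon as local accuracy falls to that level
    (fine-grained control). Of the iterates with the lowest accuracy seen,
    the earliest one, i.e. the smallest perturbation, is kept."""
    params = list(reference)
    best, best_acc = params, accuracy(params, xs, ys)
    steps = 0
    for steps in range(1, max_steps + 1):
        g = loss_gradient(params, xs, ys)
        params = [p + lr * gi for p, gi in zip(params, g)]
        params = project_to_ball(params, reference, eps)
        acc = accuracy(params, xs, ys)
        if acc < best_acc:
            best, best_acc = params, acc
        if target_acc is not None and acc <= target_acc:
            break
    delta = l2([p - r for p, r in zip(best, reference)])
    return PoisonResult(best, best_acc, delta, steps)


def run_demo(eps=1.5, target_acc=0.75):
    reference = estimate_next_global(GLOBAL_HISTORY)
    dos = craft_poisoned_model(reference, ATTACKER_X, ATTACKER_Y, eps)
    controlled = craft_poisoned_model(reference, ATTACKER_X, ATTACKER_Y,
                                      eps, target_acc=target_acc)
    return reference, dos, controlled


if __name__ == "__main__":
    reference, dos, controlled = run_demo()
    print("reference:", reference, "local accuracy:",
          accuracy(reference, ATTACKER_X, ATTACKER_Y))
    for name, r in (("DoS", dos), ("controlled", controlled)):
        print(f"{name}: params={[round(p, 3) for p in r.params]} "
              f"accuracy={r.accuracy:.3f} "
              f"perturbation={r.perturbation:.3f} steps={r.steps}")
```

Two properties of the abstract's design are visible in the output. First, the predicted reference doubles as the centre of the perturbation budget, so the submitted poisoned model is never more than eps away from what the server would have produced anyway; a defense that flags updates far from the expected trajectory sees only a small deviation. Second, the controlled run stops early, spends less of the budget than the DoS run and lands at the requested accuracy level rather than the minimum reachable one, which is the fine-grained control the abstract describes. The gradient-ascent rule, the extrapolation estimator and the budget value are stand-ins chosen for this example; the paper's actual fine-tuning and estimator are not reproduced here.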