Most machine learning applications rely on centralized training, which exposes their training datasets to the party that runs it. While federated learning (FL) mitigates these privacy risks to some extent, it still depends on a trusted aggregation server to train the shared global model. Recently proposed distributed learning architectures based on Peer-to-Peer Federated Learning (P2PFL) offer advantages in both privacy and reliability, but their resilience to poisoning attacks during training has not been investigated. In this paper, we propose new backdoor attacks on P2PFL that leverage structural graph properties to select the malicious nodes, achieving high attack success while remaining stealthy. We evaluate our attacks under various realistic conditions, including multiple graph topologies, limited adversarial visibility of the network, and clients with non-IID data. Finally, we show the limitations of existing defenses adapted from FL and design a new defense that successfully mitigates the backdoor attacks without reducing model accuracy.
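The abstract's central mechanism is choosing which peers to compromise from the structure of the P2PFL communication graph. The following is an added illustration, not code from the paper, of why that choice matters: it selects attackers by degree centrality (an assumption; the abstract does not say which graph property the attacks use), then runs plain neighbourhood averaging, a stand-in for decentralised FedAvg with uniform weights, where each peer's model is reduced to a single scalar in [0, 1] representing how strongly it carries the backdoor. Honest peers start at 0, attackers always report 1, and the returned number is the mean backdoor strength absorbed by honest peers. All topologies are constructed for the example.

```python
"""Added example (not the paper's code): attacker placement by a structural
graph property in a P2PFL topology, and its effect on backdoor spread under
uniform neighbourhood averaging. The scalar per-peer 'backdoor strength' is a
constructed stand-in for a model; degree centrality is an assumed criterion."""
import random
from statistics import mean


def hub_and_ring(n):
    """Constructed topology: node 0 links to every peer, nodes 1..n-1 form a ring."""
    adj = {i: set() for i in range(n)}
    for i in range(1, n):
        adj[0].add(i)
        adj[i].add(0)
        j = i + 1 if i + 1 < n else 1  # close the ring
        adj[i].add(j)
        adj[j].add(i)
    return adj


def erdos_renyi(n, p, seed):
    """Constructed random topology (G(n, p)) for a less regular comparison."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in range(i + 1, n):
            if rng.random() < p:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def select_attackers(adj, m, strategy, seed=0):
    """Pick m malicious peers: 'degree' takes the highest-degree nodes
    (ties broken by node id), 'random' ignores the graph structure."""
    nodes = sorted(adj)
    if strategy == "degree":
        return sorted(nodes, key=lambda v: (-len(adj[v]), v))[:m]
    if strategy == "random":
        return sorted(random.Random(seed).sample(nodes, m))
    raise ValueError(f"unknown strategy {strategy!r}")


def simulate(adj, attackers, rounds):
    """Run `rounds` of decentralised averaging. Honest peers replace their value
    by the uniform mean over themselves and their neighbours; attackers keep
    re-injecting 1.0. Returns the mean honest backdoor strength afterwards."""
    attackers = set(attackers)
    x = {v: (1.0 if v in attackers else 0.0) for v in adj}
    for _ in range(rounds):
        new = {}
        for v in adj:
            if v in attackers:
                new[v] = 1.0
            else:
                vals = [x[v]] + [x[u] for u in adj[v]]
                new[v] = sum(vals) / len(vals)
        x = new
    return mean(x[v] for v in adj if v not in attackers)


def compare_strategies(adj, m, rounds, seed=0):
    """Backdoor strength reached by degree-based versus random placement."""
    return {
        "degree": simulate(adj, select_attackers(adj, m, "degree"), rounds),
        "random": simulate(adj, select_attackers(adj, m, "random", seed), rounds),
    }


if __name__ == "__main__":
    g = hub_and_ring(9)
    print("hub attacker  :", simulate(g, [0], 5))
    print("leaf attacker :", simulate(g, [1], 5))
    print("ER graph      :", compare_strategies(erdos_renyi(40, 0.1, seed=1), m=3, rounds=5))
```

On the hub-and-ring graph a single attacker at the hub is averaged into every honest model in the first round, while the same attacker on a leaf reaches only three peers; the random-graph comparison shows the same effect in a less contrived topology. The model here is deliberately one scalar and the aggregation rule deliberately naive, so the numbers say nothing about real attack success rates, only that topology-aware placement changes how far a poisoned update travels per round.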