Federated Learning (FL) is susceptible to poisoning attacks, wherein compromised clients manipulate the global model by modifying local datasets or sending manipulated model updates. Experienced defenders can readily detect and mitigate the poisoning effects of such malicious behaviors using Byzantine-robust aggregation rules. However, poisoning attacks that involve no such detectable behaviors remain largely unexplored for Byzantine-robust FL. This paper addresses the challenging problem of poisoning Byzantine-robust FL by inducing catastrophic forgetting. To fill this gap, we first formally define generalization error and establish its connection to catastrophic forgetting, paving the way for the development of a clean-label data poisoning attack named BadSampler. This attack leverages only clean-label data (i.e., without poisoned data) to poison Byzantine-robust FL: the adversary selectively samples training data with high loss to feed model training, thereby maximizing the model's generalization error. We formulate the attack as an optimization problem and present two elegant adversarial sampling strategies, Top-$\kappa$ sampling and meta-sampling, to approximately solve it. Additionally, our formal error upper bound and time complexity analysis demonstrate that our design preserves attack utility with high efficiency. Extensive evaluations on two real-world datasets illustrate the effectiveness and performance of our proposed attacks.