In a federated learning (FL) system, malicious participants can easily embed backdoors into the aggregated model while maintaining the model's performance on the main task. To counter this, various defenses, including training-stage aggregation-based defenses and post-training mitigation defenses, have been proposed recently. While these defenses obtain reasonable performance against existing backdoor attacks, which are mainly heuristic-based, we show that they are insufficient in the face of more advanced attacks. In particular, we propose a general reinforcement learning-based backdoor attack framework in which the attacker first trains a (non-myopic) attack policy using a simulator built upon its local data and common knowledge of the FL system, and then applies that policy during actual FL training. Our attack framework is both adaptive and flexible and achieves strong attack performance and durability even under state-of-the-art defenses.
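The abstract contrasts plain aggregation with training-stage aggregation-based defenses. The following is an added illustration, not code from the paper or its authors, of what such a defense does at the aggregation step: it compares FedAvg, coordinate-wise trimmed mean, and per-client norm clipping on a constructed set of client updates in which one client submits an update scaled far beyond its peers. The update vectors, the `trim` and `clip` parameters, and the drift metric are all assumptions made for this example.

```python
"""Robust aggregation demo: FedAvg vs. trimmed mean vs. norm clipping.

Added example (not the paper's code). All client updates below are
constructed: four benign updates clustered around a common direction and
one malicious update whose magnitude is far larger than its peers.
"""
from statistics import mean

# Constructed sample updates: each is a 4-dimensional model delta.
BENIGN_UPDATES = [
    [0.10, -0.20, 0.05, 0.30],
    [0.12, -0.18, 0.04, 0.28],
    [0.09, -0.22, 0.06, 0.31],
    [0.11, -0.19, 0.05, 0.29],
]
# One client submits a heavily scaled update (constructed outlier).
MALICIOUS_UPDATE = [5.0, 4.0, -6.0, 7.0]


def fed_avg(updates):
    """Plain averaging: every client pulls the global model equally."""
    dim = len(updates[0])
    return [mean(u[i] for u in updates) for i in range(dim)]


def trimmed_mean(updates, trim):
    """Coordinate-wise trimmed mean: per coordinate, discard the `trim`
    largest and `trim` smallest values, then average what remains."""
    n = len(updates)
    if 2 * trim >= n:
        raise ValueError("trim must be smaller than half the number of clients")
    dim = len(updates[0])
    result = []
    for i in range(dim):
        column = sorted(u[i] for u in updates)
        result.append(mean(column[trim:n - trim]))
    return result


def l2_norm(vec):
    return sum(x * x for x in vec) ** 0.5


def norm_clip(update, max_norm):
    """Scale an update down so its L2 norm does not exceed max_norm.
    Benign updates below the bound are passed through unchanged."""
    nrm = l2_norm(update)
    if nrm <= max_norm:
        return list(update)
    return [x * (max_norm / nrm) for x in update]


def aggregation_report(benign, malicious, trim=1, clip=1.0):
    """Measure how far each aggregator's output drifts from the benign
    consensus (the mean of the benign updates alone)."""
    all_updates = benign + [malicious]
    benign_center = fed_avg(benign)

    def drift(agg):
        return l2_norm([a - b for a, b in zip(agg, benign_center)])

    return {
        "fedavg_drift": drift(fed_avg(all_updates)),
        "trimmed_drift": drift(trimmed_mean(all_updates, trim)),
        "clipped_drift": drift(fed_avg([norm_clip(u, clip) for u in all_updates])),
    }


if __name__ == "__main__":
    for name, value in aggregation_report(BENIGN_UPDATES, MALICIOUS_UPDATE).items():
        print(f"{name}: {value:.4f}")
```

With the constructed inputs, FedAvg is pulled roughly two units away from the benign consensus by the single outlier, norm clipping reduces that to a fraction of a unit, and the trimmed mean stays within about a hundredth. The example also shows the limit of these defenses that the abstract points at: trimmed mean and clipping only suppress updates that are statistical outliers in a given round, so an adversary whose updates stay within the benign distribution is not affected by them.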