In a federated learning (FL) system, malicious participants can easily embed backdoors into the aggregated model while maintaining the model's performance on the main task. To this end, various defenses, including training stage aggregation-based defenses and post-training mitigation defenses, have been proposed recently. While these defenses obtain reasonable performance against existing backdoor attacks, which are mainly heuristics based, we show that they are insufficient in the face of more advanced attacks. In particular, we propose a general reinforcement learning-based backdoor attack framework where the attacker first trains a (non-myopic) attack policy using a simulator built upon its local data and common knowledge on the FL system, which is then applied during actual FL training. Our attack framework is both adaptive and flexible and achieves strong attack performance and durability even under state-of-the-art defenses.

翻译：在一个联合学习(FL)系统中,恶意参与者可以很容易地将后门嵌入综合模型,同时保持模型在主要任务方面的性能。为此目的,最近提出了各种防御,包括培训阶段综合防御和训练后减缓防御。虽然这些防御在现有的后门攻击中取得了合理的性能,这些后门攻击主要是基于疲劳主义的,但我们表明,面对更先进的攻击,它们是不够的。特别是,我们提议了一个一般强化学习后门攻击框架,攻击者首先利用模拟器,根据当地数据和对FL系统的共同知识来训练(非中观)攻击政策,然后在实际的FL训练中应用。我们的攻击框架既适应又灵活,甚至在最先进的防御下也能达到很强的攻击性能和耐力。</s>