In a federated learning (FL) system, distributed clients upload their local models to a central server, which aggregates them into a global model. Malicious clients may plant backdoors into the global model by uploading poisoned local models, causing images with specific patterns to be misclassified into some target labels. Backdoors planted by current attacks are not durable and vanish quickly once the attackers stop model poisoning. In this paper, we investigate the connection between the durability of FL backdoors and the relationships between benign images and poisoned images (i.e., the images whose labels are flipped to the target label during local training). Specifically, benign images carrying either the original label or the target label of the poisoned images are found to have key effects on backdoor durability. Consequently, we propose a novel attack, Chameleon, which utilizes contrastive learning to further amplify such effects towards a more durable backdoor. Extensive experiments demonstrate that Chameleon significantly extends the backdoor lifespan over baselines by $1.2\times \sim 4\times$, for a wide range of image datasets, backdoor types, and model architectures.