Collusive Backdoor Attacks in Federated Learning Frameworks for IoT Systems
Saier Alharbi, Yifan Guo, Wei Yu
Abstract
Internet of Things (IoT) devices generate massive amounts of data from local devices, making Federated Learning (FL) a viable distributed machine learning paradigm to learn a global model while keeping private data locally in various IoT systems. However, recent studies show that FL’s decentralized nature makes it susceptible to backdoor attacks. Existing defenses like robust aggregation defenses have reduced attack success rates by identifying significant statistical differences between normal and backdoored models individually. However, these defenses fail to consider the potential collusion among attackers to bypass statistical measures utilized in defenses. In this paper, we propose a novel attack approach, called collusive backdoor attacks (CBA), which bypasses robust aggregation defense by considering both local backdoor training and post-training model manipulations among collusive attackers. Particularly, we introduce a non-trivial perturbation estimation scheme to add manipulations over model update vectors after local backdoor training and use the Gram-Schmidt process to speed up the estimation process. This makes the magnitude of the perturbed poisoned model to the same level as normal models, evading robust aggregation-based defense while maintaining attack efficacy. After that, we provide a pilot study to verify the feasibility of our perturbation estimation scheme, followed by its convergence analysis. By evaluating the attack performance on four representative datasets, our CBA approach maintains high attack success rates under benchmark robust aggregation defenses in both IID (independent and identically distributed) and non-IID local data settings. Particularly, it increases the attack success rate by 126% on average compared to individual backdoor attacks.