CapsuleBD: A Backdoor Attack Method Against Federated Learning Under Heterogeneous Models

Abstract

Federated learning under heterogeneous models, as an innovative approach, aims to break through the constraints of vanilla federated learning on the consistency of model architectures to better accommodate the heterogeneity of data distributions and hardware resource constraints in mobile computing scenarios. While significant attention has been given to backdoor risks in federated learning, the impact on heterogeneous models remains insufficiently investigated, where devices contribute models with varying structures. The reduction in the number of benign local model neurons that the adversary can manipulate through the global model reduces the attack surface. To challenge this issue, we propose a white-box multi-target backdoor attack method, CapsuleBD, against heterogeneous federated learning. Specifically, we design a model decoupling method to separate the benign and malicious task training pipelines through weight reassignment. The model responsible for the benign tasks is structurally larger than the malicious one, resembling a capsule encapsulating harmful substance impacting multiple heterogeneous models. Our comprehensive experiments demonstrate the effectiveness of CapsuleBD in seamlessly embedding triggers into heterogeneous local models, sustaining a remarkable 99.5% average attack success rate against all benign users even with a 50% reduction in the attack space.