FedESP: Effective, Stealthy, and Persistent backdoor attack on federated learning

IF 3.7 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2025-09-12 DOI:10.1016/j.jisa.2025.104223

Sitian Wang , Xuan Li , Mingyang Yu , Shuai Yuan , Zhitao Guan

{"title":"FedESP: Effective, Stealthy, and Persistent backdoor attack on federated learning","authors":"Sitian Wang , Xuan Li , Mingyang Yu , Shuai Yuan , Zhitao Guan","doi":"10.1016/j.jisa.2025.104223","DOIUrl":null,"url":null,"abstract":"<div><div>Federated learning enables clients to train models collaboratively without exchanging local data, but its decentralized nature brings new security threats, including backdoor attacks. In a backdoor attack, adversaries embed triggers that lead the global model to produce incorrect predictions for certain inputs. Nevertheless, current approaches often demonstrate limited effectiveness, poor stealth, and low persistence. We address these issues by introducing FedESP. It first optimizes the trigger through adversarial training, ensuring its effectiveness even after the attacker ceases the attack, thus enhancing its persistence. A regularization term is incorporated during trigger optimization to further enhance stealth. Then FedESP selectively poisons high-responsive parameters and applies a malicious scaling factor to increase the impact of these poisoned updates, thereby improving the attack’s effectiveness. Experimental results on CIFAR-10 and CIFAR-100 confirm that FedESP achieves a higher success rate and persistence than benchmark methods while effectively bypassing existing backdoor defense mechanisms.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"94 ","pages":"Article 104223"},"PeriodicalIF":3.7000,"publicationDate":"2025-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625002601","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Federated learning enables clients to train models collaboratively without exchanging local data, but its decentralized nature brings new security threats, including backdoor attacks. In a backdoor attack, adversaries embed triggers that lead the global model to produce incorrect predictions for certain inputs. Nevertheless, current approaches often demonstrate limited effectiveness, poor stealth, and low persistence. We address these issues by introducing FedESP. It first optimizes the trigger through adversarial training, ensuring its effectiveness even after the attacker ceases the attack, thus enhancing its persistence. A regularization term is incorporated during trigger optimization to further enhance stealth. Then FedESP selectively poisons high-responsive parameters and applies a malicious scaling factor to increase the impact of these poisoned updates, thereby improving the attack’s effectiveness. Experimental results on CIFAR-10 and CIFAR-100 confirm that FedESP achieves a higher success rate and persistence than benchmark methods while effectively bypassing existing backdoor defense mechanisms.

查看原文本刊更多论文

FedESP：对联邦学习的有效、隐蔽和持久的后门攻击

联邦学习使客户能够在不交换本地数据的情况下协作训练模型，但其分散的性质带来了新的安全威胁，包括后门攻击。在后门攻击中，攻击者嵌入触发器，导致全局模型对某些输入产生错误的预测。然而，目前的方法通常表现出有限的有效性、较差的隐蔽性和较低的持久性。我们通过引入联邦快递来解决这些问题。它首先通过对抗性训练来优化触发器，即使在攻击者停止攻击后也能保证其有效性，从而增强其持久性。在触发优化过程中加入正则化项，进一步增强了隐身性。然后，FedESP选择性地毒害高响应参数，并应用恶意缩放因子来增加这些中毒更新的影响，从而提高攻击的有效性。在CIFAR-10和CIFAR-100上的实验结果证实，FedESP在有效绕过现有后门防御机制的同时，取得了比基准方法更高的成功率和持久性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.