Anti-traceable backdoor: Blaming malicious poisoning on innocents in non-IID federated learning

Abstract

Backdoor attacks pose an extremely serious threat to federated learning (FL), where victim models are susceptible to specific triggers. To counter the defense, a smart attacker will forcefully and actively camouflage its behavior profiles (i.e., trigger invisibility and malicious collusion). However, in a more practical scenario where the label distribution on each client is heterogeneous, such camouflage is not highly deceptive and durable, and also malicious clients can be precisely identified by a blanket benchmark comparison. In this paper, we introduce an attack vector that blames innocent clients for malicious poisoning in backdoor tracing and motivates a novel Anti-Traceable Backdoor Attack (ATBA) framework. First, we devise a progressive generative adversarial data inference scheme to compensate missing classes for malicious clients, progressively improving the quality of inferred data through fictitious poisoning. Subsequently, we present a trigger-enhanced specific backdoor learning mechanism, selectively specifying vulnerable classes from benign clients to resist backdoor tracing and adaptively optimizing triggers to adjust specific backdoor behaviors. Additionally, we also design a meta-detection-and-filtering defense strategy, which aims to distinguish fictitiously-poisoned updates. Extensive experiments over three benchmark datasets validate the proposed ATBA’s attack effectiveness, anti-traceability, robustness, and the feasibility of the corresponding defense method.