{"title":"消除你的痕迹:远程清除联合学习中的后门","authors":"Manaar Alam;Hithem Lamri;Michail Maniatakos","doi":"10.1109/TAI.2024.3465441","DOIUrl":null,"url":null,"abstract":"Federated learning (FL) enables collaborative learning across multiple participants without exposing sensitive personal data. However, the distributed nature of FL and unvetted participants’ data makes it vulnerable to \n<italic>backdoor attacks</i>\n. In these attacks, adversaries selectively inject malicious functionality into the centralized model during training, leading to intentional misclassifications for specific adversary-chosen inputs. While previous research has demonstrated successful injections of persistent backdoors in FL, the persistence also poses a challenge, as their existence in the centralized model can prompt the central aggregation server to take preventive measures for penalizing the adversaries. Therefore, this article proposes a method \n<italic>that enables adversaries to effectively remove backdoors from the centralized model</i>\n upon achieving their objectives or upon suspicion of possible detection. The proposed approach extends the concept of \n<italic>machine unlearning</i>\n and presents strategies to preserve the performance of the centralized model and simultaneously prevent over-unlearning of information unrelated to backdoor patterns, making adversaries stealthy while removing backdoors. To the best of our knowledge, this is the first work exploring machine unlearning in FL to remove backdoors to the benefit of adversaries. Exhaustive evaluation considering various image classification scenarios demonstrates the efficacy of the proposed method for efficient backdoor removal from the centralized model, injected by state-of-the-art attacks across multiple configurations.","PeriodicalId":73305,"journal":{"name":"IEEE transactions on artificial intelligence","volume":"5 12","pages":"6683-6698"},"PeriodicalIF":0.0000,"publicationDate":"2024-09-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Get Rid of Your Trail: Remotely Erasing Backdoors in Federated Learning\",\"authors\":\"Manaar Alam;Hithem Lamri;Michail Maniatakos\",\"doi\":\"10.1109/TAI.2024.3465441\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Federated learning (FL) enables collaborative learning across multiple participants without exposing sensitive personal data. However, the distributed nature of FL and unvetted participants’ data makes it vulnerable to \\n<italic>backdoor attacks</i>\\n. In these attacks, adversaries selectively inject malicious functionality into the centralized model during training, leading to intentional misclassifications for specific adversary-chosen inputs. While previous research has demonstrated successful injections of persistent backdoors in FL, the persistence also poses a challenge, as their existence in the centralized model can prompt the central aggregation server to take preventive measures for penalizing the adversaries. Therefore, this article proposes a method \\n<italic>that enables adversaries to effectively remove backdoors from the centralized model</i>\\n upon achieving their objectives or upon suspicion of possible detection. 
The proposed approach extends the concept of \\n<italic>machine unlearning</i>\\n and presents strategies to preserve the performance of the centralized model and simultaneously prevent over-unlearning of information unrelated to backdoor patterns, making adversaries stealthy while removing backdoors. To the best of our knowledge, this is the first work exploring machine unlearning in FL to remove backdoors to the benefit of adversaries. Exhaustive evaluation considering various image classification scenarios demonstrates the efficacy of the proposed method for efficient backdoor removal from the centralized model, injected by state-of-the-art attacks across multiple configurations.\",\"PeriodicalId\":73305,\"journal\":{\"name\":\"IEEE transactions on artificial intelligence\",\"volume\":\"5 12\",\"pages\":\"6683-6698\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-09-23\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE transactions on artificial intelligence\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://ieeexplore.ieee.org/document/10685452/\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE transactions on artificial intelligence","FirstCategoryId":"1085","ListUrlMain":"https://ieeexplore.ieee.org/document/10685452/","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Get Rid of Your Trail: Remotely Erasing Backdoors in Federated Learning
Federated learning (FL) enables collaborative learning across multiple participants without exposing sensitive personal data. However, the distributed nature of FL and the unvetted data of its participants make it vulnerable to backdoor attacks. In these attacks, adversaries selectively inject malicious functionality into the centralized model during training, causing intentional misclassifications for specific adversary-chosen inputs. While previous research has demonstrated the successful injection of persistent backdoors in FL, this persistence also poses a challenge: the continued presence of a backdoor in the centralized model can prompt the central aggregation server to take preventive measures and penalize the adversaries. This article therefore proposes a method that enables adversaries to effectively remove backdoors from the centralized model once they have achieved their objectives or suspect possible detection. The proposed approach extends the concept of machine unlearning and presents strategies that preserve the performance of the centralized model while preventing over-unlearning of information unrelated to the backdoor patterns, keeping adversaries stealthy as they remove backdoors. To the best of our knowledge, this is the first work to explore machine unlearning in FL for removing backdoors to the benefit of adversaries. An extensive evaluation across various image classification scenarios demonstrates that the proposed method efficiently removes backdoors injected into the centralized model by state-of-the-art attacks under multiple configurations.
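The abstract describes the unlearning step only at a high level. As a purely illustrative sketch, and not the paper's actual algorithm, the snippet below shows one way an adversarial client could locally erase a backdoor before submitting its update: trigger-stamped inputs are fine-tuned back toward their true labels, a clean-data term maintains utility, and an L2 anchor to the received global weights guards against over-unlearning. The helper `trigger_fn`, the `anchor_lambda` weight, and the choice of an L2 anchor are assumptions introduced here for illustration.

```python
# Hedged sketch (not the authors' exact method): local backdoor unlearning
# by an adversarial FL client, with a penalty that limits over-unlearning.
import copy
import torch
import torch.nn.functional as F


def unlearn_backdoor(global_model, clean_loader, trigger_fn,
                     epochs=1, lr=1e-3, anchor_lambda=10.0, device="cpu"):
    """Fine-tune a copy of the received global model so that trigger-stamped
    inputs map back to their true labels, while an L2 anchor to the original
    global weights discourages forgetting information unrelated to the trigger."""
    model = copy.deepcopy(global_model).to(device)
    # Snapshot of the received global weights, used as the anchor reference.
    reference = [p.detach().clone() for p in model.parameters()]
    optimizer = torch.optim.SGD(model.parameters(), lr=lr)

    model.train()
    for _ in range(epochs):
        for x, y in clean_loader:
            x, y = x.to(device), y.to(device)
            x_trig = trigger_fn(x)  # same inputs with the (hypothetical) backdoor pattern applied

            # 1) Unlearning term: trigger-stamped inputs should predict their
            #    TRUE labels, erasing the trigger -> target-label shortcut.
            loss_unlearn = F.cross_entropy(model(x_trig), y)

            # 2) Utility term: keep accuracy on clean inputs intact.
            loss_clean = F.cross_entropy(model(x), y)

            # 3) Anchor term: stay close to the received global weights to
            #    avoid over-unlearning knowledge unrelated to the backdoor.
            loss_anchor = sum(((p - r) ** 2).sum()
                              for p, r in zip(model.parameters(), reference))

            loss = loss_unlearn + loss_clean + anchor_lambda * loss_anchor
            optimizer.zero_grad()
            loss.backward()
            optimizer.step()

    return model
```

The anchor term plays the role the abstract attributes to the over-unlearning safeguard: without it, aggressively relabeling trigger-stamped inputs can also erase features the centralized model needs for clean inputs, which would both degrade accuracy and make the adversary's removal attempt conspicuous.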