Your Privacy My Cloak: Backdoor Attacks on Differentially Private Federated Learning

Problem
This work addresses the assumption that differential privacy (DP) enhances the robustness of federated learning (FL) against backdoor attacks. Prior literature suggests that DP mechanisms can effectively filter out malicious updates, but this paper challenges that notion by demonstrating that compliance with DP can obscure the statistical characteristics of backdoor signals, rendering existing defenses ineffective. The authors highlight a significant gap in the understanding of how DP interacts with backdoor attacks in FL, particularly in the context of non-iid data distributions. This research is presented as a preprint, indicating that it has not yet undergone peer review.

Method
The authors propose a novel attack strategy named RING, which leverages the masking effect of DP to conceal malicious contributions while maximizing the impact of the attack. RING operates as a perturbation layer that is agnostic to the specific backdoor technique employed, allowing it to be integrated with various existing attacks. The attack involves compromised clients collaboratively crafting adversarial perturbations during the aggregation phase, which helps reconstruct a potent backdoor signal without triggering anomaly detection mechanisms. The paper details the architecture of RING and its operational framework, although specific training compute requirements are not disclosed.

Results
Extensive evaluations were conducted across four datasets (two image and two text) under non-iid distributions. RING achieved an average attack success rate of 90.3% against six state-of-the-art defenses, demonstrating a significant improvement of up to 26.08 times over baseline attack strategies. The results indicate that RING effectively circumvents existing defenses by exploiting the inherent properties of DP, thus posing a substantial threat to the security of differentially private FL systems.

Limitations
The authors acknowledge that while RING is effective, its deployment may incur significant utility trade-offs when countermeasures are applied. They also note that the effectiveness of RING may vary depending on the specific configurations of the FL system and the nature of the datasets used. However, the paper does not explore the long-term implications of these trade-offs or the potential for adaptive defenses against RING.

Why it matters
This research has critical implications for the deployment of differentially private federated learning systems, as it exposes a fundamental security gap that could be exploited by adversaries. The findings suggest that while DP is intended to enhance privacy, it may inadvertently compromise the integrity of FL systems by masking malicious activities. This work calls for a reevaluation of current defense mechanisms in the context of DP-FL and highlights the need for more robust strategies to detect and mitigate backdoor attacks. The insights presented in this paper are crucial for future research in secure federated learning, as published in arXiv cs.LG.