A3FL: Adversarially Adaptive Backdoor Attacks to Federated Learning

Authors: Hangfan Zhang, Jinyuan Jia, Jinghui Chen, Lu Lin, Dinghao Wu

NeurIPS 2023

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | Extensive experiments on benchmark datasets are conducted for twelve existing defenses to comprehensively evaluate the effectiveness of our A3FL. Our empirical results demonstrate that A3FL is consistently effective across different datasets and settings. We further compare A3FL with 4 state-of-the-art backdoor attacks [12, 11, 10, 9] under 13 defenses [2, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27], and the results suggest that A3FL remarkably outperforms all baseline attacks by up to 10 times against all defenses. In addition, we find that A3FL is significantly more durable than all baselines. Finally, we conduct extensive ablation studies to evaluate the impact of hyperparameters on the performance of A3FL. |
| Researcher Affiliation | Academia | Hangfan Zhang, Jinyuan Jia, Jinghui Chen, Lu Lin, Dinghao Wu {hbz5148,jinyuan,jzc5917,lulin,dinghao}@psu.edu The Pennsylvania State University |
| Pseudocode | Yes | Algorithm of A3FL: We depict the workflow of A3FL compromising a client in Algorithm 1. |
| Open Source Code | Yes | Our code is available at https://github.com/hfzhang31/A3FL. |
| Open Datasets | Yes | We evaluate A3FL on three widely-used benchmark datasets: FEMNIST [43], CIFAR10 [15], and Tiny ImageNet [16]. |
| Dataset Splits | No | The paper specifies training and testing image counts for CIFAR-10, but does not explicitly mention a separate validation set or its split details for their experiments. It mentions a 'validation dataset' in the context of an existing defense (FLTrust) but not for their own experimental setup. |
| Hardware Specification | No | The paper does not explicitly describe the specific hardware (e.g., GPU models, CPU types) used for running its experiments. |
| Software Dependencies | No | The paper mentions software components like 'SGD optimizer', 'PGD [45]', and 'DBSCAN [48]' but does not provide specific version numbers for these or other general software dependencies (e.g., Python, PyTorch/TensorFlow). |
| Experiment Setup | Yes | By default, we set the number of clients N = 100. At each communication round, the server randomly selects M = 10 clients to contribute to the global model. The global model architecture is ResNet-18 [44]. We assume a non-i.i.d data distribution with a concentration parameter h of 0.9 following previous works [12, 10, 9]. Each selected client trains the local model for 2 epochs using SGD optimizer with a learning rate of 0.01. The FL training process continues for 2,000 communication rounds. By default, the attack window starts at the 1,900th communication round and ends at the 2,000th communication round. Each compromised client poisons 25% of the local training dataset. By default, compromised clients optimize the trigger using Projected Gradient Descent (PGD) [45] with a step size of 0.01. The adversarial global model is optimized using SGD with a learning rate of 0.01. In practice, we set the balancing coefficient λ = λ0sim(θ t, θt). |