How the Target Matters: Semi-Targeted Model Poisoning Attack on Federated Learning
Authors: Yuwei Sun, Hideya Ochiai, Jun Sakuma
Affiliation: The University of Tokyo

Corresponding author: [email protected]


Existing model poisoning attacks on federated learning assume that an adversary has access to the full data distribution. In reality, an adversary usually has limited prior knowledge about clients' data distributions, and in that case a poorly chosen target class renders an attack less effective. In particular, we consider a semi-targeted setting in which the source class is predetermined but the target class is not; the goal is to cause the global classifier to misclassify data of the source class. Although approaches such as label flipping have been adopted to inject poisoned parameters into federated learning, it has been shown that their performance is usually class-sensitive, varying with the target class applied: typically, an attack becomes less effective when shifted to a different target class. To overcome this challenge, we propose the Attacking Distance-aware Attack (ADA), which enhances a poisoning attack by finding the optimized target class in the feature space. ADA deduces pair-wise distances between classes in the latent feature space based on the Fast LAyer gradient MEthod (FLAME). We performed extensive empirical evaluations of ADA, varying the attacking frequency, on four benchmark image classification tasks, and we studied the effectiveness of ADA against different defense methods. ADA increased the attack performance by 1.8 times in the most challenging case, with an attacking frequency of 0.01, while bypassing existing defenses. Differential privacy, the most effective defense, still could not reduce the attack performance to below 50%.
Published 2023 in IEEE Transactions on Artificial Intelligence, pages 1-15. DOI: 10.1109/TAI.2023.3280155
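The abstract's core idea, that the target class nearest to the source class in latent feature space is the one a semi-targeted poisoning attack gravitates toward, can be turned into a risk assessment a defender runs on their own model. The following is an added example, not code from the paper: because the page does not describe FLAME, it assumes a simplified attacking distance (Euclidean distance between class centroids of the latent features) and uses constructed features for four classes; `attacking_distances`, `nearest_target` and `synthetic_features` are names chosen here.

```python
# Added example (not from the paper): rank which source->target class pairs are
# most confusable in a latent feature space so a defender knows where a
# semi-targeted poisoning attack would concentrate. The paper deduces pair-wise
# class distances with FLAME, which this page does not describe; as a stand-in
# we ASSUME the distance between two classes is the Euclidean distance between
# their mean latent feature vectors (class centroids).
import math
import random
from typing import Dict, List, Sequence, Tuple

Features = Dict[int, List[List[float]]]  # class label -> list of latent vectors


def centroid(vectors: Sequence[Sequence[float]]) -> List[float]:
    """Mean latent vector of one class."""
    dim = len(vectors[0])
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(dim)]


def euclidean(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def attacking_distances(features: Features) -> Dict[Tuple[int, int], float]:
    """Centroid distance for every ordered (source, target) pair of classes."""
    cents = {c: centroid(v) for c, v in features.items()}
    return {(s, t): euclidean(cents[s], cents[t])
            for s in cents for t in cents if s != t}


def nearest_target(features: Features, source: int) -> Tuple[int, float]:
    """Target class at minimum attacking distance from `source`: the pair the
    abstract says an adversary would optimise toward, hence the pair whose
    source-class accuracy a defender should monitor most closely."""
    dists = attacking_distances(features)
    dist, target = min((d, t) for (s, t), d in dists.items() if s == source)
    return target, dist


def synthetic_features(seed: int = 0) -> Features:
    """Constructed latent features: class 1 lies close to class 0, while
    classes 2 and 3 are far from both (2-D so the geometry is easy to check)."""
    rng = random.Random(seed)
    means = {0: [0.0, 0.0], 1: [1.0, 0.5], 2: [6.0, 0.0], 3: [0.0, 7.0]}
    return {c: [[m[0] + rng.gauss(0, 0.1), m[1] + rng.gauss(0, 0.1)]
                for _ in range(50)] for c, m in means.items()}


if __name__ == "__main__":
    feats = synthetic_features()
    for src in sorted(feats):
        tgt, dist = nearest_target(feats, src)
        print(f"source {src}: nearest target {tgt} at distance {dist:.2f}")
```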