Your Privacy My Cloak: Backdoor Attacks on Differentially Private Federated Learning
Chinese title (translated): Privacy as Cover: Backdoor Attacks on Differentially Private Federated Learning
English abstract
This paper challenges the prevailing assumption that differential privacy (DP) inherently improves backdoor robustness in federated learning (FL). It reveals a masking effect where DP undermines detection of malicious updates by hiding their statistical signatures. The authors propose RING, a novel attack that deliberately exploits DP as a cloak; compromised clients collaboratively craft adversarial perturbations to reconstruct a strong backdoor signal during aggregation without triggering anomaly detection. RING is agnostic to the underlying backdoor technique and can compose with existing attacks, amplifying its threat. Experiments across four image and text datasets under non-iid settings show RING achieves an average attack success rate of 90.3% against six state-of-the-art defenses under moderate privacy budgets, improving up to 26.08× over baselines. Potential countermeasures incur significant utility trade-offs, exposing a fundamental security gap in DP-FL deployments.
Chinese abstract (translated)
This paper challenges the prevailing view that differential privacy (DP) inherently strengthens backdoor robustness in federated learning, revealing a concealment effect in which DP masks the statistical signatures of malicious updates and renders existing defenses ineffective. The authors propose the RING attack, which deliberately uses DP as cover: multiple malicious clients collaboratively construct adversarial perturbations that reconstruct a strong backdoor signal during aggregation without triggering anomaly detection. RING is decoupled from any specific backdoor technique and can be combined with existing attacks, significantly amplifying the threat. In non-iid settings on four image and text datasets, under moderate privacy budgets, RING reaches an average attack success rate of 90.3% against six state-of-the-art defenses, an improvement of up to 26.08× over baseline strategies. All possible mitigations come with severe utility loss, exposing a fundamental security flaw in differentially private federated learning deployments.
Key points
DP can mask the statistical anomalies of backdoor updates, rendering existing defenses ineffective in DP-protected FL.
Differential privacy can mask the statistical anomalies of backdoor updates, rendering existing defenses in DP-protected federated learning ineffective.
RING attack exploits DP as a cloak by collaboratively crafting adversarial perturbations to stealthily reconstruct backdoor signals during aggregation.
The RING attack collusively constructs adversarial perturbations, using DP as cover to covertly reconstruct the backdoor signal during aggregation.
RING is composable with any underlying backdoor method and achieves an average 90.3% attack success rate against six SOTA defenses, an improvement of up to 26.08× over baselines.
RING can be combined with any underlying backdoor technique and reaches an average attack success rate of 90.3% against six state-of-the-art defenses, 26.08× that of baseline schemes.
Mitigating RING-like threats requires substantial utility sacrifices, highlighting a fundamental security gap in realistic DP-FL systems.
Mitigating this class of threat requires a significant utility cost, revealing a fundamental security gap in real-world differentially private federated learning systems.
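The masking effect in the first key point, illustrated from the defender's side with an added simulation that is not the paper's code: it assumes a server that applies per-client L2 clipping plus Gaussian noise (the usual DP-FL sanitization) and a simple z-score detector over update norms, with all client updates constructed inline. Once every update is clipped to the same bound and padded with noise, the norm signal the detector relied on is gone, which is one concrete way DP hides a statistical anomaly.

```python
import math
import random


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def dp_sanitize(update, clip_norm, noise_sigma, rng=None):
    """Per-client DP sanitization: scale the update to at most clip_norm, then add N(0, sigma^2) per coordinate."""
    rng = rng or random.Random(0)
    n = l2_norm(update)
    scale = min(1.0, clip_norm / n) if n > 0 else 1.0
    return [x * scale + rng.gauss(0.0, noise_sigma) for x in update]


def flag_norm_outliers(updates, z_threshold=3.0):
    """Toy norm-based anomaly detector: flag clients whose update norm sits z_threshold std-devs above the mean."""
    norms = [l2_norm(u) for u in updates]
    mean = sum(norms) / len(norms)
    std = math.sqrt(sum((n - mean) ** 2 for n in norms) / len(norms))
    return [i for i, n in enumerate(norms) if std > 0 and (n - mean) / std > z_threshold]


def simulate(num_clients=20, dim=100, malicious_id=0, clip_norm=0.5, noise_sigma=0.1, seed=7):
    """Constructed round: honest updates ~ N(0, 0.05^2) per coordinate, one update 10x larger in magnitude.

    Returns (flagged_before_dp, flagged_after_dp). The clip bound is chosen near the honest norm (~0.5),
    which is what a DP-FL server would typically do, so after clipping the large update is indistinguishable.
    """
    rng = random.Random(seed)
    updates = []
    for i in range(num_clients):
        base = [rng.gauss(0.0, 0.05) for _ in range(dim)]
        if i == malicious_id:
            base = [x * 10.0 for x in base]  # constructed oversized update; norm ~5 vs ~0.5 for honest clients
        updates.append(base)
    flagged_before = flag_norm_outliers(updates)
    sanitized = [dp_sanitize(u, clip_norm, noise_sigma, rng) for u in updates]
    flagged_after = flag_norm_outliers(sanitized)
    return flagged_before, flagged_after


if __name__ == "__main__":
    before, after = simulate()
    print("flagged without DP:", before)   # the oversized client is caught
    print("flagged with DP:   ", after)    # clipping + noise equalize the norms; nothing stands out
```

The takeaway for a defender is that a detector keyed on raw update statistics must be evaluated under the same clipping and noise the deployment applies, or its measured robustness is meaningless.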