Attacking Distance-aware Attack: Semi-targeted Model Poisoning on Federated Learning

Existing model poisoning attacks on federated learning (FL) assume that an adversary has access to the full data distribution. In reality, usually limited prior knowledge about clients' data. A poorly chosen target class renders attack less effective. This work considers a semi-targeted situation where source is predetermined but not. The goal cause misclassification of global classifier from class. Approaches such as label flipping have been used inject malicious parameters into FL. Nevertheless, it shown their performances are class-sensitive, varying with different classes. Typically, becomes effective when shifting To overcome this challenge, we propose Attacking Distance-aware Attack (ADA) enhances in FL by finding optimized feature space. ADA deduces pair-wise attacking distances using Fast LAyer gradient MEthod (FLAME). Extensive evaluations were performed five benchmark image classification tasks and three architectures frequencies. Furthermore, ADA's robustness conventional defenses Byzantine-robust aggregation differential privacy was validated. results showed succeeded increasing performance 2.8 times most challenging case frequency 0.01 bypassed existing defenses, defense still could not reduce below 50%.