Search papers, labs, and topics across Lattice.
This paper introduces a novel feature-based triggerless backdoor attack in vertical federated learning (VFL), demonstrating that triggers are not essential for successful backdoor attacks. The attack leverages label inference, poison generation with amplification and perturbation, and backdoor execution modules, operating under a honest-but-curious attacker model. Experiments across five datasets show the proposed attack significantly outperforms existing trigger-based methods while maintaining high performance even with numerous passive parties and robustness against defenses.
Trigger-based defenses offer a false sense of security in federated learning, as this new attack shows backdoors can be implanted without any explicit triggers, achieving 2-50x better performance than trigger-based attacks.
As a distributed collaborative machine learning paradigm, vertical federated learning (VFL) allows multiple passive parties with distinct features and one active party with labels to collaboratively train a model. Although it is known for the privacy-preserving capabilities, VFL still faces significant privacy and security threats from backdoor attacks. Existing backdoor attacks typically involve an attacker implanting a trigger into the model during the training phase and executing the attack by adding the trigger to the samples during the inference phase. However, in this paper, we find that triggers are not essential for backdoor attacks in VFL. In light of this, we disclose a new backdoor attack pathway in VFL by introducing a feature-based triggerless backdoor attack. This attack operates under a more stringent security assumption, where the attacker is honest-but-curious rather than malicious during the training phase. It comprises three modules: label inference for the targeted backdoor attack, poison generation with amplification and perturbation mechanisms, and backdoor execution to implement the attack. Extensive experiments on five benchmark datasets demonstrate that our attack outperforms three baseline backdoor attacks by 2 to 50 times while minimally impacting the main task. Even in VFL scenarios with 32 passive parties and only one set of auxiliary data, our attack maintains high performance. Moreover, when confronted with distinct defense strategies, our attack remains largely unaffected and exhibits strong robustness. We hope that the disclosure of this triggerless backdoor attack pathway will encourage the community to revisit security threats in VFL scenarios and inspire researchers to develop more robust and practical defense strategies.
