Backdoor Attack to Giant Model in Fragment-Sharing Federated Learning

To efficiently train the billions of parameters in a giant model, sharing the parameter-fragments within the Federated Learning (FL) framework has become a popular pattern, where each client only trains and shares a fraction of parameters, extending the training of giant models to the broader resources-constrained scenarios. Compared with the previous works where the models are fully exchanged, the fragment-sharing pattern poses some new challenges for the backdoor attacks. In this paper, we investigate the backdoor attack on giant models when they are trained in an FL system. With the help of fine-tuning technique, a backdoor attack method is presented, by which the malicious clients can hide the backdoor in a designated fragment that is going to be shared with the benign clients. Apart from the individual backdoor attack method mentioned above, we additionally show a cooperative backdoor attack method, in which the fragment of a malicious client to be shared only contains a part of the backdoor while the backdoor is injected when the benign client receives all the fragments from the malicious clients. Obviously, the later one is more stealthy and harder to be detected. Extensive experiments have been conducted on the datasets of CIFAR-10 and CIFAR-100 with the ResNet-34 as the testing model. The numerical results show that our backdoor attack methods can achieve an attack success rate close to 100% in about 20 rounds of iterations.