Federated Learning Backdoor Attack Based on Constrained Perturbation and Loss Regulation

Journal of Information Security Reserach ›› 2026, Vol. 12 ›› Issue (3): 210-.

Previous Articles Next Articles

Federated Learning Backdoor Attack Based on Constrained Perturbation and Loss Regulation

Zhang Zhenbo, Zhang Shufen, Qu Changsheng, Zhong Qi, and Li Tao#br#

#br#

(College of Science, North China University of Science and Technology, Tangshan, Hebei 063210)
(Hebei Province Key Laboratory of Data Science and Application (North China University of Science and Technology), Tangshan, Hebei 063210)
(Tangshan Key Laboratory of Data Science (North China University of Science and Technology), Tangshan, Hebei 063210)

Online:2026-03-12 Published:2026-03-12

基于约束扰动与损失调控的联邦学习后门攻击

张镇博张淑芬屈昌盛钟琪李涛

(华北理工大学理学院河北唐山063210)
(河北省数据科学与应用重点实验室(华北理工大学)河北唐山063210)
(唐山市数据科学重点实验室(华北理工大学)河北唐山063210)

通讯作者: 张淑芬硕士，教授，硕士生导师.主要研究方向为网络安全、数据安全、隐私保护. zhsf@ncst.edu.cn
作者简介:张镇博硕士研究生.主要研究方向为数据安全、隐私保护. zhangzb6@stu.ncst.edu.cn 张淑芬硕士，教授，硕士生导师.主要研究方向为网络安全、数据安全、隐私保护. zhsf@ncst.edu.cn 屈昌盛硕士.主要研究方向为数据安全、隐私保护. 958518830@qq.com 钟琪硕士研究生.主要研究方向为数据安全、隐私保护. zhongqi@stu.ncst.edu.cn 李涛硕士研究生.主要研究方向为数据安全、隐私保护. litao@stu.ncst.edu.cn

Abstract

Abstract: Federated learning, as a distributed machine learning framework, enables multiparty collaborative training with data isolation and privacy protection, However, its decentralized architecture makes it vulnerable to backdoor attacks. This paper proposes a federated learning backdoor attack method based on the constrained perturbation and loss regulation (CPR). The method realizes backdoor implantation and proliferation through three modules: input perturbation, dynamic weight regulation, and secondary perturbation reinforcement. Input perturbation introduces constraintbased noise to poison the training samples. Dynamic weight regulation dynamically adjusts the task weights by introducing cosine annealing, which realizes the balance between backdoor feature learning and main task performance. Secondary perturbation reinforcement utilizes dynamic loss values to further perturb the poisoned samples and reinforce its backdoor features. The CPR backdoor attack is evaluated on MNIST, FashionMNIST and CIFAR10 datasets, and the experimental results show that the CPR backdoor attack is able to significantly improve the success rate of the attack while maintaining the accuracy of the model’s primary task and exhibits higher stealth and persistence under a variety of data distribution conditions, as compared to pixel, labelflipping and hybrid attacks.

Key words: federated learning, backdoor attack, constraint perturbation, loss regulation, dynamic weight regulation

摘要： 联邦学习作为一种分布式机器学习框架，能够在数据隔离和隐私保护的前提下实现多方协作训练，但其分布式特性使其容易成为后门攻击的目标.提出基于约束扰动与损失调控(constrained perturbation and loss regulation, CPR)的联邦学习后门攻击方法.该方法通过输入扰动、动态权重调控、2次扰动强化3个模块，实现了后门的植入与扩散.输入扰动通过对样本添加约束噪声毒化样本.动态权重调控通过引入余弦退火动态调整任务权重，实现了后门特性学习与主任务性能的平衡.2次扰动强化利用动态损失值进一步对毒化样本进行扰动，强化其后门特征.在MNIST，FashionMNIST，CIFAR10数据集上对CPR后门攻击进行评估，实验结果表明，与像素攻击、标签翻转攻击和混合攻击相比，CPR后门攻击在维持模型主任务准确率的同时，能够显著提高攻击成功率，并在多种数据分布条件下表现出更高的隐蔽性和持久性.

关键词: 联邦学习, 后门攻击, 约束扰动, 损失调控, 动态权重调控

CLC Number:

TP309.2

张镇博, 张淑芬, 屈昌盛, 钟琪, 李涛, . 基于约束扰动与损失调控的联邦学习后门攻击[J]. 信息安全研究, 2026, 12(3): 210-.

References

［1］Airouz P, Mcmahan H B, Avent B, et al. Advances and open problems in federated learning［J］. Foundations and Trends in Machine Learning, 2021, 14(12): 1210［2］Bagdasaryan E, Veit A, Hua Y, et al. How to backdoor federated learning［C］ Proc of the 2020 Int Conf on Artificial Intelligence and Statistics. New York: PMLR, 2020: 29382948［3］陈学斌, 屈昌盛. 面向联邦学习的后门攻击与防御综述［J］. 计算机应用, 2024, 44(11): 34593469［4］Liu T, Zhang Y, Feng Z, et al. Beyond traditional threats: A persistent backdoor attack on federated learning［C］ Proc of the AAAI Conf on Artificial Intelligence. Menlo Park, CA: AAAI, 2024: 2135921367［5］Umer M, Dawson G, Polikar R. Targeted forgetting and false memory formation in continual learners through adversarial backdoor attacks［C］ Proc of the 2020 Int Joint Conf on Neural Networks (IJCNN). Piscataway, NJ: IEEE, 2020: 18［6］Liu B, Lyu N, Guo Y, et al. Recent advances on federated learning: A systematic survey［J］. Neurocomputing, 2024, 597(7): 128019［7］Mcmahan B, Moore E, Ramage D, et al. Communicationefficient learning of deep networks from decentralized data［C］ Proc of Artificial Intelligence and Statistics. New York: PMLR, 2017: 12731282［8］Liu Z, Guo J, Yang W, et al. Privacypreserving aggregation in federated learning: A survey［J］. arXiv prepring, arXiv:2203.17005, 2022［9］Liu Y, Ma S, Aafer Y, et al. Trojaning attack on neural networks［C］ Proc of the 25th Annual Network and Distributed System Security Symposium (NDSS 2018). San Diego: Internet Society, 2018: 115［10］Gong X, Chen Y, Huang H, et al. Coordinated backdoor attacks against federated learning with modeldependent triggers［J］. IEEE Network, 2022, 36(1): 8490［11］周景贤, 韩威, 张德栋, 等. 一种抗标签翻转攻击的联邦学习方法［J］. 信息安全研究, 2025, 11(3): 205213［12］Nguyen T D, Nguyen T, Le Nguyen P, et al. Backdoor attacks and defenses in federated learning: Survey, challenges and future research directions［J］. Engineering Applications of Artificial Intelligence, 2024, 127: 107166［13］Shejwalkar V, Houmansadr A, Kairouz P, et al. Back to the drawing board: A critical evaluation of poisoning attacks on production federated learning［C］ Proc of IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2022: 13541371［14］Xie C, Huang K, Chen P Y, et al. Dba: Distributed backdoor attacks against federated learning［C］ Proc of the 2020 Int Conf on Learning Representations. Washington: ICLR, 2020: 119［15］屈昌盛, 陈学斌, 任志强, 等. 基于离散余弦变换的联邦学习后门攻击［JOL］. 郑州大学学报: 理学版, 2024 ［20250507］. https:dio.org10.13705j.issn.16716841.2024121［16］Madry A, Makelov A, Schmidt L, et al. Towards deep learning models resistant to adversarial attacks［J］.arXiv preprint, arXiv:1706.06083, 2017［17］Loshchilov I, Hutter F. SGDR: Stochastic gradient descent with warm restarts［J］. arXiv preprint, arXiv:1608.03983, 2016［18］Cao X, Jia J, Gong N Z. Provably secure federated learning against malicious clients［J］. Proceedings of the AAAI Conf on Artificial Intelligence, 2021, 35(8): 68856893［19］He K M, Zhang X Y, Ren S Q, et al. Deep residual learning for image recognition［C］ Proc of IEEE Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2016: 770778［20］Lecun Y, Bottou L, Bengio Y, et al. Gradientbased learning applied to document recognition［J］. Proceedings of the IEEE, 1998, 86(11): 22782324［21］Xiao H, Rasul K, Vollgraf R. FashionMNIST: A novel image dataset for benchmarking machine learning algorithms［J］. arXiv preprint, arXiv:1712.0026, 2017［22］Krizhevsky A, Hinton G. Learning multiple layers of features from tiny images［J］. Handbook of Systemic Autoimmune Diseases, 2009, 1(4): 160［23］Chen X, Liu C, Li B, et al. Targeted backdoor attacks on deep learning systems using data poisoning［J］. arXiv preprint, arXiv:1712.05526, 2017

[1]	. A Survey on Backdoor Attacks and Defenses in Federated Learning [J]. Journal of Information Security Reserach, 2025, 11(9): 778-.
[2]	. Internet of Things Intrusion Detection Model Based on Federated Learning [J]. Journal of Information Security Reserach, 2025, 11(9): 788-.
[3]	. A Covert Backdoor Attack Method in Fewshot Class Incremental Learning [J]. Journal of Information Security Reserach, 2025, 11(9): 797-.
[4]	. Task Independent Privacy Protection in Personalized Federated Learning for Battery Monitoring [J]. Journal of Information Security Reserach, 2025, 11(5): 481-.
[5]	. Privacypreserving Federated Learning Research Based on #br# Confused Modulo Projection Homomorphic Encryption#br# [J]. Journal of Information Security Reserach, 2025, 11(3): 198-.
[6]	. A Federated Learning Method Resistant to Label Flip Attack [J]. Journal of Information Security Reserach, 2025, 11(3): 205-.
[7]	. Research of Invisible Backdoor Attack Based on Interpretability [J]. Journal of Information Security Reserach, 2025, 11(1): 21-.
[8]	. A Poisoningresistant Verifiable Secure Federated Learning Scheme #br# in IoT Perception Environments#br# [J]. Journal of Information Security Reserach, 2024, 10(9): 804-.
[9]	. A Cloud Edge Coordinated Federated Computing Method for Fault Detection in the Railway Signal System [J]. Journal of Information Security Reserach, 2024, 10(8): 753-.
[10]	. Federated Foundation Model Finetuning Based on Differential Privacy#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(7): 616-.
[11]	. Model of Intrusion Detection Based on Federated Learning and Convolutional Neural Network [J]. Journal of Information Security Reserach, 2024, 10(7): 642-.
[12]	. A Secure and Efficient Method of Fully Anonymous Vertical Federated Learning [J]. Journal of Information Security Reserach, 2024, 10(6): 506-.
[13]	. Research on Privacy Protection Technology in Federated Learning [J]. Journal of Information Security Reserach, 2024, 10(3): 194-.
[14]	. Malicious Client Detection and Defense Method for Federated Learning [J]. Journal of Information Security Reserach, 2024, 10(2): 163-.
[15]	. An Adaptive Network Attack Analysis Method Based on Federated Learning [J]. Journal of Information Security Reserach, 2024, 10(12): 1091-.

Federated Learning Backdoor Attack Based on Constrained Perturbation and Loss Regulation

基于约束扰动与损失调控的联邦学习后门攻击

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics