Saved in:
Bibliographic Details
Main Authors: Zeng, Honghong, Lou, Jiong, Wang, Zhe, Zhou, Hefeng, Wu, Chentao, Zhao, Wei, Li, Jie
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2509.12964
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918142149656576
author Zeng, Honghong
Lou, Jiong
Wang, Zhe
Zhou, Hefeng
Wu, Chentao
Zhao, Wei
Li, Jie
author_facet Zeng, Honghong
Lou, Jiong
Wang, Zhe
Zhou, Hefeng
Wu, Chentao
Zhao, Wei
Li, Jie
contents Prototype-based federated learning (PFL) has emerged as a promising paradigm to address data heterogeneity problems in federated learning, as it leverages mean feature vectors as prototypes to enhance model generalization. However, its robustness against backdoor attacks remains largely unexplored. In this paper, we identify that PFL is inherently resistant to existing backdoor attacks due to its unique prototype learning mechanism and local data heterogeneity. To further explore the security of PFL, we propose BAPFL, the first backdoor attack method specifically designed for PFL frameworks. BAPFL integrates a prototype poisoning strategy with a trigger optimization mechanism. The prototype poisoning strategy manipulates the trajectories of global prototypes to mislead the prototype training of benign clients, pushing their local prototypes of clean samples away from the prototypes of trigger-embedded samples. Meanwhile, the trigger optimization mechanism learns a unique and stealthy trigger for each potential target label, and guides the prototypes of trigger-embedded samples to align closely with the global prototype of the target label. Experimental results across multiple datasets and PFL variants demonstrate that BAPFL achieves a 35\%-75\% improvement in attack success rate compared to traditional backdoor attacks, while preserving main task accuracy. These results highlight the effectiveness, stealthiness, and adaptability of BAPFL in PFL.
format Preprint
id arxiv_https___arxiv_org_abs_2509_12964
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle BAPFL: Exploring Backdoor Attacks Against Prototype-based Federated Learning
Zeng, Honghong
Lou, Jiong
Wang, Zhe
Zhou, Hefeng
Wu, Chentao
Zhao, Wei
Li, Jie
Machine Learning
Prototype-based federated learning (PFL) has emerged as a promising paradigm to address data heterogeneity problems in federated learning, as it leverages mean feature vectors as prototypes to enhance model generalization. However, its robustness against backdoor attacks remains largely unexplored. In this paper, we identify that PFL is inherently resistant to existing backdoor attacks due to its unique prototype learning mechanism and local data heterogeneity. To further explore the security of PFL, we propose BAPFL, the first backdoor attack method specifically designed for PFL frameworks. BAPFL integrates a prototype poisoning strategy with a trigger optimization mechanism. The prototype poisoning strategy manipulates the trajectories of global prototypes to mislead the prototype training of benign clients, pushing their local prototypes of clean samples away from the prototypes of trigger-embedded samples. Meanwhile, the trigger optimization mechanism learns a unique and stealthy trigger for each potential target label, and guides the prototypes of trigger-embedded samples to align closely with the global prototype of the target label. Experimental results across multiple datasets and PFL variants demonstrate that BAPFL achieves a 35\%-75\% improvement in attack success rate compared to traditional backdoor attacks, while preserving main task accuracy. These results highlight the effectiveness, stealthiness, and adaptability of BAPFL in PFL.
title BAPFL: Exploring Backdoor Attacks Against Prototype-based Federated Learning
topic Machine Learning
url https://arxiv.org/abs/2509.12964