Federated Contrastive Learning (FCL) enables distributed clients to collaboratively learn task-agnostic encoders from unlabeled data without sharing sensitive information. While this paradigm offers significant privacy benefits, it introduces novel security vulnerabilities. This thesis presents BadAvg, the first aggregation-aware backdoor attack specifically designed for FCL that fundamentally rethinks how backdoors can survive federated aggregation. Unlike existing approaches such as BAGEL that rely on easily detectable linear weight scaling, BadAvg incorporates the federated averaging process directly into the attack optimization through a differentiable aggregation layer. This enables the malicious client to learn optimal parameters via backpropagation that account for aggregation dynamics, achieving both effectiveness and stealth. Our comprehensive evaluation across IID and non-IID federated settings demonstrates that BadAvg achieves near-perfect attack success rates (99.96% and 99.99%, respectively) while producing update norms up to 17× smaller than existing methods without explicit constraints. The attack successfully evades state-of-the-art defenses, including outlier detection, weight clipping, and differential privacy mechanisms based on Gaussian noise. Moreover, BadAvg requires 75% fewer training epochs compared to existing methods, demonstrating superior efficiency. This work reveals critical vulnerabilities in federated contrastive learning systems and emphasizes the urgent need to develop robust defenses against aggregation-aware attacks. Our findings have important implications for the secure deployment of federated learning in privacy-sensitive applications.
Il Federated Contrastive Learning (FCL) permette a client distribuiti di apprendere collaborativamente encoders indipendenti dal task da dati non etichettati senza condividere informazioni sensibili. Sebbene questo paradigma offra significativi vantaggi in termini di privacy, introduce nuove vulnerabilità di sicurezza. Questa tesi presenta BadAvg, il primo attacco backdoor consapevole dell'aggregazione specificamente progettato per FCL che ripensa fondamentalmente come le backdoor possano sopravvivere all'aggregazione federata. A differenza degli approcci esistenti come BAGEL che si basano su uno scaling lineare dei pesi facilmente rilevabile, BadAvg incorpora il processo di federated averaging direttamente nell'ottimizzazione dell'attacco attraverso un layer di aggregazione differenziabile. Ciò consente al client malevolo di apprendere parametri ottimali tramite backpropagation che tengono conto delle dinamiche di aggregazione, ottenendo sia efficacia che furtività. La nostra analisi sperimentale in contesti federati IID e non-IID dimostra che BadAvg raggiunge percentuali di successo dell'attacco quasi perfette (rispettivamente 99.96% and 99.99%) producendo al contempo norme degli updates fino a 17× inferiori rispetto ai metodi esistenti senza vincoli espliciti. L'attacco elude con successo le difese state-of-the-art, inclusi rilevamento di outlier, clipping dei pesi e meccanismi di differential privacy basati sul rumore Gaussiano. Inoltre, BadAvg richiede il 75% in meno di epoche di allenamento rispetto ai metodi esistenti, dimostrando un'efficienza superiore. Questo lavoro rivela vulnerabilità critiche nei sistemi di federated contrastive learning e sottolinea l'urgente necessità di sviluppare difese robuste contro gli attacchi aggregation-aware. I nostri risultati hanno importanti implicazioni per il deployment sicuro del federated learning in applicazioni sensibili alla privacy.
BadAvg: aggregation-aware backdoor attack against Federated Contrastive Learning
Franchi, Davide
2024/2025
Abstract
Federated Contrastive Learning (FCL) enables distributed clients to collaboratively learn task-agnostic encoders from unlabeled data without sharing sensitive information. While this paradigm offers significant privacy benefits, it introduces novel security vulnerabilities. This thesis presents BadAvg, the first aggregation-aware backdoor attack specifically designed for FCL that fundamentally rethinks how backdoors can survive federated aggregation. Unlike existing approaches such as BAGEL that rely on easily detectable linear weight scaling, BadAvg incorporates the federated averaging process directly into the attack optimization through a differentiable aggregation layer. This enables the malicious client to learn optimal parameters via backpropagation that account for aggregation dynamics, achieving both effectiveness and stealth. Our comprehensive evaluation across IID and non-IID federated settings demonstrates that BadAvg achieves near-perfect attack success rates (99.96% and 99.99%, respectively) while producing update norms up to 17× smaller than existing methods without explicit constraints. The attack successfully evades state-of-the-art defenses, including outlier detection, weight clipping, and differential privacy mechanisms based on Gaussian noise. Moreover, BadAvg requires 75% fewer training epochs compared to existing methods, demonstrating superior efficiency. This work reveals critical vulnerabilities in federated contrastive learning systems and emphasizes the urgent need to develop robust defenses against aggregation-aware attacks. Our findings have important implications for the secure deployment of federated learning in privacy-sensitive applications.| File | Dimensione | Formato | |
|---|---|---|---|
|
2025_07_Franchi_ExecutiveSummary_02.pdf
accessibile in internet solo dagli utenti autorizzati
Descrizione: Executive Summary
Dimensione
1.19 MB
Formato
Adobe PDF
|
1.19 MB | Adobe PDF | Visualizza/Apri |
|
2025_07_Franchi_Tesi_01.pdf
accessibile in internet solo dagli utenti autorizzati
Descrizione: Testo della tesi
Dimensione
7.3 MB
Formato
Adobe PDF
|
7.3 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/240686