DOPA: Stealthy and Generalizable Backdoor Attacks from a Single Client under Challenging Federated Constraints
Xuezheng Qin 1, Ruwei Huang 1, Xiaolong Tang 1, Feng Li 2
Published on arXiv: 2508.14530
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
Achieves 70–100% attack success rates under a single-client, black-box, sparsely participating threat model while evading 12 diverse defense strategies across two datasets and two model architectures.
DOPA (Divergent Optimization Path Attack)
Novel technique introduced
Federated Learning (FL) is increasingly adopted for privacy-preserving collaborative training, but its decentralized nature makes it particularly susceptible to backdoor attacks. Existing attack methods, however, often rely on idealized assumptions and fail to remain effective under real-world constraints, such as limited attacker control, non-IID data distributions, and the presence of diverse defense mechanisms. To address this gap, we propose DOPA (Divergent Optimization Path Attack), a novel framework that simulates heterogeneous local training dynamics and seeks consensus across divergent optimization trajectories to craft universally effective and stealthy backdoor triggers. By leveraging consistency signals across simulated paths to guide optimization, DOPA overcomes the challenge of heterogeneity-induced instability and achieves practical attack viability under stringent federated constraints. We validate DOPA on a comprehensive suite of 12 defense strategies, two model architectures (ResNet18/VGG16), two datasets (CIFAR-10/TinyImageNet), and both mild and extreme non-IID settings. Despite operating under a single-client, black-box, and sparsely participating threat model, DOPA consistently achieves high attack success, minimal accuracy degradation, low runtime, and long-term persistence. These results demonstrate a more practical attack paradigm, offering new perspectives for designing robust defense strategies in federated learning systems.
Key Contributions
- DOPA framework that simulates heterogeneous non-IID optimization trajectories and forges a consensus update direction to generate universally effective, stealthy backdoor triggers without access to real client data
- Demonstrates practical attack viability under a stringent single-client, black-box, sparse-participation threat model in both mild and extreme non-IID settings
- Comprehensive evaluation against 12 defense strategies (e.g., Krum, FLAME, FoolsGold, FedDF, DP) on CIFAR-10 and TinyImageNet with ResNet18/VGG16, achieving 70–100% attack success rates with long-term persistence
🛡️ Threat Analysis
DOPA embeds hidden, targeted malicious behavior (backdoor triggers) into a federated global model — the model behaves normally on clean inputs but misbehaves on triggered inputs. This is the canonical backdoor/trojan threat. The FL delivery mechanism does not change the primary category since the goal is trigger-based targeted misbehavior, not general model degradation.