attack 2025

BAPFL: Exploring Backdoor Attacks Against Prototype-based Federated Learning

Honghong Zeng 1, Jiong Lou 1,2, Zhe Wang 1, Hefeng Zhou 1, Chentao Wu 1,2, Wei Zhao 3, Jie Li 1,2

1 Shanghai Jiao Tong University

2 Yancheng Blockchain Research Institute

3 Shenzhen University of Advanced Technology

0 citations
α

Published on arXiv

2509.12964

Model Poisoning

OWASP ML Top 10 — ML10

Key Finding

BAPFL achieves a 35–75% improvement in attack success rate over traditional backdoor attacks on multiple PFL variants while preserving main task accuracy.

BAPFL

Novel technique introduced

Prototype-based federated learning (PFL) has emerged as a promising paradigm to address data heterogeneity problems in federated learning, as it leverages mean feature vectors as prototypes to enhance model generalization. However, its robustness against backdoor attacks remains largely unexplored. In this paper, we identify that PFL is inherently resistant to existing backdoor attacks due to its unique prototype learning mechanism and local data heterogeneity. To further explore the security of PFL, we propose BAPFL, the first backdoor attack method specifically designed for PFL frameworks. BAPFL integrates a prototype poisoning strategy with a trigger optimization mechanism. The prototype poisoning strategy manipulates the trajectories of global prototypes to mislead the prototype training of benign clients, pushing their local prototypes of clean samples away from the prototypes of trigger-embedded samples. Meanwhile, the trigger optimization mechanism learns a unique and stealthy trigger for each potential target label, and guides the prototypes of trigger-embedded samples to align closely with the global prototype of the target label. Experimental results across multiple datasets and PFL variants demonstrate that BAPFL achieves a 35\%-75\% improvement in attack success rate compared to traditional backdoor attacks, while preserving main task accuracy. These results highlight the effectiveness, stealthiness, and adaptability of BAPFL in PFL.

Key Contributions

  • First backdoor attack method specifically designed for prototype-based federated learning (PFL), exposing a previously unexplored vulnerability in this paradigm.
  • Prototype poisoning strategy that manipulates global prototype trajectories to push benign clients' clean-sample prototypes away from trigger-sample prototypes.
  • Trigger optimization mechanism that learns a unique, stealthy trigger per target label and aligns trigger-sample prototypes with the global prototype of the target class.

🛡️ Threat Analysis

Model Poisoning

BAPFL is a trigger-based backdoor attack where malicious FL clients inject hidden targeted behavior (misclassification on trigger-embedded samples) while normal behavior is preserved — the defining characteristic of ML10 backdoor/trojan attacks.

Details

Domains
visionfederated-learning
Model Types
cnnfederated
Threat Tags
training_timetargeteddigitalgrey_box
Applications
federated learningimage classification
Read PDF arXiv

Similar Papers

attack

FLAT: Latent-Driven Arbitrary-Target Backdoor Attacks in Federated Learning

2025 0 cit.
Model Poisoning
93%
attack

Structure-Aware Distributed Backdoor Attacks in Federated Learning

2026 0 cit.
Model Poisoning
93%
attack

On the Out-of-Distribution Backdoor Attack for Federated Learning

2025 0 cit.
Model Poisoning
93%
attack

Mingling with the Good to Backdoor Federated Learning

2025 0 cit.
Model Poisoning
93%
attack

DOPA: Stealthy and Generalizable Backdoor Attacks from a Single Client under Challenging Federated Constraints

2025 0 cit.
Model Poisoning
87%
attack

Exploiting Layer-Specific Vulnerabilities to Backdoor Attack in Federated Learning

2026 0 cit.
Model Poisoning
87%
attack

IPBA: Imperceptible Perturbation Backdoor Attack in Federated Self-Supervised Learning

2025 0 cit.
Model Poisoning
86%
defense

MARS: A Malignity-Aware Backdoor Defense in Federated Learning

2025 5 cit.
Model Poisoning
80%