ML Security PapersADCA: Attention-Driven Multi-Party Collusion Attack in Federated Self-Supervised Learning
Jiayao Wang 1, Yiping Zhang 1, Jiale Zhang 1, Wenliang Yuan 2, Qilin Wu 3, Junwu Zhu 1, Dongfang Zhao 4
Published on arXiv
2602.05612
Model Poisoning
OWASP ML Top 10 — ML10
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
ADCA significantly outperforms existing FSSL backdoor attack methods in Attack Success Rate and persistence across four benchmark datasets by using distributed trigger decomposition and attention-driven coalition updates to resist benign-update dilution.
ADCA (Attention-Driven multi-party Collusion Attack)
Novel technique introduced
Federated Self-Supervised Learning (FSSL) integrates the privacy advantages of distributed training with the capability of self-supervised learning to leverage unlabeled data, showing strong potential across applications. However, recent studies have shown that FSSL is also vulnerable to backdoor attacks. Existing attacks are limited by their trigger design, which typically employs a global, uniform trigger that is easily detected, gets diluted during aggregation, and lacks robustness in heterogeneous client environments. To address these challenges, we propose the Attention-Driven multi-party Collusion Attack (ADCA). During local pre-training, malicious clients decompose the global trigger to find optimal local patterns. Subsequently, these malicious clients collude to form a malicious coalition and establish a collaborative optimization mechanism within it. In this mechanism, each submits its model updates, and an attention mechanism dynamically aggregates them to explore the best cooperative strategy. The resulting aggregated parameters serve as the initial state for the next round of training within the coalition, thereby effectively mitigating the dilution of backdoor information by benign updates. Experiments on multiple FSSL scenarios and four datasets show that ADCA significantly outperforms existing methods in Attack Success Rate (ASR) and persistence, proving its effectiveness and robustness.
Key Contributions
- First work exploring distributed trigger decomposition strategies for backdoor attacks in FSSL, partitioning a global trigger into local patterns across malicious clients trained via contrastive learning.
- Attention-driven malicious coalition mechanism that dynamically fuses global model updates with per-client backdoored updates before each local training round, mitigating aggregation-induced backdoor dilution.
- Systematic evaluation on CIFAR-10, STL-10, GTSRB, and CIFAR-100 demonstrating that ADCA outperforms existing FSSL backdoor attacks in both Attack Success Rate and persistence while exposing weaknesses in current federated defenses.
🛡️ Threat Analysis
The attack operates via malicious clients manipulating their local training and model updates in federated learning, which constitutes Byzantine-style model-update poisoning in FL; the collusion mechanism specifically targets the aggregation step to prevent backdoor dilution by benign updates.
ADCA is a backdoor/trojan attack where malicious FL clients inject hidden, trigger-activated targeted behavior into the shared global model; the model behaves normally on clean inputs but misclassifies triggered inputs to attacker-defined targets — the textbook ML10 threat.