attack 2026

Exploiting Layer-Specific Vulnerabilities to Backdoor Attack in Federated Learning

Mohammad Hadi Foroughi 1,2, Seyed Hamed Rastegar 3,2, Mohammad Sabokrou 4, Ahmad Khonsari 1,2

0 citations · 20 references

Published on arXiv

2602.15161

Model Poisoning

OWASP ML Top 10 — ML10

Key Finding

LSA achieves up to 97% backdoor success rate while maintaining high main-task accuracy and consistently bypassing state-of-the-art FL defense mechanisms including robust aggregation rules and anomaly detectors.

Layer Smoothing Attack (LSA)

Novel technique introduced


Federated learning (FL) enables distributed model training across edge devices while preserving data locality. This decentralized approach has emerged as a promising solution for collaborative learning on sensitive user data, effectively addressing the longstanding privacy concerns inherent in centralized systems. However, the decentralized nature of FL exposes new security vulnerabilities, especially backdoor attacks that threaten model integrity. To investigate this critical concern, this paper presents the Layer Smoothing Attack (LSA), a novel backdoor attack that exploits layer-specific vulnerabilities in neural networks. First, a Layer Substitution Analysis methodology systematically identifies backdoor-critical (BC) layers that contribute most significantly to backdoor success. Subsequently, LSA strategically manipulates these BC layers to inject persistent backdoors while remaining undetected by state-of-the-art defense mechanisms. Extensive experiments across diverse model architectures and datasets demonstrate that LSA achieves a remarkable backdoor success rate of up to 97% while maintaining high model accuracy on the primary task, consistently bypassing modern FL defenses. These findings uncover fundamental vulnerabilities in current FL security frameworks, demonstrating that future defenses must incorporate layer-aware detection and mitigation strategies.


Key Contributions

  • Layer Substitution Analysis methodology that systematically identifies backdoor-critical (BC) layers — the subset of layers most influential to backdoor success in a neural network
  • Layer Smoothing Attack (LSA) that restricts malicious modifications to BC layers and applies a smoothing technique to make poisoned updates statistically indistinguishable from benign updates, evading anomaly-based FL defenses
  • Empirical evaluation across diverse architectures and datasets demonstrating up to 97% backdoor success rate while preserving primary task accuracy and bypassing Multi-Krum, Trimmed Mean, and FLAME defenses

🛡️ Threat Analysis

Model Poisoning

LSA is a backdoor/trojan attack that injects hidden, targeted malicious behavior into FL global models by directly manipulating model weight updates (BC layers) — the model behaves normally on clean inputs but misbehaves when the trigger is present. This is model poisoning, not general data degradation.


Details

Domains
vision, federated-learning
Model Types
cnn, federated
Threat Tags
white_box, training_time, targeted, digital
Datasets
CIFAR-10
Applications
federated learning, image classification, iot edge systems