A comprehensive framework for implementing and evaluating backdoor attacks and defenses in federated learning. Designed to be modular and extensible, enabling researchers to easily implement new attacks, defenses, and evaluation methodologies. The framework provides multiple attack implementations, defense mechanisms, and tools for comprehensive evaluation across various datasets.
- Modular Architecture: Easy-to-extend base classes for attacks and defenses
- Multiple Attack Types: Pattern-based, model poisoning, and label manipulation attacks
- Comprehensive Defenses: Robust aggregation methods and defense mechanisms
- Flexible Configuration: YAML-based configuration for experiment management
- Reproducibility: Fixed seeds and comprehensive logging
- Multi-Dataset Support: CIFAR-10/100, MNIST, Fashion-MNIST, SVHN, GTSRB, TinyImageNet
Note: This project supports Python 3.9, 3.10, 3.11, and 3.12. Tested with Python 3.11.13.
# Clone repository
git clone https://github.com/mtuann/fedlearn-backdoor-attacks.git
cd fedlearn-backdoor-attacks
# Install uv (if not installed)
curl -LsSf https://astral.sh/uv/install.sh | sh
# Create virtual environment and install dependencies
uv venv --python 3.11 # Or 3.9, 3.10, 3.12 (tested with 3.11.13)
source .venv/bin/activate # On Windows: .venv\Scripts\activate
# Install dependencies (using pyproject.toml)
uv pip install -e .
# Generate lock file with exact versions for reproducibility
uv lock
# For reproducible installation (if uv.lock exists):
# uv sync  # Installs exact versions from uv.lock (works with any supported Python version)

Note on uv.lock: The lock file supports Python 3.9-3.12. It includes resolution markers that select appropriate package versions for each Python version. For maximum reproducibility, use the same Python version (3.11.13) as tested.
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt  # Fallback for pip users

Note: With uv, pyproject.toml is the primary source. requirements.txt is kept for compatibility with pip users.
Step 1: Generate experiment configuration
python gen_exps_config.py \
--attack badnets \
--base configs/base.yaml \
--output configs/generated \
--dataset cifar10 \
--aggregation FedAvg

This generates a config file in configs/generated/ with parameters for the attack.
Step 2: Run federated learning experiment
python run_federated.py \
--config ./configs/badnets_cifar10.yaml \
--gpu 0

Step 3: View results
Results are saved in:
- results/: Training metrics and history
- checkpoints/: Model checkpoints
- logs/: Training logs
- visualizations/: Attack visualizations and trigger examples
Evaluate attacks against various robust aggregation methods:
# Generate configs for multiple aggregation methods
python gen_exps_config.py \
--attack badnets \
--base configs/base.yaml \
--output configs/generated \
--dataset cifar10 \
--aggregation FedAvg SCAFFOLD FedOpt Median Krum TrimmedMean
# Run each experiment
python run_federated.py --config configs/generated/... --gpu 0

Compare different attack strategies:
# Generate configs for multiple attacks
python gen_exps_config.py \
--attack badnets blended dba sinusoidal \
--base configs/base.yaml \
--output configs/generated \
--dataset cifar10 \
--aggregation FedAvg

Supported datasets: CIFAR-10, CIFAR-100, MNIST, Fashion-MNIST, SVHN, GTSRB, TinyImageNet
Pattern-Based Attacks:
- BadNets: Static trigger pattern attack
- Blended: Blended trigger pattern attack
- Sinusoidal: Sinusoidal pattern attack
- DBA: Distributed Backdoor Attack with multiple local triggers
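To give a concrete flavor of the pattern-based family, the sketch below stamps a BadNets-style static trigger (a small white square) onto selected images and relabels them to the attacker's target class. Function and parameter names are illustrative, not the framework's API; see core/attacks.py for the actual implementations.

```python
import numpy as np

def apply_badnets_trigger(images, labels, poison_indices,
                          target_label=0, patch_size=3, patch_value=1.0):
    """Stamp a static square trigger in the bottom-right corner of the
    selected images and flip their labels to the attacker's target class.

    images: float array of shape (N, H, W, C) with values in [0, 1].
    """
    poisoned = images.copy()
    relabeled = labels.copy()
    for i in poison_indices:
        poisoned[i, -patch_size:, -patch_size:, :] = patch_value
        relabeled[i] = target_label
    return poisoned, relabeled

# Example: poison 2 of 4 CIFAR-10-shaped random images
rng = np.random.default_rng(0)
imgs = rng.random((4, 32, 32, 3))
lbls = np.array([3, 5, 7, 9])
p_imgs, p_lbls = apply_badnets_trigger(imgs, lbls, poison_indices=[0, 2])
```

Blended and sinusoidal attacks follow the same shape but mix the trigger into the image (e.g. a weighted sum) instead of overwriting pixels; DBA splits one global trigger into per-client local patches.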
Model Poisoning Attacks:
- ModelReplacement: Model replacement/scaling attack
- Neurotoxin: Gradient masking attack
- EdgeCaseBackdoor: Edge-case sample attack
- ThreeDFed: Covert backdoor with norm clipping
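The model replacement idea can be sketched in a few lines: if the server averages n equally weighted updates, the attacker scales its malicious delta by roughly n so the averaging step cancels out and the global model lands near the attacker's target weights. This is a conceptual numpy sketch, not the framework's ModelReplacement code.

```python
import numpy as np

def model_replacement_update(global_w, target_w, num_clients):
    """Scaled malicious update: submitting global + n*(target - global)
    cancels FedAvg's 1/n averaging factor."""
    return global_w + num_clients * (target_w - global_w)

n = 10
global_w = np.zeros(5)
target_w = np.full(5, 0.7)   # attacker's desired global model
# Benign clients are assumed to send back (roughly) the current global model
benign = [global_w.copy() for _ in range(n - 1)]
malicious = model_replacement_update(global_w, target_w, n)
new_global = np.mean(benign + [malicious], axis=0)
# new_global equals target_w exactly under this idealized assumption
```

Norm-clipping defenses (see below) directly target this attack, since the scaled update has an unusually large norm; stealthier variants like ThreeDFed constrain the update to evade such checks.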
Other Attacks:
- LabelFlipping: Label manipulation attack
Traditional FL Aggregation: FedAvg, FedSGD, FedProx, SCAFFOLD, FedOpt
Robust Aggregation Methods: Median, CoordinateWiseMedian, TrimmedMean, Krum, MultiKrum, Bulyan, RFA
Defense Methods: FLAME, DeepSight, FLDetector, FLTrust, FoolsGold, RLR, MultiMetric, DnC, FLARE, LASA, Bucketing, AUROR, SignGuard, NormClipping, WeakDP, CRFL, CenteredClipping
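To give a flavor of how the robust aggregation rules above blunt poisoned updates, here is a minimal numpy sketch of coordinate-wise median and trimmed mean. The framework's actual implementations in core/aggregations.py may differ in weighting and edge-case handling.

```python
import numpy as np

def coordinate_wise_median(client_updates):
    """Aggregate by taking the median of each coordinate across clients."""
    return np.median(np.stack(client_updates), axis=0)

def trimmed_mean(client_updates, trim_ratio=0.25):
    """Per coordinate, drop the largest and smallest trim fraction, then average."""
    stacked = np.sort(np.stack(client_updates), axis=0)  # sort each coordinate
    k = int(len(client_updates) * trim_ratio)
    return stacked[k:len(client_updates) - k].mean(axis=0)

updates = [np.array([1.0, 1.0]), np.array([1.2, 0.8]),
           np.array([0.9, 1.1]), np.array([50.0, -50.0])]  # last client is malicious
med = coordinate_wise_median(updates)
tm = trimmed_mean(updates)
# Both rules stay near the benign consensus despite the outlier update
```

Krum and MultiKrum instead score whole updates by their distance to nearest neighbors and keep only the best-scoring ones, which preserves a single coherent client update rather than mixing coordinates.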
To implement a new backdoor attack:

- Create your attack class in core/attacks.py:

from typing import Any, Dict

from .attacks import BaseAttack

class MyCustomAttack(BaseAttack):
    """Your custom attack implementation"""

    def __init__(self, config: Dict[str, Any]):
        super().__init__(config)
        # Initialize your attack-specific parameters

    def get_data_type(self) -> str:
        return "image"  # or "time_series"

    def _apply_static_trigger(self, poisoned_data, poisoned_labels, poison_indices):
        # Implement your trigger application logic
        pass

    # Or override _generate_attack_batch for generative attacks

- Register your attack in the create_attack() factory function:

def create_attack(attack_config: Dict[str, Any]) -> BaseAttack:
    attack_name = attack_config['name']
    if attack_name == 'MyCustomAttack':
        return MyCustomAttack(attack_config)
    # ... other attacks

- Add configuration support in gen_exps_config.py if needed
To implement a new defense mechanism:

- Create your aggregation class in core/aggregations.py:

from .aggregations import BaseAggregation

class MyCustomDefense(BaseAggregation):
    """Your custom defense implementation"""

    def aggregate(self, client_updates, client_weights):
        # Implement your aggregation logic
        pass

- Register your defense in the aggregation factory
- Update configuration to include your defense
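The registration step mirrors the attack factory shown earlier. Below is a self-contained sketch; the class body, factory name, and placeholder aggregation rule are illustrative, and the framework's actual factory in core/aggregations.py may differ.

```python
from typing import Any, Dict

class BaseAggregation:
    """Stand-in for the framework's base aggregation class."""
    def __init__(self, config: Dict[str, Any]):
        self.config = config

    def aggregate(self, client_updates, client_weights):
        raise NotImplementedError

class MyCustomDefense(BaseAggregation):
    def aggregate(self, client_updates, client_weights):
        # Placeholder rule: weighted coordinate-wise average
        total = sum(client_weights)
        return [sum(w * u[i] for u, w in zip(client_updates, client_weights)) / total
                for i in range(len(client_updates[0]))]

def create_aggregation(config: Dict[str, Any]) -> BaseAggregation:
    """Hypothetical factory, mirroring create_attack()."""
    name = config['name']
    if name == 'MyCustomDefense':
        return MyCustomDefense(config)
    raise ValueError(f"Unknown aggregation: {name}")

agg = create_aggregation({'name': 'MyCustomDefense'})
result = agg.aggregate([[1.0, 2.0], [3.0, 4.0]], [1.0, 1.0])
```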
To add a new dataset:

- Add dataset loading logic in data_loader.py
- Update normalization parameters in configuration files
- Add dataset-specific model architectures if needed in core/custom_models/
Configs are YAML files. Generate experiment configs using gen_exps_config.py:
python gen_exps_config.py \
--attack <attack_name> \
--base configs/base.yaml \
--output configs/generated \
--dataset <dataset> \
--aggregation <agg_method>

Supported attacks: badnets, blended, sinusoidal, dba, labelflipping, modelreplacement, neurotoxin, edgecasebackdoor, threedfed
Supported datasets: cifar10, cifar100, mnist, fashionmnist, svhn, gtsrb, tinyimagenet
Supported aggregations: See list above (can specify multiple)
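For orientation, a generated config might look roughly like the sketch below. The key names here are assumptions for illustration only; consult configs/base.yaml and the files under configs/generated/ for the authoritative schema.

```yaml
# Hypothetical generated config (actual key names may differ)
dataset: cifar10
aggregation: FedAvg
attack:
  name: badnets
  poison_ratio: 0.1      # fraction of local data poisoned (illustrative)
  target_label: 0
training:
  rounds: 100
  clients_per_round: 10
  seed: 42
```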
<project-directory>/
├── results/            # Training metrics and history
├── checkpoints/        # Model checkpoints (including attack models)
├── logs/               # Training logs
├── visualizations/     # Attack visualizations
├── configs/            # Configuration files
│   ├── base.yaml       # Base configuration
│   └── generated/      # Generated experiment configs
└── core/               # Core framework code
    ├── attacks.py      # Attack implementations
    ├── aggregations.py # Defense/aggregation implementations
    ├── client.py       # Client-side FL logic
    ├── server.py       # Server-side FL logic
    └── ...
All experiments use fixed random seeds for reproducibility. The framework includes:
- Deterministic training with seed configuration
- Checkpoint saving/loading for experiment resumption
- Comprehensive logging of all hyperparameters and results
- Version tracking for dependencies
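A typical seed-setup helper looks like the sketch below. This is illustrative, not the framework's actual seeding code; the torch calls are guarded so the helper also works where PyTorch is not installed.

```python
import os
import random

import numpy as np

def set_seed(seed: int = 42):
    """Seed every RNG the training loop may touch."""
    random.seed(seed)
    np.random.seed(seed)
    os.environ["PYTHONHASHSEED"] = str(seed)
    try:
        import torch
        torch.manual_seed(seed)
        torch.cuda.manual_seed_all(seed)
        torch.backends.cudnn.deterministic = True  # trade speed for determinism
        torch.backends.cudnn.benchmark = False
    except ImportError:
        pass  # torch not installed; random/numpy seeding still applies

set_seed(42)
a = np.random.rand(3)
set_seed(42)
b = np.random.rand(3)
# a and b are identical because the seed was reset between draws
```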
- core/attacks.py: Base attack class and all attack implementations
- core/aggregations.py: Aggregation methods and defense mechanisms
- core/client.py: Client-side federated learning logic
- core/server.py: Server-side federated learning logic
- core/framework.py: Core federated learning framework
- core/models.py: Model definitions
- data_loader.py: Dataset loading utilities
- federated_trainer.py: Main training loop
- run_federated.py: Entry point for running experiments
- gen_exps_config.py: Configuration file generator
This framework is designed to be extended. When adding new features:
- Follow the existing code structure and patterns
- Add comprehensive docstrings
- Update this README with new features
- Ensure reproducibility with proper seed handling
- Add appropriate error handling
MIT License
This framework implements various attacks and defenses from the federated learning security literature. For a comprehensive survey on backdoor attacks and defenses in federated learning, please refer to:
Nguyen, T. D., Nguyen, T., Le Nguyen, P., Pham, H. H., Doan, K. D., & Wong, K. S. (2024). Backdoor attacks and defenses in federated learning: Survey, challenges and future research directions. Engineering Applications of Artificial Intelligence, 127, 107166. https://doi.org/10.1016/j.engappai.2023.107166
Please cite the original papers when using specific attacks or defenses in your research.
Backdoor Learning Papers (Up-to-date):
- GitHub Repository: backdoor-ai-resources - Comprehensive collection of backdoor learning papers with code
- Interactive Search & Browse: Research Papers Portal - Filter, search, and explore all papers with an intuitive interface