The generalization bound is a crucial theoretical tool for assessing the
generalizability of learning methods and there exist vast literatures on
generalizability of normal learning, adversarial learning, and data poisoning.
Unlike other data poison attacks, the backdoor attack has the special property
that the poisoned triggers are contained in both the training set and the test
set and the purpose of the attack is two-fold. To our knowledge, the
generalization bound for the backdoor attack has not been established. In this
paper, we fill this gap by deriving algorithm-independent generalization bounds
in the clean-label backdoor attack scenario. Precisely, based on the goals of
backdoor attack, we give upper bounds for the clean sample population errors
and the poison population errors in terms of the empirical error on the
poisoned training dataset. Furthermore, based on the theoretical result, a new
clean-label backdoor attack is proposed that computes the poisoning trigger by
combining adversarial noise and indiscriminate poison. We show its
effectiveness in a variety of settings.

本文推导出了算法无关的干净标签后门攻击情景中的泛化界限；提出一种新的干净标签后门攻击方法，通过结合对抗性噪音和无差别毒害计算出毒触发器，并在各种情景中展示其有效性。

干净标签背门攻击的泛化界限和新算法

Generalization Bound and New Algorithm for Clean-Label Backdoor Attack

Federated learning (FL) enables multiple parties to collaboratively train a
machine learning model without sharing their data; rather, they train their own
model locally and send updates to a central server for aggregation. Depending
on how the data is distributed among the participants, FL can be classified
into Horizontal (HFL) and Vertical (VFL). In VFL, the participants share the
same set of training instances but only host a different and non-overlapping
subset of the whole feature space. Whereas in HFL, each participant shares the
same set of features while the training set is split into locally owned
training data subsets.
VFL is increasingly used in applications like financial fraud detection;
nonetheless, very little work has analyzed its security. In this paper, we
focus on robustness in VFL, in particular, on backdoor attacks, whereby an
adversary attempts to manipulate the aggregate model during the training
process to trigger misclassifications. Performing backdoor attacks in VFL is
more challenging than in HFL, as the adversary i) does not have access to the
labels during training and ii) cannot change the labels as she only has access
to the feature embeddings. We present a first-of-its-kind clean-label backdoor
attack in VFL, which consists of two phases: a label inference and a backdoor
phase. We demonstrate the effectiveness of the attack on three different
datasets, investigate the factors involved in its success, and discuss
countermeasures to mitigate its impact.

本文研究了垂直联邦学习中的干扰攻击，提出了第一种干净标签后门攻击技术，并在三个数据集上验证了其有效性，研究了攻击成功的因素，并讨论了减轻其影响的对策。