Recent advances in federated learning have demonstrated its promising
capability to learn on decentralized datasets. However, a considerable amount
of work has raised concerns due to the potential risks of adversaries
participating in the framework to poison the global model for an adversarial
purpose. This paper investigates the feasibility of model poisoning for
backdoor attacks through rare word embeddings of NLP models. In text
classification, less than 1% of adversary clients suffices to manipulate the
model output without any drop in the performance on clean sentences. For a less
complex dataset, a mere 0.1% of adversary clients is enough to poison the
global model effectively. We also propose a technique specialized in the
federated learning scheme called Gradient Ensemble, which enhances the backdoor
performance in all our experimental settings.

本文通过研究 NLP 模型中的稀有词嵌入，调查了后门攻击的模型毒化的可行性。在文本分类中，不到 1% 的对手客户端就足以操纵模型输出，而对于一个较简单的数据集，仅需 0.1% 的对手客户端就足以有效地污染全局模型。此外，我们还提出了一种针对联邦学习方案的技术 —— 梯度集成，它提高了后门性能在我们的所有实验设置中表现出优越性。