Concealing Backdoors in Federated Learning by Trigger-Optimized Data Poisoning

Weakness 3: As DPOT introduces extra operations after receiving the global model, time consumed by the optimization procedure could be important. This is because extra processing time could may cause the drop out of malicious clients. I suggest that authors could further discuss on this part.

Response: Thanks for this constructive suggestion! Including comparison results in terms of computational overhead has definitely helped to better clarify DPOT's unique advantages. We measured the execution time of DPOT, A3FL, and IBA attacks on the same computational platform, consisting of one NVIDIA A40 GPU core and 200 GB of CPU RAM. The measurement results are presented in the table below.

• Overall Elapsed Time: The total execution time for an attacker, from receiving the global model to submitting its training data to the training pipeline in one round.
• Elapsed Time per Epoch: The time taken for each epoch to optimize a trigger.
• Number of Epochs: The number of epochs needed to complete trigger optimization. We obtained this data for A3FL and IBA from their default settings for the CIFAR-10 dataset in their open-source projects.
• Local Training Elapsed Time: The training time for each client. The execution of local training is consistent among all clients, as it is handled within TEEs.

The DPOT attack requires less computational time overall and per epoch, highlighting its efficiency compared to other optimization-based attack methods. The overall elapsed time for a DPOT attack is 4.1 times longer than the local training time. In a distributed FL system with heterogeneous client devices, high-end mobile devices, such as the iPhone 15 Pro, can serve as training platforms. We assume adversaries have access to high-performance computational resources, allowing them to compensate for any computational gap between malicious and benign clients. For instance, the iPhone 15 Pro, with approximately 1 TFLOP GPU performance, is significantly outmatched by an NVIDIA A100 GPU, which delivers up to 312 TFLOPS, demonstrating a 312-fold difference in computational power.

Weakness 4:Carefully manipulating the pixel location and pixel value for triggers is not realistic for adversaries to deploy. I dont see a practical setting where adversaries could such precisely control the backdoor pixel location and value. Authors may consider specify this point in the threat model part, otherwise it is inconvincible that the described method is dangerous. & Question 3: is DPOT practical at least for some settings?

Response: Thanks for bringing up the discussion about DPOT's deployment. We envision an attack that manipulates (poisons) the training data before it enters the trusted training pipeline, such as at the sensor where the image is initially captured. This method is similar to how to practically deploy other optimized triggers such as A3FL and IBA. [1] H. Zhang, J. Jia, J. Chen, L. Lin, and D. Wu. A3fl: Adversarially adaptive backdoor attacks to federated learning. In 36thAdvances in Neural Information Processing Systems, 2024. [2] Nguyen, Thuy Dung, et al. "Iba: Towards irreversible backdoor attacks in federated learning." Advances in Neural Information Processing Systems 36 (2024).

Weakness 5:The abstract part claims this work provides theoretical justification about the methods. However, i could only find this part in the appendix. I suggest authors could put some of the main results in the main paper.

Response: Thanks for the suggestion! We particularly wanted to include our theoretical justification in the main paper, but were unable to do so due to page limitations and concerns about maintaining a complete narrative of our method.

Weakness 1: This paper claims that the static optimization objective makes current backdoor training algorithms generate updates with distinct difference with benign ones. This could result in the rejection of many backdoor detection methods. However, a recent work [1] finds that adversaries could simply adopt smaller learning rates to train backdoored models. This could craft malicious updates which are statistically close to benign ones, bypassing most defense methods. This raises concern about the necessity about the proposed method. Authors could further conduct experiments under different adversarial settings (different learning rates), and also against the recent work [1]. Question 1: could DPOT still outperform other methods under different malicious settings? will it bypass the mentioned work?

Response: Thank you for bringing up this recent defense work. We conducted experiments with different learning rates to demonstrate DPOT's attack effectiveness against BackdoorIndicator, comparing it to Fixed Pixel-Pattern Triggers (FT).

Comparison of DPOT and FT's ASR on CIFAR-10 with Non-IID Degree 0.5

As shown in the table above, the DPOT trigger maintains a significant Final ASR (> 50%) against BackdoorIndicator across different learning rates and outperforms FT. We observe that BackdoorIndicator's defense effectiveness improves with smaller learning rates, consistent with the results in its original paper.

Weakness 2:The newly proposed method, DPOT, involves trigger optimization for every global round. And since optimized triggers are different for every global round, will the malicious training for early rounds (with different triggers) helps the training for the last round (the final evaluated trigger)? Otherwise, i cant find reasons for continuously poisoning the FL systems with different triggers. Question 2: could the malicious training for early rounds (with different triggers) helps the training for the last round (the final evaluated trigger)?

Response: Thank you for this insightful suggestion! Optimized triggers differ for each global round, but they share a hidden association due to the Markov chain formed by the global model and optimized triggers. The DPOT trigger is optimized based on the global model’s parameters, and the global model, in turn, is influenced by malicious model updates backdoored by the DPOT trigger. Therefore, early-round triggers impact later-round triggers. To better understand the optimal timing for initiating a DPOT attack, we added experiments to evaluate the DPOT attack's effectiveness at different rounds and frequencies. The results are shown in the following table.

Final ASR of DPOT when attacking at different round and frequency on CIFAR10

• Start round: The round that DPOT starts attacking.
• Interval round: The number of rounds between two adjacent DPOT attacks.

In conclusion, DPOT attack shows better attack effectiveness in lower attacking frequency when against specific defense strategy like FLAIR. FLAIR penalizes clients that are frequently flagged as suspicious by lowering their aggregation weight, reducing their impact on the global model. Malicious clients can regain their normal influence by pausing malicious behavior, allowing the penalty score to gradually decrease. For other defenses that do not use a similar strategy, the effectiveness of the DPOT attack shows insignificant variation across different start rounds and interval rounds.

Weakness 8: The impact of different levels of Non-IID on DPOT’s attack performance is not evaluated.

Response: Thank you for this suggestion. All results in our paper are trained under non-IID settings, with the non-IID degree set to 0.5. We implemented experiments to study the impact of different non-IID degrees on the performance of DPOT, FT, and DFT attacks. We evaluated Final ASR and Avg ASR to compare attack effectiveness, and Main-task Accuracy to assess the stealthiness of all backdoor attacks. Other attack and FL training settings are consistent with those in the main body of the paper. The results are shown in the following tables.

Final ASR

Average ASR

Main-task Accuracy

It can be observed from the last table that different non-IID degrees result in different main-task accuracies. A smaller non-IID degree indicates that the data distribution is closer to an IID distribution, with a non-IID degree of 0 representing an IID distribution. The DPOT attack consistently exhibits better attack effectiveness than FT and DFT, performing well across different non-IID degree settings.

Weakness 4:A comparison between DPOT and IBA (IBA: Towards Irreversible Backdoor Attacks in Federated Learning) would be beneficial, as IBA optimizes the trigger generator, which intuitively offers greater room for enhancement and may outperform all baselines considered here.

Response: Thank you for mentioning related work IBA, which is a representative study using an $L_2$-norm constrained trigger to attack an FL system. We compared the attack results of IBA with our method, as shown in the table below.

Comaprison results with IBA attack on CIFAR10

In summary, our method demonstrates better attack effectiveness than IBA's method. To explain how we reproduced IBA's results, we integrated the entire attacker implementation from IBA's open-source project into our FL training framework and disabled any model-poisoning techniques to match the TEE settings in our threat model. We faithfully used their attacker configuration for the CIFAR-10 dataset. All experiments were conducted under the same default settings listed in Table 5, with FL training configurations aligned with Appendix D.2.

Weakness 5:In terms of defenses, it would be useful to include more recent approaches, such as BackdoorIndicator (Usenix Security ‘24).

Response: Thank you for bring up this recent defense work. We conducted experiments with different learning rates to demonstrate DPOT's attack effectiveness against BackdoorIndicator, comparing it to Fixed Pixel-Pattern Triggers (FT).

Comparison of DPOT and FT's ASR on CIFAR-10 with Non-IID Degree 0.5

As shown in the table above, the DPOT trigger maintains a significant Final ASR (> 50%) against BackdoorIndicator across different learning rates and outperforms FT. We observe that BackdoorIndicator's defense effectiveness improves with smaller learning rates, consistent with the results in its original paper.

Weakness 6:Would optimizing only the Trigger-Pixel Values without limiting Trigger-Pixel Placements lead to better attack performance?

Response: During the development of the DPOT attack, we found that combining trigger-pixel value optimization with trigger-pixel placement optimization resulted in better attack effectiveness than using either one alone. Propositions C.2 and C.3 in Appendix C provide theoretical justification for the effectiveness of combining the two optimizations in reducing backdoor loss.

Weakness 7: Can DPOT withstand adaptive defenses, where defenders anticipate the use of DPOT and design customized countermeasures?

Response: Thank you for this insightful suggestion about adaptive defense. In the advancing defense scenario, defenders might have information about the DPOT trigger in some rounds and attempt to unlearn it from the global model. We look forward to exploring this idea in future work.

Weakness 3: In Table 5, why is the trigger size for Fashion MNIST set larger than for CIFAR-10 and even equal to Tiny ImageNet?

Response: Thanks for this suggestion! To quantify the visual stealthiness of a trigger, we use a computer vision model as the judge. In the following experiment, we chose a computer vision model over human vision not only because the model provides an objective assessment, but also because the benign performance of a clean model on poisoned data is significant to adversaries who aim to maintain the functionality of their own models while compromising a competitor's model.

We trained a benign global model on clean data under the same training settings as the victim FL system, using it as the judge model. We consider a trigger to have good visual stealthiness if its poisoned data can maintain high benign accuracy on the judge model while showing a high attack success rate (ASR) on the victim global model. The following results explain why the DPOT trigger sizes differ across different datasets.

Judge model's performance on DPOT poisoned data

• Benign acc: accuracy of poisoned data being predicted to its original bengin label.
• Drop (%): Benign acc drop compared to when testing clean data (trigger size is 0) on the Judge model.

Based on the ASR results in Table 3 and Figure 3, we selected the trigger size by balancing the trade-off between attack performance and visual stealthiness—a larger trigger size results in a higher ASR but lower benign accuracy. We set the lower bound for 'Drop' at -30% and the lower bound for 'Final ASR' at 50%, and choose the smallest trigger size that meets both constraints.

Judge model's and Victim model's performance on poisoned data having different types of optimized triggers (CIFAR10)

We compared the visual stealthiness and attack performance of different types of optimized triggers. We reproduced the triggers of IBA and A3FL using their default settings for CIFAR-10, as provided in their open-source projects. For $L_2$-norm constrained triggers like IBA's, the additive perturbations spread across the entire image cause a significant drop in the judge model's benign accuracy, indicating poor visual stealthiness to benign computer vision models. In contrast, for $L_0$-norm constrained triggers, like those used by IBA and DPOT, the judge model’s benign accuracy on poisoned data is only slightly reduced. Compared to A3FL's trigger, the DPOT trigger demonstrates better attack performance, as reflected in its higher Final ASR (Table 6).

Weakness 1: DPOT’s core concept of using a UAP as a trigger (even though the UAP changes dynamically each round) lacks novelty; similar approaches have already been explored in methods like A3FL and IBA.

Response: In addition to its outstanding attack effectiveness compared to existing attacks such as A3FL and IBA, DPOT makes two important contributions to the FL security community that differentiate it from other attacks:

• DPOT explicitly indicates and proves that FL is highly vulnerable to pure data-poisoning attacks. The absence of this indication in existing works can cause the community to underestimate the harm of pure data-poisoning attacks and hinder the development of more advanced security strategies outside of TEEs.
• DPOT is the first to proposes a method to generate $L_0$-norm constrained trigger with free shape and placement while being able to specify its exact size, which greatly increases the $L_0$-norm constrained triggers' attack effectiveness. The development of optimizing $L_0$-norm constrained triggers should be encouraged in the same way as $L_2$-norm constrained perturbations.

Weakness 2: Could the authors clarify why A3FL shows a performance far below the values reported in the original paper, even underperforming compared to FT and DFT? This result appears counterintuitive. Also, A3FL should be given more emphasis in the main experiment, rather than being placed in the Appendix.

Response: Thanks for this suggestion. A3FL is a very important pioneering work that used optimized $L_0$-norm constrained triggers to attack FL. We appreciates the important step that A3FL has taken for the FL backdoor attacks and respectfully included it in our main comparison baselines. The results of the A3FL experiments were initially included in the main paper, but we adjusted the text at the last minute due to page limitations and paragraph length considerations. We will readjust the text to include it in the main paper. In our experiments, A3FL shows different performance from its original paper because of two reasons:

• As A3FL claims in their contribution, "we predict the movement of the global model by assuming that the server can access the backdoor trigger and train the global model to directly unlearn the trigger. We adaptively optimize the backdoor trigger to make it survive this adversarial global model." While in DPOT's threat model and experiment settings, we conservatively assume that the server doesn't possess knowledge about the trigger and so is unable to implement unlearning process on the global model. We believe that both conservative and advancing defense scenarios are equally important in research value.
• Our FL training configurations (Appendix D.2) and attack's Default settings (Table 5) are different from A3FL's paper (their section 4.1), which may lead to different performance when evaluating the same attacking implementation.

Question 7: How is the non-iid data distribution considered in attack scenarios?

Response: Thank you for this suggestion. All results in our paper are trained under non-IID settings, with the non-IID degree set to 0.5. We implemented experiments to study the impact of different non-IID degrees on the performance of DPOT, FT, and DFT attacks. We evaluated Final ASR and Avg ASR to compare attack effectiveness, and Main-task Accuracy to assess the stealthiness of all backdoor attacks. Other attack and FL training settings are consistent with those in the main body of the paper. The results are shown in the following tables.

Final ASR

Average ASR

Main-task Accuracy

It can be observed from the last table that different non-IID degrees result in different main-task accuracies. A smaller non-IID degree indicates that the data distribution is closer to an IID distribution, with a non-IID degree of 0 representing an IID distribution. The DPOT attack consistently exhibits better attack effectiveness than FT and DFT, performing well across different non-IID degree settings.

Question 4: Do all attack scenarios require attackers to participate in only one training round?

Response: In our work, each client participate in FL training for each round, so malicious client can conduct attacking in each round. We added experiments to evaluate DPOT attack's extensive capability in attacking at different round and different frequency. Results are shown in the following table.

Final ASR of DPOT when attacking at different round and frequency on CIFAR10

• Start round: The round that DPOT starts attacking.
• Interval round: The number of rounds beween two adjacent DPOT attacks.

In conclusion, DPOT attack shows better attack effectiveness in lower attacking frequency when against specific defense strategy like FLAIR. FLAIR penalizes clients that are frequently flagged as suspicious by lowering their aggregation weight, reducing their impact on the global model. Malicious clients can regain their normal influence by pausing malicious behavior, allowing the penalty score to gradually decrease. For other defenses that do not use similar strategy, the effectiveness of the DPOT attack shows insignificant variation across different start rounds and interval rounds.

Question 5: In Figure 6 (page 23), global accuracy on the main task drops between rounds 0 and 40, so the server might not need the contribution from clients and can detect the poisoned model early. How can this be prevented?

Response: Thank you for your careful observation. We may not be the best authority to comment on Flip's performance, as we are not its developers. However, based on our experiments shown in Figure 6, we observed that the MA of the global model decreases at the early stage, regardless of whether the system is under attack (represented by the "Continuous" line) or not (represented by the "Single shot" line). Therefore, we were uncertain whether these drops could serve as a potential signal of an attack. Additionally, since Flip's implementation uses a pretrained model for initialization, could we interpret any subsequent state of the global model during training as a new "pretrained" model that begins the training process from scratch? If so, the benign global model at round 40 might not differ in state or meaning from that at round 0, and our attack conclusions should be applicable to both.

Question 6: The FEMNIST dataset lacks a dedicated test set. How was a test set generated for this dataset?

Response: We downloaded FEMNIST dataset from the open-source github repository of the project "LEAF: A Benchmark for Federated Settings". We followed the instructions in their FEMNIST subdirectory and used their suggested default argument value “-t sample” to partition each user's samples into train-test groups.

Weakness 2: DPOT’s use of an adversarial-style trigger is likely a significant factor in its success, which may explain its improved performance over fixed-pixel triggers. However, it would strengthen the paper by providing a detailed comparison with other adversarial trigger methods, such as A3FL, in terms of both attack effectiveness and computational overhead. Conducting experiments that directly compare DPOT with A3FL under the same settings could help clarify DPOT’s unique advantages. & Question 2: How does the optimization process in DPOT compare to other optimization-based attacks like A3FL in terms of training time and convergence?

Response: Thanks for this constructive suggestion! Including comparison results in terms of computational overhead has definitely helped to better clarify DPOT's unique advantages. We measured the execution time of DPOT, A3FL, and IBA attacks on the same computational platform, consisting of one NVIDIA A40 GPU core and 200 GB of CPU RAM. The measurement results are presented in the table below.

• Overall Elapsed Time: The total execution time for an attacker, from receiving the global model to submitting its training data to the training pipeline in one round.
• Elapsed Time per Epoch: The time taken for each epoch to optimize a trigger.
• Number of Epochs: The number of epochs needed to complete trigger optimization. We obtained this data for A3FL and IBA from their default settings for the CIFAR-10 dataset in their open-source projects.
• Local Training Elapsed Time: The training time for each client. The execution of local training is consistent among all clients, as it is handled within TEEs.

The DPOT attack requires less computational time overall and per epoch, highlighting its efficiency compared to other optimization-based attack methods. The overall elapsed time for a DPOT attack is 4.1 times longer than the local training time. In a distributed FL system with heterogeneous client devices, high-end mobile devices, such as the iPhone 15 Pro, can serve as training platforms. We assume adversaries have access to high-performance computational resources, allowing them to compensate for any computational gap between malicious and benign clients. For instance, the iPhone 15 Pro, with approximately 1 TFLOP GPU performance, is significantly outmatched by an NVIDIA A100 GPU, which delivers up to 312 TFLOPS, demonstrating a 312-fold difference in computational power.

Weakness 4:The paper lacks a discussion on the potential limitations of DPOT and possible future directions to address them. For instance, the authors could suggest strategies to defend against DPOT, propose enhancements to strengthen existing defense mechanisms, or explore applying the technique to other domains (e.g., text or time-series data) and FL tasks (e.g., regression or reinforcement learning).

Response: Thank you for the thoughtful suggestions. A potential limitation of DPOT is that our algorithms are designed for data with a continuous range of values, such as pixel values in images. For data with a discrete range of values, such as text, we have not yet explored potential optimization algorithms. We believe this could be a promising direction for extending the DPOT attack in the future. We agree that exploring defense strategies against DPOT and proposing enhancements to existing mechanisms could provide valuable insights for the FL security community. We look forward to investigating these areas in future work to further advance the understanding and resilience of federated learning systems.

Question 1: Could an $L_\infty$ norm be used to constrain the trigger pattern, and how would this impact attack performance?

Response: The $L_\infty$-norm constrained perturbations appear to be a very interesting idea in creating adversarial example. We look forward to studying its performance in backdoor attacks in future work.

Question 3: How does model performance compare when optimization for trigger-pixel values is omitted (i.e. when selected positions are set to 1)?

Response: During the development of the DPOT attack, we found that combining trigger-pixel value optimization with trigger-pixel placement optimization resulted in better attack effectiveness than using either one alone. Propositions C.2 and C.3 in Appendix C provide theoretical justification for the effectiveness of combining the two optimizations in reducing backdoor loss.

Weakness 1: While DPOT effectively hides malicious model updates, the backdoor images still display a visible trigger, which could limit the attack's practicality in real-world applications. Have the authors considered techniques such as IBA [1] or similar methods to make the trigger less detectable? An analysis comparing DPOT's trigger visibility with other state-of-the-art methods, including a discussion on the trade-off between trigger visibility and attack effectiveness, would be valuable. & Weakness 3: The paper does not specify the number of pixels in Algorithm 1, which is crucial for the optimization process. How is this pixel count determined in practice?

Response: Thanks for the suggestion! To quantify the visual stealthiness of a trigger, we use a computer vision model as the judge. In the following experiment, we chose a computer vision model over human vision not only because the model provides an objective assessment, but also because the benign performance of a clean model on poisoned data is significant to adversaries who aim to maintain the functionality of their own models while compromising a competitor's model.

We trained a benign global model on clean data under the same training settings as the victim FL system, using it as the judge model. We consider a trigger to have good visual stealthiness if its poisoned data can maintain high benign accuracy on the judge model while showing a high attack success rate (ASR) on the victim global model. The following results explain why the DPOT trigger sizes differ across different datasets.

Judge model's performance on DPOT poisoned data

• Benign acc: accuracy of poisoned data being predicted to its original bengin label.
• Drop (%): Benign acc drop compared to when testing clean data (trigger size is 0) on the Judge model.

Based on the ASR results in Table 3 and Figure 3, we selected the trigger size by balancing the trade-off between attack performance and visual stealthiness—a larger trigger size results in a higher ASR but lower benign accuracy. We set the lower bound for 'Drop' at -30% and the lower bound for 'Final ASR' at 50%, and choose the smallest trigger size that meets both constraints.

Judge model's and Victim model's performance on poisoned data having different types of optimized triggers (CIFAR10)

We compared the visual stealthiness and attack performance of different types of optimized triggers. We reproduced the triggers of IBA and A3FL using their default settings for CIFAR-10, as provided in their open-source projects. For $L_2$-norm constrained triggers like IBA's, the additive perturbations spread across the entire image cause a significant drop in the judge model's benign accuracy, indicating poor visual stealthiness to benign computer vision models. In contrast, for $L_0$-norm constrained triggers, like those used by IBA and DPOT, the judge model’s benign accuracy on poisoned data is only slightly reduced. Compared to A3FL's trigger, the DPOT trigger demonstrates better attack performance, as reflected in its higher Final ASR (Table 6).

Weakness 1.1: The trigger seems to be very noticeable, especially when the trigger size is high, which can not be effective against post-defense such as Neural Cleanse.

Response: Neural Cleanse is one of the most important defense strategies against backdoor attacks in centralized learning settings. FLIP extends Neural Cleanse’s post-defense strategy to federated learning (FL) settings, where benign clients perform trigger inversion and adversarial training using their local data to recover the global model from backdoors. We provided evaluation results and an extensive discussion of the DPOT attack against the FLIP defense in Appendix E.2, demonstrating that DPOT is effective against this post-defense strategy. Thank you for mentioning Neural Cleanse; we will add it to the references.

Weakness 1.2:The suggestion for the trigger size is vague and does not contain specific number ranges (Appendix D.3), which is hard to apply in real settings. Could the author argue more about it?

Response: Thank you for this suggestion! To quantify the visual stealthiness of a trigger, we use a computer vision model as the judge. In the following experiment, we chose a computer vision model over human vision not only because the model provides an objective assessment, but also because the benign performance of a clean model on poisoned data is significant to adversaries who aim to maintain the functionality of their own models while compromising a competitor's model.

We trained a benign global model on clean data under the same training settings as the victim FL system, using it as the judge model. We consider a trigger to have good visual stealthiness if its poisoned data can maintain high benign accuracy on the judge model while showing a high attack success rate (ASR) on the victim global model. The following results explain why the DPOT trigger sizes differ across different datasets.

Judge model's performance on DPOT poisoned data

• Benign acc: accuracy of poisoned data being predicted to its original bengin label.
• Drop (%): Benign acc drop compared to when testing clean data (trigger size is 0) on the Judge model.

Based on the ASR results in Table 3 and Figure 3, we selected the trigger size by balancing the trade-off between attack performance and visual stealthiness—a larger trigger size results in a higher ASR but lower benign accuracy. We set the lower bound for 'Drop' at -30% and the lower bound for 'Final ASR' at 50%, and choose the smallest trigger size that meets both constraints.

Judge model's and Victim model's performance on poisoned data having different types of optimized triggers (CIFAR10)

We compared the visual stealthiness and attack performance of different types of optimized triggers. We reproduced the triggers of IBA and A3FL using their default settings for CIFAR-10, as provided in their open-source projects. For $L_2$-norm constrained triggers like IBA's, the additive perturbations spread across the entire image cause a significant drop in the judge model's benign accuracy, indicating poor visual stealthiness to benign computer vision models. In contrast, for $L_0$-norm constrained triggers, like those used by IBA and DPOT, the judge model’s benign accuracy on poisoned data is only slightly reduced. Compared to A3FL's trigger, the DPOT trigger demonstrates better attack performance, as reflected in its higher Final ASR (Table 6).

Weakness 4: The rationale for why using DPOT and its subsequent stealthiness across the defenses is unclear, given that Algo 1 and Algo 2 only focus on optimizing triggers to mislead the classification output of model.

Response: An intuitive explanation about the rationale is as follows:

• In Algo1 and Algo2, we construct the backdoor objective by optimizing the backdoor trigger such that the current round’s global model exhibits minimal loss on the backdoored data.
• When the global model becomes more optimized to the backdoored data, further training on this backdoored data will lead to smaller updates to the global model’s current state.
• Therefore, when a malicious client’s local dataset is partially poisoned by the optimized trigger while the rest remains benign, the model updates produced on them can be dominated by benign model updates within a limited number of local training epochs, and thus the malicious client's model updates can conceal among benign ones.
• According to study [8], malicious clients' model updates if constrained to have small difference among benign ones will lead to subsequent stealthiness across the defenses that focus on eliminating outliers.

The theoretical justification that proves trigger optimization can cause small differences in a client’s model updates between the non-attacked and backdoored state can be found in Appendix C: Proposition C.1.

Experiment results that help elaborate the working principles of DPOT attack can be found in section 5.2.2.

[8] E. Bagdasaryan, A. Veit, Y. Hua, D. Estrin, and V. Shmatikov. How to backdoor federated learning. In 23rd International Conference on Artificial Intelligence and Statistics, pp. 2938–2948, 2020.

Weakness 5: This method does not include any component to ensure the MA of the model, and the Backdoor attack should consider both ASR and MA. How to show that this method intuitively does not degrade MA. In Algo.2, there is no optimization objective to maintain clean accuracy, and the MA should be reported together with the ASR in the main paper.

Response: Thanks for this suggestion. We would have liked to report our MA results alongside the ASR in the main paper, but since all backdoor attacks' MA results are similar or repetitive, we decided to move them to the appendix to save space for other results that provide more interesting observations.

In addition to the experimental results in Tables 8, 9, and 10, which empirically demonstrate the DPOT attack's ability to maintain a normal MA, an intuitive explanation is that the poisoned data generated by the DPOT attack has minimal impact on a client's model updates after local training. As a result, the malicious client's model updates, when aggregated into the global model, have little effect on diverting the global model from its original benign update direction. This allows the global model to stay on track and consistently converge to a higher MA.

Weakness 6:The related works and introduction should include more works in the literature, now it is not extensive enough.

Response: Thank you for this suggestion. We found many valuable works and genuinely wanted to include them in the main body of the paper, but due to page limitations, we had to move some of them to the appendix. We would like to express our sincere respect and appreciation for all related works that help advance our community!

Question 1: In DPOT, the $W_g$ is used as the starting point model to optimize the trigger, however, at the original rounds, this model has not been converged, does it affect the performance of this method?

Response: Thanks for this insightful question! We added experiments to evaluate DPOT attack's extensive capability in attacking at different round and different frequency. The results are shown in the following table.

Final ASR of DPOT when attacking at different rounds and frequency on CIFAR10

• Start round: The round that DPOT starts attacking.
• Interval round: The number of rounds between two adjacent DPOT attacks.

In conclusion, DPOT attack shows better attack effectiveness in lower attacking frequency when against specific defense strategy like FLAIR. FLAIR penalizes clients who are frequently flagged as suspicious by lowering their aggregation weight, reducing their impact on the global model. Malicious clients can regain their normal influence by pausing malicious behavior, allowing the penalty score to gradually decrease. For other defenses that do not use a similar strategy, the effectiveness of the DPOT attack shows insignificant variation across different start rounds and interval rounds.

Question 4: In Figure 3 and Table I, was it the non-IID or IID setting? It is important that the proposed method can work with both scenarios.

Response: Thank you for this suggestion. All results in our paper are trained under non-IID settings, with the non-IID degree set to 0.5. We implemented experiments to study the impact of different non-IID degrees on the performance of DPOT, FT, and DFT attacks. We evaluated Final ASR and Avg ASR to compare attack effectiveness, and Main-task Accuracy to assess the stealthiness of all backdoor attacks. Other attack and FL training settings are consistent with those in the main body of the paper. The results are shown in the following tables.

Final ASR

Average ASR

Main-task Accuracy

It can be observed from the last table that different non-IID degrees result in different main-task accuracies. A smaller non-IID degree indicates that the data distribution is closer to an IID distribution, with a non-IID degree of 0 representing an IID distribution. The DPOT attack consistently exhibits better attack effectiveness than FT and DFT, performing well across different non-IID degree settings.

Question 2: In Algo.1., why is not CE loss used here, given this is a classification problem?

Response: In the experiment implementation, we used CrossEntropy as the loss function (see Appendix D.2). We use MSE in Algorithm 1 as a loss example to maintain consistency with our theoretical analysis.

Question 3: How is the data poison rate set for the baselines? Since the high DPR may relate to higher suspicion, the original DPR in the DBA paper is much lower than 0.5. An experiment with a smaller DPR with all baselines can ensure fairness across baselines.

Response: Thank you for this suggestion. We implemented experiments to study the impact of different data poison rates on the performance of DPOT, FT, and DFT attacks. We evaluated Final ASR and Avg ASR to compare attack effectiveness, and Main-task Accuracy to assess the stealthiness of all backdoor attacks. Other attack and FL training settings are consistent with those in the main body of the paper. The results are shown in the following tables.

Final ASR

Average ASR

Main-task Accuracy

In general, DPOT attack shows better attack effectiveness than FT and DFT across different DPR. Compared to DPOT and FT attacks, we observed that DFT is truly more susceptible to DPR and is more effective with a small DPR.