NeurIPS'24-NBA-Rebuttal
## Answers for each Reviewer
Reviewer IDs: viQS, ogAk, Hxsb, nfBV
### Overall answer
We thank the reviewers for their insightful comments and suggestions. We have carefully considered all comments and made substantial revisions to the paper to address the raised concerns.
Key takeaways from our study include:
- NBA reflects the complexity of federated learning in real-world settings, where each client can manipulate their training strategy or data to introduce additional backdoor tasks to the global model without harming the clean learning task. This is crucial for advancing the development of federated learning.
- NBA differs from existing attacks, which typically involve colluded attackers using the same backdoor pattern and target label, or require collaboration among clients. In contrast, NBA represents non-colluded attacks.
- The performance of attacks on Tiny-ImageNet may be lower due to the complexity of the learning task, the number of classes, dataset size, poisoning rate, and trigger selection. This highlights the need for effective training methods that enable clients to successfully learn their own backdoor tasks in real-world data.
- NBA underscores the importance of developing defense methods to counteract such attacks, especially as real-world data grows larger and more diverse.
In brief, our study provides preliminary insights into real-world federated learning scenarios. Our results demonstrate that NBA can successfully inject backdoors without significantly impacting the main task accuracy (see Figures 4, 6, and 7). The impact of NBA varies across different datasets and trigger designs, suggesting potential avenues for optimizing triggers to enhance stealth (see Section 4.3).
Below is a summary of the key updates and new experimental results:
**1. Enhanced Novelty and Clarity:** We have clarified the novelty of NBA as a distinct threat and its focus on personalized backdoor tasks.
**2. Additional Backdoor Types:** We introduced three new backdoor attack types in federated learning — Blend [a], Semantic [b], and Edge-Case [c] — alongside the fixed pattern pixel trigger. We evaluated the effectiveness of these different backdoor tasks within a federated learning setting.
**3. Robustness Evaluation:** We assessed NBA's performance against four additional state-of-the-art defenses—FoolsGold [d], KRUM [e], FLAME [f], and SparseFed [g].
**4. Additional Improvements:** We reduced the focus on single-adversary scenarios, expanded the discussion, integrated additional references, and corrected typographical errors.
We believe these revisions significantly strengthen the paper and address the reviewers' concerns. We are confident that the revised version makes a valuable contribution to understanding and mitigating backdoor attacks in federated learning.
[a]. Chen et al. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526.
[b]. Bagdasaryan et al. How to backdoor federated learning. In International conference on artificial intelligence and statistics (pp. 2938-2948). PMLR.
[c]. Wang et al. Attack of the tails: Yes, you really can backdoor federated learning. Advances in Neural Information Processing Systems, 33, 16070-16084.
[d]. Fung et al. The limitations of federated learning in sybil settings. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020) (pp. 301-316).
[e]. Blanchard et al. Machine learning with adversaries: Byzantine tolerant gradient descent. Advances in neural information processing systems, 30.
[f]. Nguyen et al. FLAME: Taming backdoors in federated learning. In 31st USENIX Security Symposium (USENIX Security 22) (pp. 1415-1432).
[g]. Panda et al. Sparsefed: Mitigating model poisoning attacks in federated learning with sparsification. In International Conference on Artificial Intelligence and Statistics (pp. 7587-7624). PMLR.
### 1. Reviewer viQS
* **Main Points:**
* Lacks strong evaluation against robust aggregators and other defense mechanisms designed for backdoor attacks.
* Should compare NBA's effectiveness to attacks using Sybil/Byzantine nodes, not just a single attacker.
* Needs to discuss potential countermeasures and defenses against NBA.
* **Questions:**
* Do different backdoor patterns in NBA affect each other's learning in the global model?
* Is there potential for interference among triggers (one trigger activating another's backdoor)?
### Answer viQS
**1. Comparison to Sybil/Byzantine Attacks:** Thank you for your suggestion. The combination of Sybil and Byzantine attacks is interesting and can provide valuable insights into the robustness of Federated Learning systems. In our study, the objective of the backdoor attack is to maintain the performance of the model on both clean and poisoned samples, i.e., activating the trigger without compromising clean accuracy. This means that NBA targets a completely different goal compared to Sybil and Byzantine attacks, specifically focusing on manipulating model behavior on various triggered inputs. Sybil attacks aim to gain control over a significant portion of the network, while Byzantine attacks are broader, encompassing any malicious behavior with the goal of compromising accuracy on clean data; both are outside the scope of this study. However, we will include a discussion on the potential implications of combining NBA with Sybil and Byzantine attacks in the revised version of the paper.
**2. Lack of Robust Defense Evaluation:** Thank you for highlighting this important aspect. To improve the evaluation of NBA, we conducted additional experiments using three other backdoor attack types (blend, semantic, and edge-case), making a total of four types. Besides the two popular defenses (NormClip and DP), we evaluated NBA against four additional state-of-the-art defenses (FoolsGold, KRUM, FLAME, and SparseFed). We placed NBA in scenarios with four attackers using four backdoor patterns (white rectangle, blend, semantic, edge-case). Specifically, there are a total of 100 clients, and in each round, 10 clients are selected, with four of them being attackers conducting the attack simultaneously. The results are shown in the table below:
| Acc | NoDef | NormClip | DP | FoolsGold | KRUM | FLAME | SparseFed |
|----|------------|----------|----|-----------|------|-------|-----------|
| $MA$ | 76.05 | 74.92 | 56.89 | 73.83 | 74.82 | 71.78 | 73.75 |
| $BA_1$ | 91.74 | 88.68 | 75.72 | 83.60 | 78.55 | 82.50 | 87.45 |
| $BA_2$ | 98.29 | 92.56 | 82.13 | 78.89 | 73.19 | 81.05 | 70.07 |
| $BA_3$ | 99.32 | 87.23 | 74.82 | 72.75 | 76.70 | 77.65 | 81.60 |
| $BA_4$ | 57.08 | 48.82 | 44.95 | 46.23 | 36.38 | 30.92 | 47.90 |
*Observations:*
- Even state-of-the-art defenses are ineffective under the NBA scenario, despite being effective against single-target and colluded attacks.
- The blend attack is more potent than the other attacks because the trigger covers the entire image.
- The edge-case attack is weaker in the presence of other attacks. We hypothesize that in edge-case, the attacker needs to maintain accuracy on both in-distribution data (e.g., normal cars) and out-of-distribution (OOD) data (e.g., cars with stripes). However, the normal cars are used as triggers by other attacks and are label-flipped into other classes, making it difficult for edge-case attacks to learn both tasks simultaneously.
- There is a trade-off between defense efficacy and main accuracy degradation. For example, while FLAME and KRUM are the best defenses in the considered case, they cause a 2-4% decrease in main accuracy due to their false positive detections.
**3. Countermeasures and Defenses Discussion:** Thank you for this remark. We will add a discussion section exploring potential defenses [a] against NBA without assuming that the attackers share similar behaviors or patterns. These may include:
- *Anomaly Detection:* Utilizing clustering or anomaly detection techniques to identify anomalous behavior based on the distribution of updates.
- *Robust Aggregation:* Designing aggregation methods that can handle multi-target backdoor attacks effectively.
- *Trigger-Independent Post-Defenses:* Implementing strategies such as pruning [b], reverse-engineering, and backdoor purification via fine-tuning [c] to remove or reduce the influence of nodes in the neural network most likely affecting the backdoor task. This is a backdoor strategy-independent approach and is effective against different backdoor types.
**4. Impact of Different Backdoor Patterns and Cross-Trigger Interference:**
Thank you for highlighting these factors. Based on our NBA and distributed backdoor attack (DBA) [d], we have identified some possible impacts of triggers from different clients on the backdoor learning task:
- *Same Trigger Pattern, Same Target Class:* If multiple adversaries use the same trigger pattern and target class, it reduces the time needed to learn the backdoor task because more adversarial contributions reinforce the backdoor effect.
- *Same Trigger Pattern, Different Target Classes:* When tasks use the same trigger pattern but different target classes, the backdoor accuracy for each task may be low because the model may confuse which class is associated with the given pattern.
- *Different Trigger Patterns, Same or Different Target Classes:* In this case, each backdoor task is independent, so they can be learned without negatively impacting each other.
Notably, in the third case, even if triggers are different, they might still interfere with each other if they share similar visual features. Potential interactions between triggers and target classes should be carefully evaluated. For instance, if one trigger is a subpart of another and both have the same target class, the smaller trigger might activate the larger one. Conversely, if the target classes differ, the success rate of both backdoors might decrease, as the global model could become confused by the conflicting triggers.
[a]. Nguyen et al. "Backdoor attacks and defenses in federated learning: Survey, challenges and future research directions." EAAI'24
[b]. Zhu et al. "Neural polarizer: A lightweight and effective backdoor defense via purifying poisoned features." NeurIPS'24
[c]. Zhu et al. "Enhancing fine-tuning based backdoor defense with sharpness-aware minimization." ICCV'23
[d]. Xie et al. "Dba: Distributed backdoor attacks against federated learning." ICLR'19
<!-- * Due to the decentralized and independent nature of the attacks, backdoor patterns might significantly interfere with each other. Especially, where triggers share similar visual features, potential interactions between triggers and target classes should be carefully evaluated. For example, in the case of one trigger is subpart of another trigger, and the target class is the same, the smaller trigger might activate the larger trigger. However, if the target class is different, the backdoor success rate might be lower for both triggers as the global model might be confused by the two triggers. -->
<!-- * Hence, cross-trigger interference is possible, especially if triggers are visually similar or target classes overlap -->
<!-- * **Cross-Trigger Interference:** As explained in the previous question, interference is possible, especially if triggers are visually similar or target classes overlap. -->
### 2. Reviewer ogAk
* **Main Points:**
* Limited novelty - simply extends single-client backdoor attacks to multiple clients.
* Only uses pixel-pattern modification triggers, not semantic triggers, limiting generalizability.
* Evaluates only primitive defenses, not robust defenses like FoolsGold, KRUM, FLAME, and SparseFed.
* Unsuccessful on Tiny-ImageNet, raising scalability concerns for complex datasets like ImageNet.
* Devotes too much space to single-adversary attacks.
* **Questions:**
* Will the method generalize to semantic backdoor triggers?
* Can the method bypass robust defenses like FoolsGold, KRUM, FLAME, and SparseFed?
### Answer ogAk
**1. Limited Novelty:** While NBA builds upon existing backdoor attack concepts, it introduces significant novelty by focusing on different (personalized) backdoor tasks. Each client employs a unique backdoor strategy, mirroring the practical and dynamic nature of Federated Learning, where clients operate independently and can introduce diverse triggers. This new attack creates a distinct threat landscape in Federated Learning, setting it apart from traditional single-client attacks. Most existing work on attacks and defenses concentrates on a single backdoor task scenario, whether colluded or non-colluded. Therefore, NBA is crucial for understanding the behavior of multiple independent attacks in Federated Learning and for identifying the limitations of current defenses in addressing these scenarios. This underscores NBA's distinctive contribution as more than just an extension of single-client attacks.
**2. Pixel-Based Triggers and Primitive Defenses:**
Thank you for highlighting this important aspect. To enhance NBA evaluation, we conducted additional experiments with three other backdoor attack types (blend, semantic, and edge-case), making a total of four. We tested NBA against six state-of-the-art defenses: NormClip, DP, FoolsGold, KRUM, FLAME, and SparseFed. In our setup, there are 100 clients, with 10 selected per round, including four attackers using different backdoor patterns (white rectangle, blend, semantic, edge-case) simultaneously. The results are summarized in the table below:
| Acc | NoDef | NormClip | DP | FoolsGold | KRUM | FLAME | SparseFed |
|-----|-------|----------|----|-----------|------|-------|-----------|
| $MA$ | 76.05 | 74.92 | 56.89 | 73.83 | 74.82 | 71.78 | 73.75 |
| $BA_1$ | 91.74 | 88.68 | 75.72 | 83.60 | 78.55 | 82.50 | 87.45 |
| $BA_2$ | 98.29 | 92.56 | 82.13 | 78.89 | 73.19 | 81.05 | 70.07 |
| $BA_3$ | 99.32 | 87.23 | 74.82 | 72.75 | 76.70 | 77.65 | 81.60 |
| $BA_4$ | 57.08 | 48.82 | 44.95 | 46.23 | 36.38 | 30.92 | 47.90 |
*Observations:*
- State-of-the-art defenses fail to be effective against the NBA scenario, even though they perform well against single-target and colluded attacks.
- The blend attack proves to be more powerful than other types because its trigger spans the entire image.
- The edge-case attack is less effective when other attacks are present. This is likely because edge-case attackers must maintain accuracy for both in-distribution data (e.g., normal cars) and out-of-distribution data (e.g., cars with stripes). However, normal cars are used as triggers by other attacks and are label-flipped into other classes, complicating the learning of both tasks simultaneously.
- A trade-off exists between defense effectiveness and main accuracy degradation. For instance, FLAME and KRUM are the most effective defenses in the scenario, but they reduce main accuracy by 2-4% due to false positive detections.
**3. Tiny-ImageNet Performance:**
We acknowledge the reviewer's concern regarding the performance of NBA on Tiny-ImageNet. The reasons could include the difficulty of the main task, the larger number of classes, dataset size, poisoning rate, and trigger selection. In a single-shot setting with a single adversary, the backdoor accuracy (Fig. 3 and Tab. 1) for all types of triggers can reach nearly 100%. However, this success diminishes in the case of multiple adversaries (NBA), raising concerns about how different adversaries might affect each other and the global models.
The low backdoor accuracy on Tiny-ImageNet underscores the importance of considering factors like model capacity, trigger design, and data distribution when scaling the attack to more complex datasets. Exploring adaptive trigger strategies and other enhancements will be part of our future work to improve the scalability of NBA to more complex datasets like ImageNet. Nevertheless, the main contribution of this paper is the introduction of a complex attack scenario, NBA, which presents a new threat landscape in Federated Learning.
**4. Single-Adversary Focus:** Thank you for this remark. We will restructure the paper to emphasize the NBA scenario. The discussion of single-adversary attacks will be condensed, as their primary purpose is to establish a baseline and provide context for the contributions of NBA. We will provide a more concise overview of single-adversary attacks, highlighting the key insights that are essential for understanding the multi-adversary setting and the unique challenges it presents.
<!-- * While NBA builds upon existing backdoor attack concepts, it introduces significant novelty by focusing on personalized trigger, ensuring each client has a unique trigger. This dynamic approach addresses limitations of existing methods that rely on single trigger, offering a more stealthy and adaptable attack strategy for FL. The experimental results demonstrate the unique effectiveness of NBA against various scenarios, highlighting its distinctive contribution beyond a simple extension of single-client attacks. -->
<!-- * We acknowledge the reviewer's concern regarding the performance of NBA on Tiny-ImageNet. The limited success on this dataset highlights the importance of carefully considering factors like model capacity, trigger design, and data distribution when scaling the attack to more complex datasets. However, the main contribution of this paper is the introduction of a novel attack scenario, NBA, which presents a new threat landscape in Federated Learning. We hypothesize that the fixed-size triggers used in our current experiments may be a contributing factor to the performance on Tiny-ImageNet, as they might not be sufficiently robust or adaptable for datasets like ImageNet with higher visual variability and a larger number of classes. Exploring adaptive trigger strategies and other enhancements will be part of our future work to enhance the scalability of NBA to more complex datasets like ImageNet. -->
<!-- We understand the reviewer's point about the extensive focus on single-adversary attacks in the paper. We will restructure the paper to emphasize the NBA scenario. The discussion of single-adversary attacks will be condensed, as their primary purpose is to establish a baseline and provide context for the novel contributions of NBA. We will provide a more concise overview of single-adversary attacks, highlighting only the key insights that are essential for understanding the multi-adversary setting and the unique challenges it presents. -->
### 3. Reviewer Hxsb
* **Main Points:**
* Insights into stealthiness and detectability are vague; need more concrete analysis.
* Lacks formal results, relying only on empirical evidence, weakening the argument and missing stronger guarantees.
* Should reference and discuss works on backdoor detection that formally define regions where detection is feasible or bound to fail (references [a]-[e] in the review).
* Evaluation against defenses is insufficient as the defenses were not specifically designed for NBA.
### Answer Hxsb
**1. Vague Stealth and Detectability:**
We appreciate the reviewer's emphasis on stealthiness and detectability, as these are indeed crucial aspects of any backdoor attack. While our current work primarily focuses on introducing the NBA attack scenario and empirically evaluating it, we recognize the importance of analyzing its stealth and detectability characteristics in greater depth.
**2. Lack of Formal Results:**
- We acknowledge the reviewer's point regarding the reliance on empirical evidence and the value of formal results. The NBA attack scenario we introduce is designed to reflect the complexities and unpredictable nature of real-world federated learning, where individual clients act independently. This inherent complexity, with multiple attackers potentially introducing diverse triggers and targeting various classes, makes developing rigorous theoretical guarantees challenging at this stage.
- Therefore, as a first step in exploring this new threat landscape, we focused on providing a comprehensive empirical evaluation to demonstrate the effectiveness and feasibility of NBA. We believe this empirical foundation is crucial for motivating and guiding future research on formal analysis. In Li et al. (2024) [a], the authors showed that a variety of factors can affect the backdoor learning task, including even small changes in poisoned learning rates or the round in which the attacker participates, which could reduce backdoor accuracy by approximately 70% with some state-of-the-art defense types. This further opens a new landscape for future studies on attacks and defenses in federated learning, suggesting that practical solutions should consider NBA scenarios and not only focus on single-target attacks.
**3. Reference and discuss works on backdoor detection:** Thank you for your comment. We will incorporate these references into our discussion of backdoor detection in federated learning.
**4. Insufficient Evaluation against Defenses:**
Thank you for highlighting this important aspect. To improve NBA evaluation, we conducted additional experiments using three more backdoor attack types (blend, semantic, and edge-case), totaling four types. We tested NBA against six advanced defenses: NormClip, DP, FoolsGold, KRUM, FLAME, and SparseFed. Our setup involved 100 clients, with 10 selected per round, including four attackers using different backdoor patterns (white rectangle, blend, semantic, edge-case) simultaneously. We present the results in the table below:
| Acc | NoDef | NormClip | DP | FoolsGold | KRUM | FLAME | SparseFed |
|-----|-------|----------|----|-----------|------|-------|-----------|
| $MA$ | 76.05 | 74.92 | 56.89 | 73.83 | 74.82 | 71.78 | 73.75 |
| $BA_1$ | 91.74 | 88.68 | 75.72 | 83.60 | 78.55 | 82.50 | 87.45 |
| $BA_2$ | 98.29 | 92.56 | 82.13 | 78.89 | 73.19 | 81.05 | 70.07 |
| $BA_3$ | 99.32 | 87.23 | 74.82 | 72.75 | 76.70 | 77.65 | 81.60 |
| $BA_4$ | 57.08 | 48.82 | 44.95 | 46.23 | 36.38 | 30.92 | 47.90 |
*Observations:*
- State-of-the-art defenses, while effective against single-target and colluded attacks, fail to perform well under the NBA scenario.
- The blend attack is particularly strong because its trigger spans the entire image.
- The edge-case attack is less effective when other attacks are also in play. This might be because edge-case attackers must maintain accuracy on both in-distribution data (e.g., normal cars) and out-of-distribution data (e.g., cars with stripes). However, normal cars are used as triggers by other attacks and are label-flipped into different classes, complicating the learning process for edge-case attacks.
- There is a trade-off between defense effectiveness and the degradation of main accuracy. For instance, while FLAME and KRUM are the best defenses in this context, they reduce main accuracy by 2-4% due to false positive detections.
[a]. Li, S., & Dai, Y. (2024). BackdoorIndicator: Leveraging OOD Data for Proactive Backdoor Detection in Federated Learning. arXiv preprint arXiv:2405.20862.
<!-- * Building upon these initial observations, we plan to conduct a more thorough and rigorous analysis of NBA's stealth and detectability in our future work. This will involve quantitative analysis of trigger characteristics, evaluation against detection methods, and further exploration of the attack's impact on model behavior.
* These investigations will contribute to a more comprehensive understanding of NBA and inform the development of more effective defenses against this new attack scenario. -->
<!-- We plan to explore theoretical guarantees in future work, building upon the insights gained from our empirical findings. This will involve developing formal models of NBA attacks and defenses, analyzing attack success conditions, and potentially deriving bounds on detectability. -->
<!-- Thank you for providing references and discuss works on backdoor detection that formally define regions where detection is feasible or bound to fail. The works referenced by the reviewer ([c]-[e]) provide valuable insights into the limitations and challenges of backdoor detection in the context of centralized learning. We will integrate these references into our discussion of backdoor detection in federated learning, highlighting the differences and challenges specific to the decentralized and collaborative nature of the FL setting. This will provide a more comprehensive overview of the state-of-the-art in backdoor detection and its implications for NBA. -->
### 4. Reviewer nfBV
* **Main Points:**
* Limited technical contributions, NBA is easily adaptable by existing methods.
* Assumes specific trigger patterns and sizes, not realistic for real-world scenarios.
* Evaluation primarily in a defense-free environment (FedAvg) and with a weak implementation of norm clipping.
* No comparisons with other attacks.
* Unsuccessful on Tiny-ImageNet, indicating unsuitability for large datasets.
* Typographical error on line 129.
### Answer nfBV
**1. Limited Technical Contribution:** While NBA shares similarities with DBA, it differs in a critical aspect: the independent and uncoordinated nature of the attacks. In DBA, the local triggers are designed as parts of a global trigger, leading to higher efficiency when testing on the global trigger. Additionally, each malicious client in DBA has the same target label, unlike in NBA. In NBA, the design of different triggers can interfere with or collapse each other, especially when different target classes are involved. Moreover, DBA requires knowledge of the number of attackers to conduct the backdoor attack effectively. If some attackers are not selected in certain rounds due to federated learning's client selection protocol, the attack success rate may vary. Thus, the nature of DBA and NBA is fundamentally different: DBA involves strongly colluded attacks, whereas NBA consists of non-colluded attacks.
**2 & 3. Specific Trigger Patterns and Defense-Free Evaluation:**
Thank you for pointing out this crucial aspect. To enhance the evaluation of NBA, we ran additional experiments with three more backdoor attack types (blend, semantic, and edge-case), making a total of four. We tested NBA against six advanced defenses: NormClip, DP, FoolsGold, KRUM, FLAME, and SparseFed. Our setup included 100 clients, with 10 selected per round, of which four were attackers using different backdoor patterns (white rectangle, blend, semantic, edge-case) simultaneously. The results are shown below:
| Acc | NoDef | NormClip | DP | FoolsGold | KRUM | FLAME | SparseFed |
|-----|-------|----------|----|-----------|------|-------|-----------|
| $MA$ | 76.05 | 74.92 | 56.89 | 73.83 | 74.82 | 71.78 | 73.75 |
| $BA_1$ | 91.74 | 88.68 | 75.72 | 83.60 | 78.55 | 82.50 | 87.45 |
| $BA_2$ | 98.29 | 92.56 | 82.13 | 78.89 | 73.19 | 81.05 | 70.07 |
| $BA_3$ | 99.32 | 87.23 | 74.82 | 72.75 | 76.70 | 77.65 | 81.60 |
| $BA_4$ | 57.08 | 48.82 | 44.95 | 46.23 | 36.38 | 30.92 | 47.90 |
*Observations:*
- Despite their effectiveness against single-target and colluded attacks, state-of-the-art defenses are ineffective against the NBA scenario.
- The blend attack is stronger than other attacks because its trigger covers the entire image.
- The edge-case attack is less effective when other attacks are present. This may be because edge-case attackers need to maintain accuracy for both in-distribution data (e.g., normal cars) and out-of-distribution data (e.g., cars with stripes). However, normal cars are used as triggers by other attacks and are label-flipped into different classes, making it challenging for edge-case attacks to learn both tasks simultaneously.
- There is a trade-off between the effectiveness of defenses and the degradation of main accuracy. For example, FLAME and KRUM are the most effective defenses in this scenario but cause a 2-4% reduction in main accuracy due to false positive detections.
**4. Tiny-ImageNet Performance:**
- We acknowledge the reviewer's concern about NBA's performance on Tiny-ImageNet, which could be due to the complexity of the task, the larger number of classes, dataset size, poisoning rate, and trigger selection. While backdoor accuracy can reach nearly 100% with a single adversary, it decreases with multiple adversaries (NBA), highlighting how different adversaries might impact each other and the global models.
- The low backdoor accuracy on Tiny-ImageNet highlights the need to consider model capacity, trigger design, and data distribution when scaling to more complex datasets. We plan to explore adaptive trigger strategies and other enhancements to improve NBA's scalability to datasets like ImageNet. The main contribution of this paper is introducing the NBA attack scenario, which presents a new threat landscape in Federated Learning.
**5. Normalization Clipping Threshold:** Thank you for your suggestions.
We conducted experiments using the median of all local updates' magnitudes as the threshold value. Below are the results of NBA on CIFAR-10 with four attackers and four triggers under norm clipping defense with a fixed threshold value of 5 and the median.
| Acc | NoDef | NormClip(5) | NormClip(med) |
|-----|-------|-------------|---------------|
| $MA$ | 76.05 | 72.12 | 75.72 |
| $BA_1$ | 91.74 | 85.67 | 83.60 |
| $BA_2$ | 98.29 | 88.43 | 91.14 |
| $BA_3$ | 99.32 | 87.22 | 89.45 |
| $BA_4$ | 57.08 | 51.44 | 45.23 |
The backdoor accuracy for each type of attacker and trigger does not change significantly when using different threshold values. We hypothesize that in a more complex scenario like NBA, the update magnitudes might vary significantly, making it challenging to find a suitable threshold value. Additionally, if the threshold is set too low, it might affect the main task accuracy due to more aggressive clipping of updates. We will discuss this in the revised version of the paper.
**6. Typo:** We will correct the typo on line 129. Thank you for pointing this out.
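
The two thresholding choices compared in point 5 (a fixed value and the median of the local updates' magnitudes), shown as an added example that is not the authors' implementation: a minimal server-side norm-clipping aggregator. The update vectors are constructed for illustration, the function names are assumptions, and the fixed value 5 is reused from the text only as a number, not as a calibrated setting.

```python
import math
from statistics import median


def l2_norm(update):
    """L2 norm of one client's flattened model update."""
    return math.sqrt(sum(x * x for x in update))


def clip_update(update, tau):
    """Scale an update down so its L2 norm is at most tau.

    Clipping only bounds the magnitude: the direction is unchanged, and an
    update whose norm is already <= tau passes through untouched.
    """
    norm = l2_norm(update)
    if norm <= tau or norm == 0.0:
        return list(update)
    return [x * (tau / norm) for x in update]


def aggregate_with_norm_clipping(updates, threshold="median"):
    """Average client updates after norm clipping.

    threshold is either a number (fixed clipping bound) or the string
    "median", in which case the bound is the median of this round's norms.
    """
    if not updates:
        raise ValueError("no client updates to aggregate")
    dim = len(updates[0])
    if any(len(u) != dim for u in updates):
        raise ValueError("client updates differ in length")

    norms = [l2_norm(u) for u in updates]
    tau = median(norms) if threshold == "median" else float(threshold)
    if tau < 0:
        raise ValueError("clipping threshold must be non-negative")

    clipped = [clip_update(u, tau) for u in updates]
    aggregate = [sum(u[i] for u in clipped) / len(clipped) for i in range(dim)]
    return {
        "tau": tau,
        # Indices of clients whose update was actually rescaled.
        "clipped_clients": [i for i, n in enumerate(norms) if n > tau],
        "aggregate": aggregate,
    }


# Constructed sample: 10 selected clients, 2-parameter "model" so the norms
# are easy to read (5, 5, 10, 10, 13, 13, 15, 25, 50, 100).
SAMPLE_UPDATES = [
    [3, 4], [4, 3], [6, 8], [8, 6], [5, 12],
    [12, 5], [9, 12], [24, 7], [30, 40], [60, 80],
]

if __name__ == "__main__":
    for setting in (5, "median"):
        result = aggregate_with_norm_clipping(SAMPLE_UPDATES, threshold=setting)
        print(
            f"threshold={setting!s:>6}  tau={result['tau']:.1f}  "
            f"clipped={len(result['clipped_clients'])}/{len(SAMPLE_UPDATES)}  "
            f"aggregate_norm={l2_norm(result['aggregate']):.2f}"
        )
```

On this sample the fixed bound rescales eight of the ten updates, while the median bound rescales only the four largest. Any update whose norm sits at or below the bound is averaged in unchanged under either setting.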
<!-- We acknowledge the reviewer's concern about NBA's performance on Tiny-ImageNet. This underscores the need to consider factors like model capacity, trigger design, and data distribution when scaling attacks to more complex datasets. The main contribution of our paper is introducing the complex backdoor attack scenario, NBA, highlighting a new threat in Federated Learning. We believe the fixed-size triggers used might not be robust for datasets with higher visual variability like ImageNet. Future work will explore adaptive trigger strategies to improve NBA's scalability to such datasets. -->
<!-- * **No Attack Comparisons:** We will include a section comparing NBA's performance with other FL backdoor attack methods, particularly those focused on cooperative or multi-target attacks. This will showcase the unique characteristics and potential advantages of the NBA approach. -->
<!-- While NBA shares similarities with DBA, it differs in a critical aspect: the independent and uncoordinated nature of the attacks. This introduces new challenges for defense mechanisms, as existing methods primarily assume a single adversary or coordinated attacks. The experimental results highlight the unique challenges posed by NBA, particularly in its ability to maintain high backdoor accuracy even with multiple attackers. -->
## Group of questions
Reviewer IDs: viQS, ogAk, Hxsb, nfBV
**1. Novelty and Significance:**
* **Reviewer ogAk:** The paper presents limited novelty, simply extending single-client backdoor attacks to multiple clients.
* **Reviewer nfBV:** The technical contributions are limited. NBA merely involves different attackers using different triggers, which existing methods can easily adapt to. NBA can be seen as another form of DBA.
**2. Evaluation against Robust Defenses:**
* **Reviewer viQS:** The paper lacks proper evaluation against state-of-the-art defenses. Ideally, the attack should be tested against robust aggregators and other defense strategies.
* **Reviewer ogAk:** The authors only evaluate primitive defenses (norm clipping, differential privacy). They should assess more robust defenses like FoolsGold, KRUM, FLAME, and SparseFed.
* **Reviewer nfBV:** The primary experiments are conducted in a defense-free environment (FedAvg). The authors should evaluate against more robust defenses and consider better ways to implement norm clipping.
**3. Generalizability and Scalability:**
* **Reviewer ogAk:** The authors only experiment with one type of pixel-pattern modification trigger. They should consider semantic backdoor triggers to assess generalizability.
* **Reviewer ogAk:** The results are unsuccessful even on Tiny-ImageNet, raising concerns about scalability to more complex datasets like ImageNet.
* **Reviewer nfBV:** The paper assumes specific trigger patterns and sizes (white rectangles of 24 pixels), which might not reflect real-world scenarios where attackers could use more varied triggers.
* **Reviewer nfBV:** NBA performs poorly on Tiny-ImageNet, indicating its unsuitability for large datasets.
**4. Stealthiness and Detectability:**
* **Reviewer Hxsb:** The insights into the stealthiness and detectability of the attack are vague. The authors should provide more concrete analysis and justifications.
**5. Lack of Formal Analysis:**
* **Reviewer Hxsb:** The authors rely primarily on empirical evidence and lack formal results. This weakens their argument and misses opportunities to provide stronger guarantees.
**6. Focus on Single-Adversary Attacks:**
* **Reviewer ogAk:** The authors devote a substantial portion to single-adversary attacks, which are already well-established.
**7. Potential for Trigger Interference:**
* **Reviewer viQS:** Do different backdoor patterns in NBA affect each other in terms of how the global model learns? Is there potential for interference, where one trigger activates another's backdoor?