Horizontal federated learning (HFL) backdoor audits often summarize model behavior through clean accuracy (CA), mean attack success rate (ASR), or a single known-trigger test. Such summaries can hide a different failure mode, in which one target label is activated by many trigger realizations. We study this failure mode with FLAT, a latent-conditioned reliability stress test for HFL backdoors. In FLAT, compromised clients still submit ordinary classifier updates to the server, while an attacker-side generator G(x,t,z) separates target intent t from trigger realization z. This separation shifts the audit question from whether one known trigger succeeds to how the hidden behavior varies across targets, latent samples, defenses, and post-stop rounds. On CIFAR-10, CIFAR-100, and Tiny-ImageNet, FLAT preserves clean utility while reaching 99.49%, 99.66%, and 94.10% single-target FedAvg ASR. The evaluation also reveals non-uniform defense responses, where a server rule can suppress one target mode while leaving another active. These observations motivate HFL backdoor audits that report target-wise ASR, worst-target ASR, target coverage, latent-sampled behavior, post-stop persistence, and defense response.
FLAT: Revealing Hidden Latent-Conditioned Backdoor Failures in Federated Learning
Horizontal federated learning (HFL) backdoor audits often summarize model behavior through clean accuracy (CA), mean attack success rate (ASR), or a single known-trigger test.
- Preview

- Year
- 2025
- Hosting
- Excerpt onlyCC-BY-NC-4.0
Cite
Notes
Only stored in your browser.
Attribution
- Abstract & full text
- arxiv.org/abs/2508.04064CC-BY-NC-4.0
- TL;DR
- Semantic Scholar