Backdoor attacks based on critical layers (BC) in federated learning suffer from manual, rule-based layer selection that ignores inter-layer dependencies, resulting in poor stealth and high detectability by state-of-the-art defenses. Method: We propose the first reinforcement learning framework for BC attacks, optimizing layer selection via policy gradient methods; it employs Bernoulli sampling for lightweight, dynamic layer poisoning and imposes regularization to constrain the number of modified layers—balancing attack efficacy and low observability. Crucially, the method requires no prior knowledge and adaptively refines its strategy using feedback from attack success rates. Contribution/Results: Evaluated against six SOTA defenses, our approach achieves an average attack success rate up to 40% higher than the best existing method, demonstrating significantly enhanced stealthiness and robustness under defense pressure.

Federated Learning (FL) enables decentralized model training across multiple clients without exposing local data, but its distributed feature makes it vulnerable to backdoor attacks. Despite early FL backdoor attacks modifying entire models, recent studies have explored the concept of backdoor-critical (BC) layers, which poison the chosen influential layers to maintain stealthiness while achieving high effectiveness. However, existing BC layers approaches rely on rule-based selection without consideration of the interrelations between layers, making them ineffective and prone to detection by advanced defenses. In this paper, we propose POLAR (POlicy-based LAyerwise Reinforcement learning), the first pipeline to creatively adopt RL to solve the BC layer selection problem in layer-wise backdoor attack. Different from other commonly used RL paradigm, POLAR is lightweight with Bernoulli sampling. POLAR dynamically learns an attack strategy, optimizing layer selection using policy gradient updates based on backdoor success rate (BSR) improvements. To ensure stealthiness, we introduce a regularization constraint that limits the number of modified layers by penalizing large attack footprints. Extensive experiments demonstrate that POLAR outperforms the latest attack methods by up to 40% against six state-of-the-art (SOTA) defenses.