FedRAB: Robust federated learning against backdoor attacks based on collaborative defense with smoothing

Abstract

Federated learning (FL) enables collaborative model training without exposing local data, offering privacy benefits. However, its distributed nature makes it vulnerable to backdoor attacks, where adversaries manipulate training data or model updates to trigger attacker-chosen outputs. Existing defenses often fail under high proportions of malicious clients and struggle to balance robustness and model utility. This article proposes FedRAB, a collaborative FL defense framework using dynamic smoothing to mitigate backdoor threats. FedRAB remains effective even when over 50% of clients are malicious. In this framework, clients are categorized into three types: fully trusted clients, malicious but trusted clients and malicious and untrusted clients. The first two inject controlled perturbation noise into their local datasets, suppressing poisoning attacks while preserving accuracy. To address diverse and severe backdoor behaviors, the server applies dimensionality reduction followed by clustering to identify and filter out the most harmful malicious updates. This enhances both the accuracy and efficiency of malicious update detection. The server then clips and perturbs the remaining model updates, further strengthening defense against backdoors while preserving data diversity and generalization. We evaluate the effectiveness of FedRAB on various datasets. For example, on the MNIST dataset, when 65% of clients are malicious, FedRAB reduces the backdoor accuracy from 94.6% to 1.5%, while only decreasing the model's accuracy on benign samples by 1.2%.

Keywords

federated learning backdoor attacks perturbation noise dynamic clustering dimensionality reduction

Get full access to this article

View all access options for this article.

References

McMahan

Moore

Ramage

, et al. Communication-efficient learning of deep networks from decentralized data. In: International conference on artificial intelligence and statistics, 2017a, pp.1273–1282. PMLR.

Erickson

Korfiatis

Akkus

, et al. Machine learning for medical imaging. Radiographics 2017; 37: 505–515.

Shen

Cheng

, et al. Fedproc: prototypical contrastive federated learning on non-iid data. Fut Gener Comput Syst 2023; 143: 93–104.

Sim

Beaufays

Benard

, et al. Personalization of end-to-end speech recognition on mobile devices for named entities. In: 2019 IEEE automatic speech recognition and understanding workshop (ASRU), 2019, pp.23–30. IEEE.

Bagdasaryan

Veit

Hua

, et al. How to backdoor federated learning. In: International conference on artificial intelligence and statistics, 2020, pp.2938–2948. PMLR.

Shejwalkar

Houmansadr

. Manipulating the byzantine: optimizing model poisoning attacks and defenses for federated learning. In: Procedings of the 28th Annual network and distributed system security symposium, 2021, pp.1–18.

Tolpegin

Truex

Gursoy

, et al. Data poisoning attacks against federated learning systems. In: Computer Security–ESORICS 2020: 25th European symposium on research in computer security, 2020, pp.480–501. Springer.

Wang

Sreenivasan

Rajput

, et al. Attack of the tails: yes, you really can backdoor federated learning. Adv Neural Inf Process Syst 2020; 33: 16070–16084.

Shen

Tople

Saxena

. Auror: defending against poisoning attacks in collaborative deep learning systems. In: Proceedings of the 32nd annual conference on computer security applications, 2016, pp.508–519.

10.

Blanchard

El Mhamdi

Guerraoui

, et al. Machine learning with adversaries: byzantine tolerant gradient descent. Adv Neural Inf Process Syst 2017; 30: 118–128.

11.

Fung

Yoon

Beschastnikh

. Mitigating sybils in federated learning poisoning. arXiv preprint arXiv:1808.04866, 2018.

12.

Muñoz-González

Lupu

. Byzantine-robust federated machine learning through adaptive model averaging. arXiv preprint arXiv:1909.05125, 2019.

13.

Nguyen

Rieger

De Viti

, et al.

{

FLAME

}

: taming backdoors in federated learning. In: 31st USENIX Security Symposium (USENIX Security 22), 2022, pp.1415–1432.

14.

McMahan

Ramage

Talwar

, et al. Learning differentially private recurrent language models. In: International conference on learning representations, 2018.

15.

Sun

Kairouz

Suresh

, et al. Can you really backdoor federated learning? arXiv preprint arXiv:1911.07963, 2019.

16.

Xie

Chen

P-Y

, et al. CRFL: certifiably robust federated learning against backdoor attacks. In: International conference on machine learning, 2021, pp.11372–11382. PMLR.

17.

Zhang

Panda

Song

, et al. Neurotoxin: durable backdoors in federated learning. In: International conference on machine learning, 2022, pp.26429–26446. PMLR.

18.

Xie

Huang

Chen

, et al. Dba: distributed backdoor attacks against federated learning. In: 8th International conference on learning representations, 2019.

19.

Liu

Dolan-Gavitt

, et al. Badnets: evaluating backdooring attacks on deep neural networks. IEEE Access 2019; 7: 47230–47244.

20.

Zhou

, et al. Deep model poisoning attack on federated learning. Fut Int 2021; 13: 73.

21.

Singhal

, et al. Modern information retrieval: a brief overview. IEEE Data Eng Bull 2001; 24: 35–43.

22.

Mahalanobis

. On the generalized distance in statistics. Sankhya Indian J Stat Ser A (2008-) 2018; 80: S1–S7.

23.

Ozdayi

Kantarcioglu

Gel

. Defending against backdoors in federated learning with robust learning rate. In: Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 35, 2021, pp.9268–9276.

24.

Guerraoui

Rouault

, et al. The hidden vulnerability of distributed learning in byzantium. In: International conference on machine learning, 2018, pp.3521–3530. PMLR.

25.

Yin

Chen

Kannan

, et al. Byzantine-robust distributed learning: towards optimal statistical rates. In: International conference on machine learning, 2018, pp.5650–5659. PMLR.

26.

Sun

DiValentin

, et al. Fl-wbc: enhancing robustness against model poisoning attacks in federated learning from a client perspective. Adv Neural Inf Process Syst 2021; 34: 12613–12624.

27.

Abdi

. Singular value decomposition (SVD) and generalized singular value decomposition. Encycl Measure Stat 2007; 907: 44.

28.

Akritas

Malaschonok

. Applications of singular-value decomposition (SVD). Math Comput Simul 2004; 67: 15–31.

29.

Ankerst

Breunig

Kriegel

H-P

, et al. Optics: ordering points to identify the clustering structure. ACM Sigmod Record 1999; 28: 49–60.

30.

Shejwalkar

Houmansadr

Kairouz

, et al. Back to the drawing board: a critical evaluation of poisoning attacks on production federated learning. In: 2022 IEEE symposium on security and privacy (SP), 2022, pp.1354–1371. IEEE.

31.

Weber

Karlaš

, et al. Rab: provable robustness against backdoor attacks. In: 2023 IEEE symposium on security and privacy (SP), 2023, pp.1311–1328. IEEE.

32.

Wei

Liu

. Gradient leakage attack resilient deep learning. IEEE Trans Inform Forens Sec 2021; 17: 303–316.

33.

, et al. Efficient byzantine-robust and privacy-preserving federated learning on compressive domain. IEEE Int Things J 2024; 11: 7116–7127.

34.

Van der Maaten

Hinton

. Visualizing data using t-sne. J Mach Learn Res 2008; 9: 2579--2605.

35.

McInnes

Healy

Melville

. UMAP: uniform manifold approximation and projection for dimension reduction. Statistics 2020; 1050: 18.

36.

Cover

Hart

. Nearest neighbor pattern classification. IEEE Trans Inform Theory 1967; 13: 21–27.

37.

Rieger

Nguyen

Miettinen

, et al. Deepsight: mitigating backdoor attacks in federated learning through deep model inspection. arXiv preprint arXiv:2201.00763, 2022.

38.

Jia

Song

. Robust anomaly detection and backdoor attack detection via differential privacy. arXiv preprint arXiv:1911.07116, 2019.