TY - GEN
T1 - Defending Against Backdoor Attacks with Feature Activation-Based Detection and Model Recovery
AU - Ma, Xiao
AU - Shen, Hong
AU - Lam, Chan Tong
N1 - Publisher Copyright:
©2024 IEEE.
PY - 2024
Y1 - 2024
N2 - The characteristics of Federated Learning (FL) make FL highly susceptible to malicious poisoning attacks from adversaries. Existing FL defense methods can detect attacks of fixed poisoning patterns, and hence lack flexibility. Additionally, they typically remove the malicious node models upon detection, leading to a certain degree of data loss. To address these issues, we propose a novel defense method against backdoor attacks in FL systems, effectively enhancing their robustness to malicious poisoning attacks. Specifically, we introduce a malicious update detection method based on feature activation matrices. This method compares the distribution differences of updates from different clients on the same validation data and detects malicious clients based on the outlier rates of their updates. Furthermore, to mitigate the data loss caused by the removal of malicious clients, the server assesses the distance between the distribution of feature activation matrices from the client’s historical updates and the overall model distribution in the current iteration. Based on this distance, the server performs model recovery to a certain extent. Extensive experiments on two benchmark datasets demonstrate that our method accurately detects malicious clients under various state-of-the-art model poisoning attacks. Additionally, the model recovery method provides a notable improvement to the system, ensuring the robustness and performance of the FL system.
AB - The characteristics of Federated Learning (FL) make FL highly susceptible to malicious poisoning attacks from adversaries. Existing FL defense methods can detect attacks of fixed poisoning patterns, and hence lack flexibility. Additionally, they typically remove the malicious node models upon detection, leading to a certain degree of data loss. To address these issues, we propose a novel defense method against backdoor attacks in FL systems, effectively enhancing their robustness to malicious poisoning attacks. Specifically, we introduce a malicious update detection method based on feature activation matrices. This method compares the distribution differences of updates from different clients on the same validation data and detects malicious clients based on the outlier rates of their updates. Furthermore, to mitigate the data loss caused by the removal of malicious clients, the server assesses the distance between the distribution of feature activation matrices from the client’s historical updates and the overall model distribution in the current iteration. Based on this distance, the server performs model recovery to a certain extent. Extensive experiments on two benchmark datasets demonstrate that our method accurately detects malicious clients under various state-of-the-art model poisoning attacks. Additionally, the model recovery method provides a notable improvement to the system, ensuring the robustness and performance of the FL system.
KW - backdoor attacks
KW - data poisoning
KW - distributed systems
KW - Federated learning
UR - http://www.scopus.com/inward/record.url?scp=105002730690&partnerID=8YFLogxK
U2 - 10.1109/NCA61908.2024.00050
DO - 10.1109/NCA61908.2024.00050
M3 - Conference contribution
AN - SCOPUS:105002730690
T3 - Proceedings - 2024 22nd International Symposium on Network Computing and Applications, NCA 2024
SP - 294
EP - 301
BT - Proceedings - 2024 22nd International Symposium on Network Computing and Applications, NCA 2024
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 22nd International Symposium on Network Computing and Applications, NCA 2024
Y2 - 24 October 2024 through 26 October 2024
ER -