Mitigating Backdoor Attacks in Federated Learning
Chen Wu, Xian Yang, Sencun Zhu, Prasenjit Mitra

TL;DR
This paper presents a post-training federated pruning method to effectively mitigate backdoor attacks in federated learning, significantly reducing attack success rates with minimal impact on model accuracy.
Contribution
The authors propose a post-training defence: federated pruning that removes redundant neurons, combined with adjustment of the model's extreme weight values, to mitigate backdoor attacks after training. Defending after training, rather than during aggregation, is a new strategy in federated learning security.
Findings
Reduces attack success rate from 99.7% to 1.9% on Fashion-MNIST
Achieves over 70% reduction in attack success rate on CIFAR-10
Maintains high model accuracy with minimal loss after pruning and fine-tuning
Abstract
Malicious clients can attack federated learning systems by contributing malicious data, including backdoor samples, during the training phase. The compromised global model performs well on the validation dataset designed for the task, but a small subset of inputs carrying the backdoor pattern triggers the model into making a wrong prediction. There has been an arms race between attackers who try to conceal their attacks and defenders who try to detect them on the server side during the aggregation stage of training. In this work, we propose a new and effective method to mitigate backdoor attacks after the training phase. Specifically, we design a federated pruning method to remove redundant neurons in the network and then adjust the model's extreme weight values. Our experiments on distributed Fashion-MNIST show that our method can reduce the average attack success rate from 99.7% to 1.9%…
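The abstract describes the defence in two steps: clients help the server identify neurons that are redundant (dormant) on clean data, the server prunes them, and the remaining extreme weight values are adjusted. The toy below is an added illustration of that idea, not the authors' code: a hand-built two-layer ReLU network with one hidden neuron that stays silent on clean inputs and fires only on a trigger feature, honest clients ranking hidden neurons by mean activation on their own clean data, the server averaging the ranks and pruning the least-active neurons, and a quantile-based clip of the surviving weights. The network weights, the rank-averaging rule, the pruning fraction and the clipping quantile are all assumptions for illustration; the abstract does not give the paper's exact ranking, aggregation or adjustment rules.

```python
"""Toy post-training federated pruning + weight clipping against a backdoor.

Constructed example (not the paper's code or data): a tiny 2-layer ReLU network
with one hidden neuron (index 4) that is dormant on clean data and fires only when
the trigger feature x[3] is set. All weights, data and thresholds are assumptions.
"""
import numpy as np

# --- constructed backdoored global model (assumed, not the paper's) ---
W1 = np.array([
    [1.0, 0.0, 0.0, 0.5, 0.0],
    [0.0, 1.0, 0.0, 0.5, 0.0],
    [0.0, 0.0, 1.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0, 10.0],   # trigger feature x[3] feeds only neuron 4
])
b1 = np.array([0.0, 0.0, 0.0, 0.0, -1.0])  # neuron 4 is silent unless x[3] > 0.1
W2 = np.array([
    [1.0, 0.0],
    [1.0, 0.0],
    [0.0, 2.0],
    [0.5, 0.5],
    [0.0, 10.0],                  # extreme weight: neuron 4 forces class 1
])


def hidden(W1, b1, X):
    """ReLU hidden-layer activations for a batch X."""
    return np.maximum(X @ W1 + b1, 0.0)


def predict(W1, b1, W2, X):
    """Predicted class per row of X (argmax over logits)."""
    return np.argmax(hidden(W1, b1, X) @ W2, axis=1)


def client_rank(W1, b1, X_local):
    """Client side: rank hidden neurons by mean activation on local clean data.

    Returns an integer rank per neuron, 0 = least active. Only ranks leave the
    client, not the raw data.
    """
    mean_act = hidden(W1, b1, X_local).mean(axis=0)
    return np.argsort(np.argsort(mean_act))


def server_prune(W1, b1, W2, ranks, prune_fraction):
    """Server side: average the clients' ranks and drop the lowest-ranked neurons.

    Averaging over several clients (assumed rule) means no single client's ranking
    decides which neurons survive.
    """
    avg = np.mean(np.stack(ranks), axis=0)
    n_prune = int(prune_fraction * avg.size)
    pruned = np.argsort(avg)[:n_prune]
    keep = np.ones(avg.size, dtype=bool)
    keep[pruned] = False
    return W1[:, keep], b1[keep], W2[keep, :], sorted(pruned.tolist())


def clip_extreme(W, q=0.95):
    """Adjust extreme weights: clip |w| to the q-quantile of |W| (assumed rule)."""
    bound = np.quantile(np.abs(W), q)
    return np.clip(W, -bound, bound), float(bound)


def make_clean_batch(rng, n=200):
    """Constructed honest-client data: random features, trigger feature absent."""
    X = rng.uniform(0.0, 1.0, size=(n, 4))
    X[:, 3] = 0.0
    return X


def run_demo(n_clients=3, prune_fraction=0.2, seed=0):
    """Prune then clip; report which neurons were removed and the predictions
    for one clean input and its triggered copy, before and after the defence."""
    rng = np.random.default_rng(seed)
    clean = np.array([[0.9, 0.8, 0.1, 0.0]])
    triggered = clean.copy()
    triggered[0, 3] = 1.0
    before = (int(predict(W1, b1, W2, clean)[0]),
              int(predict(W1, b1, W2, triggered)[0]))
    ranks = [client_rank(W1, b1, make_clean_batch(rng)) for _ in range(n_clients)]
    W1p, b1p, W2p, pruned = server_prune(W1, b1, W2, ranks, prune_fraction)
    W2c, bound = clip_extreme(W2p)
    after = (int(predict(W1p, b1p, W2c, clean)[0]),
             int(predict(W1p, b1p, W2c, triggered)[0]))
    return {"pruned": pruned, "before": before, "after": after, "clip_bound": bound}


if __name__ == "__main__":
    print(run_demo())
```

In this constructed setup the backdoor neuron has mean activation exactly zero on every honest client's data, so it is ranked last by all of them and is the one neuron removed at a 20% pruning fraction; the triggered input then classifies the same as its clean copy. The clipping step operates on the weights that survive pruning, which is why the extreme 10.0 never reaches it here. Two caveats a practitioner should keep in mind, neither claimed by the abstract: the pruning signal only works if the honest clients' data really lacks the trigger pattern, and the ranks are client-supplied, so the server should not let one client's ranking dominate.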
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Internet Traffic Analysis and Secure E-voting
Methods: Pruning
