DeepSight: Mitigating Backdoor Attacks in Federated Learning Through Deep Model Inspection
Phillip Rieger, Thien Duc Nguyen, Markus Miettinen, Ahmad-Reza Sadeghi

TL;DR
DeepSight is a novel approach that effectively detects and mitigates backdoor attacks in federated learning by analyzing model updates' internal structures and data distributions, outperforming existing defenses with minimal impact on benign models.
Contribution
DeepSight introduces a new model filtering method based on data distribution and internal structure analysis to identify and eliminate poisoned model updates in federated learning.
Findings
Successfully mitigates state-of-the-art backdoor attacks
Maintains high model performance on benign data
Outperforms existing defenses in detection accuracy
Abstract
Federated Learning (FL) allows multiple clients to collaboratively train a Neural Network (NN) model on their private data without revealing the data. Recently, several targeted poisoning attacks against FL have been introduced. These attacks inject a backdoor into the resulting model that allows adversary-controlled inputs to be misclassified. Existing countermeasures against backdoor attacks are inefficient and often merely aim to exclude deviating models from the aggregation. However, this approach also removes benign models of clients with deviating data distributions, causing the aggregated model to perform poorly for such clients. To address this problem, we propose DeepSight, a novel model filtering approach for mitigating backdoor attacks. It is based on three novel techniques that make it possible to characterize the distribution of data used to train model updates and seek to measure…
