Backdoor Defense in Federated Learning Using Differential Testing and Outlier Detection
Yein Kim, Huili Chen, Farinaz Koushanfar

TL;DR
This paper introduces DifFense, an automated framework using differential testing and outlier detection to defend federated learning systems from backdoor attacks, effectively reducing attack success and maintaining model accuracy.
Contribution
It presents a novel defense method that does not require prior attack knowledge or access to local models, improving robustness against backdoor attacks in federated learning.
Findings
Reduces backdoor accuracy to below 4%
Achieves zero false negatives in attack detection
Maintains model convergence comparable to FedAvg
Abstract
The goal of federated learning (FL) is to train one global model by aggregating model parameters updated independently on edge devices without accessing users' private data. However, FL is susceptible to backdoor attacks where a small fraction of malicious agents inject a targeted misclassification behavior into the global model by uploading polluted model updates to the server. In this work, we propose DifFense, an automated defense framework to protect an FL system from backdoor attacks by leveraging differential testing and two-step MAD outlier detection, without requiring any previous knowledge of attack scenarios or direct access to local model parameters. We empirically show that our detection method defends against varying numbers of potential attackers while consistently achieving convergence of the global model comparable to that trained under federated averaging (FedAvg). We…
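The abstract names MAD (median absolute deviation) outlier detection as the screening step applied to client updates before aggregation. The following is an added illustration of that idea and is not the paper's code; the two passes it uses (a norm screen followed by a direction screen among survivors), the 1.4826 scale factor, the modified z-score threshold of 3.0, and the constructed client updates are all assumptions chosen for the example, not details taken from DifFense.

```python
import numpy as np

# Assumed setting (not the paper's published procedure): every client uploads a
# flattened model update, and the server screens the batch with two MAD passes
# before averaging only the updates that survive both.


def mad_outlier_indices(values, threshold=3.0):
    """Indices whose modified z-score |x - median| / (1.4826 * MAD) exceeds threshold.

    1.4826 rescales the MAD to a standard deviation under Gaussian noise.
    A MAD of zero means every value is identical, so nothing can be flagged.
    """
    values = np.asarray(values, dtype=float)
    med = np.median(values)
    mad = np.median(np.abs(values - med))
    if mad == 0.0:
        return set()
    scores = np.abs(values - med) / (1.4826 * mad)
    return {int(i) for i in np.flatnonzero(scores > threshold)}


def two_step_mad_filter(updates, threshold=3.0):
    """Return (accepted client indices, step-1 flags, step-2 flags)."""
    updates = np.asarray(updates, dtype=float)
    n = updates.shape[0]

    # Step 1 (assumed): magnitude screen on the L2 norm of each update.
    # Scaled "model replacement" updates stand far from the honest cluster.
    norms = np.linalg.norm(updates, axis=1)
    step1 = mad_outlier_indices(norms, threshold)
    survivors = [i for i in range(n) if i not in step1]

    # Step 2 (assumed): direction screen among the survivors. Measure each
    # survivor's distance to the survivors' coordinate-wise median update, so a
    # norm-matched update pointing somewhere else still shows up as an outlier.
    center = np.median(updates[survivors], axis=0)
    dists = np.linalg.norm(updates[survivors] - center, axis=1)
    step2 = {survivors[j] for j in mad_outlier_indices(dists, threshold)}

    accepted = [i for i in survivors if i not in step2]
    return accepted, step1, step2


def robust_aggregate(updates, threshold=3.0):
    """FedAvg-style mean over the updates that pass both screens."""
    updates = np.asarray(updates, dtype=float)
    accepted, step1, step2 = two_step_mad_filter(updates, threshold)
    return updates[accepted].mean(axis=0), step1, step2


def build_round():
    """Constructed sample round: 10 honest clients, 2 scaled attackers (10, 11)
    and one norm-matched attacker (12) whose update points in a different direction."""
    dim = 8
    g = np.ones(dim) / np.sqrt(dim)       # shared honest gradient direction (unit length)
    eye = np.eye(dim)
    updates = []
    for i in range(10):
        # honest updates: slightly different step sizes plus a tiny per-client perturbation
        updates.append((0.10 + 0.002 * i) * g + 0.001 * eye[i % dim])
    updates.append(5.0 * g + 0.5 * eye[0])   # client 10: boosted update, huge norm
    updates.append(6.0 * g + 0.5 * eye[0])   # client 11: boosted update, huge norm
    updates.append(0.11 * eye[1])            # client 12: honest-sized norm, wrong direction
    return np.array(updates)


if __name__ == "__main__":
    aggregated, flagged_by_norm, flagged_by_direction = robust_aggregate(build_round())
    print("flagged in step 1 (norm):     ", sorted(flagged_by_norm))
    print("flagged in step 2 (direction):", sorted(flagged_by_direction))
    print("aggregated update:", np.round(aggregated, 4))
```

On the constructed round, the norm screen removes clients 10 and 11 and the direction screen removes client 12, so only the ten honest updates reach the average. The MAD is used instead of mean and standard deviation because both median and MAD have a 50% breakdown point: a minority of extreme uploads cannot drag the threshold toward themselves, which is exactly the property a server wants when it cannot inspect local models or assume a known attack pattern.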
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
