Towards a Defense Against Federated Backdoor Attacks Under Continuous Training
Shuaiqi Wang, Jonathan Hayase, Giulia Fanti, Sewoong Oh

TL;DR
This paper introduces shadow learning, a novel defense framework for federated learning that effectively mitigates backdoor attacks during long-term training by using parallel models and early stopping.
Contribution
It proposes a new defense method called shadow learning that combines filtering and early stopping, addressing backdoor leakage in continuous federated training.
Findings
Significantly improves defense effectiveness against backdoor attacks.
Theoretically justified design choices.
Experimental results show superior performance over existing methods.
Abstract
Backdoor attacks are dangerous and difficult to prevent in federated learning (FL), where training data is sourced from untrusted clients over long periods of time. These difficulties arise because: (a) defenders in FL do not have access to raw training data, and (b) a new phenomenon we identify called backdoor leakage causes models trained continuously to eventually suffer from backdoors due to cumulative errors in defense mechanisms. We propose shadow learning, a framework for defending against backdoor attacks in the FL setting under long-range training. Shadow learning trains two models in parallel: a backbone model and a shadow model. The backbone is trained without any defense mechanism to obtain good performance on the main task. The shadow model combines filtering of malicious clients with early-stopping to control the attack success rate even as the data distribution changes.…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
