Invariant Aggregator for Defending against Federated Backdoor Attacks

TL;DR

This paper introduces an invariant aggregator for federated learning that effectively defends against backdoor attacks by focusing on invariant update directions, ensuring model robustness without sacrificing utility.

Contribution

The paper proposes a novel invariant aggregator that mitigates backdoor attacks in federated learning by masking malicious update elements, with theoretical guarantees and empirical validation.

Findings

Effectively mitigates backdoor attacks across multiple datasets.

Maintains high model utility with negligible performance loss.

Provably robust against attacks on flat loss landscapes.

Abstract

Federated learning enables training high-utility models across several clients without directly sharing their private data. As a downside, the federated setting makes the model vulnerable to various adversarial attacks in the presence of malicious clients. Despite the theoretical and empirical success in defending against attacks that aim to degrade models' utility, defense against backdoor attacks that increase model accuracy on backdoor samples exclusively without hurting the utility on other samples remains challenging. To this end, we first analyze the failure modes of existing defenses over a flat loss landscape, which is common for well-designed neural networks such as Resnet (He et al., 2015) but is often overlooked by previous works. Then, we propose an invariant aggregator that redirects the aggregated update to invariant directions that are generally useful via selectively masking out the update elements that favor few and possibly malicious clients. Theoretical results suggest that our approach provably mitigates backdoor attacks and remains effective over flat loss landscapes. Empirical results on three datasets with different modalities and varying numbers of clients further demonstrate that our approach mitigates a broad class of backdoor attacks with a negligible cost on the model utility.