XMAM:X-raying Models with A Matrix to Reveal Backdoor Attacks for Federated Learning

TL;DR

This paper introduces XMAM, a novel aggregation method for federated learning that effectively detects backdoor attacks by analyzing Softmax outputs, outperforming existing defenses especially under adaptive attack scenarios.

Contribution

XMAM is a new backdoor detection technique that uses Softmax output analysis and clustering, achieving higher robustness without requiring training data on the server.

Findings

Effectively detects backdoor attacks with up to 45% malicious clients.

Outperforms existing methods in speed, being 10-10000 times faster.

Maintains model training under adaptive attack conditions with 40% malicious clients.

Abstract

Federated Learning (FL) has received increasing attention due to its privacy protection capability. However, the base algorithm FedAvg is vulnerable when it suffers from so-called backdoor attacks. Former researchers proposed several robust aggregation methods. Unfortunately, many of these aggregation methods are unable to defend against backdoor attacks. What's more, the attackers recently have proposed some hiding methods that further improve backdoor attacks' stealthiness, making all the existing robust aggregation methods fail. To tackle the threat of backdoor attacks, we propose a new aggregation method, X-raying Models with A Matrix (XMAM), to reveal the malicious local model updates submitted by the backdoor attackers. Since we observe that the output of the Softmax layer exhibits distinguishable patterns between malicious and benign updates, we focus on the Softmax layer's output in which the backdoor attackers are difficult to hide their malicious behavior. Specifically, like X-ray examinations, we investigate the local model updates by using a matrix as an input to get their Softmax layer's outputs. Then, we preclude updates whose outputs are abnormal by clustering. Without any training dataset in the server, the extensive evaluations show that our XMAM can effectively distinguish malicious local model updates from benign ones. For instance, when other methods fail to defend against the backdoor attacks at no more than 20% malicious clients, our method can tolerate 45% malicious clients in the black-box mode and about 30% in Projected Gradient Descent (PGD) mode. Besides, under adaptive attacks, the results demonstrate that XMAM can still complete the global model training task even when there are 40% malicious clients. Finally, we analyze our method's screening complexity, and the results show that XMAM is about 10-10000 times faster than the existing methods.