Revisiting Personalized Federated Learning: Robustness Against Backdoor Attacks
Zeyu Qin, Liuyi Yao, Daoyuan Chen, Yaliang Li, Bolin Ding, Minhao Cheng

TL;DR
This paper investigates how personalized federated learning (pFL) can enhance robustness against backdoor attacks. It reveals that partial model-sharing improves security and proposes a lightweight defense method, supported by extensive experiments on benchmark datasets.
Contribution
It is the first comprehensive study of backdoor attacks in pFL, demonstrating robustness benefits of partial model-sharing and introducing Simple-Tuning as an effective defense.
Findings
Partial model-sharing in pFL boosts robustness against backdoor attacks.
Full model-sharing in pFL does not improve robustness.
The proposed Simple-Tuning method empirically enhances defense performance.
Abstract
In this work, besides improving prediction accuracy, we study whether personalization could bring robustness benefits to backdoor attacks. We conduct the first study of backdoor attacks in the pFL framework, testing 4 widely used backdoor attacks against 6 pFL methods on benchmark datasets FEMNIST and CIFAR-10, a total of 600 experiments. The study shows that pFL methods with partial model-sharing can significantly boost robustness against backdoor attacks. In contrast, pFL methods with full model-sharing do not show robustness. To analyze the reasons for varying robustness performances, we provide comprehensive ablation studies on different pFL methods. Based on our findings, we further propose a lightweight defense method, Simple-Tuning, which empirically improves defense performance against backdoor attacks. We believe that our work could provide both guidance for pFL application in…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Network Security and Intrusion Detection
