Multi-metrics adaptively identifies backdoors in Federated learning
Siquan Huang, Yijiang Li, Chong Chen, Leyu Shi, and Ying Gao

TL;DR
This paper introduces a multi-metrics, adaptive defense method for federated learning that effectively detects backdoors without relying on specific attack assumptions, outperforming existing approaches across diverse scenarios.
Contribution
The paper proposes a novel multi-metrics and dynamic weighting strategy for backdoor detection in federated learning, addressing limitations of traditional distance-based methods in high dimensions and diverse attack types.
Findings
Achieves the lowest backdoor accuracy of 3.06% under PGD attack.
Outperforms previous defenses across various datasets and attack settings.
Maintains benign model performance across different non-IID data distributions.
Abstract
The decentralized and privacy-preserving nature of federated learning (FL) makes it vulnerable to backdoor attacks aiming to manipulate the behavior of the resulting model on specific adversary-chosen inputs. However, most existing defenses based on statistical differences take effect only against specific attacks, especially when the malicious gradients are similar to benign ones or the data are highly non-independent and identically distributed (non-IID). In this paper, we revisit the distance-based defense methods and discover that i) Euclidean distance becomes meaningless in high dimensions and ii) malicious gradients with diverse characteristics cannot be identified by a single metric. To this end, we present a simple yet effective defense strategy with multi-metrics and dynamic weighting to identify backdoors adaptively. Furthermore, our novel defense has no reliance on predefined…
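As an added illustration of the abstract's second observation (not code from the paper or its authors), the sketch below scores each client update on three metrics and combines them after z-scoring each metric within the round. The metric set (Manhattan, Euclidean, cosine), the z-score step standing in for dynamic weighting, and all names and sample vectors are assumptions constructed for this example.

```python
import math
import random

def manhattan(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def cosine_dist(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return 1.0 - dot / (math.hypot(*a) * math.hypot(*b))

METRICS = (manhattan, euclidean, cosine_dist)  # assumed metric set

def zscores(updates):
    """Per client: z-score, within this round, of its summed distance to all
    other clients, one value per metric. Stand-in for dynamic weighting."""
    feats = {c: [sum(m(u, v) for o, v in updates.items() if o != c)
                 for m in METRICS] for c, u in updates.items()}
    cols = list(zip(*feats.values()))
    mu = [sum(col) / len(col) for col in cols]
    sd = [math.sqrt(sum((x - m) ** 2 for x in col) / len(col)) or 1.0
          for col, m in zip(cols, mu)]
    return {c: [(x - m) / s for x, m, s in zip(f, mu, sd)]
            for c, f in feats.items()}

def flagged(updates, k):
    """Names of the k clients whose combined multi-metric score is largest."""
    score = {c: math.sqrt(sum(z * z for z in zs))
             for c, zs in zscores(updates).items()}
    return set(sorted(score, key=score.get, reverse=True)[:k])

def constructed_round(dim=200, seed=7):
    """Constructed data: 8 benign updates and two differently shaped outliers."""
    rng = random.Random(seed)
    g = [rng.gauss(0, 1) for _ in range(dim)]
    h = [rng.gauss(0, 1) for _ in range(dim)]
    ups = {f"benign{i}": [x + rng.gauss(0, 0.1) for x in g] for i in range(8)}
    ups["scaled"] = [3 * x for x in g]  # same direction, larger norm
    ups["rotated"] = [0.8 * x + 0.6 * y for x, y in zip(g, h)]  # new direction
    return ups

if __name__ == "__main__":
    ups = constructed_round()
    print("flagged:", sorted(flagged(ups, 2)))
    for name in ("benign0", "scaled", "rotated"):
        print(name, [round(z, 2) for z in zscores(ups)[name]])
```

The per-metric z-scores show why one metric is not enough on this constructed round: the scaled update stands out on the Manhattan and Euclidean columns but not on cosine, and the rotated update does the reverse.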
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
