FilterFL: Knowledge Filtering-based Data-Free Backdoor Defense for Federated Learning
Yanxin Yang, Ming Hu, Xiaofei Xie, Yue Cao, Pengyu Zhang, Yihao Huang, Mingsong Chen

TL;DR
FilterFL is a novel data-free defense method for federated learning that detects and filters backdoor triggers by leveraging differences in model knowledge, effectively defending against various backdoor attacks even with high malicious client ratios.
Contribution
This paper introduces a data-free, trigger-generation-based defense approach that identifies and filters backdoor triggers in federated learning by analyzing model differences, outperforming existing methods.
Findings
Effective against nearly all backdoor attack types.
Outperforms seven state-of-the-art defenses.
Maintains robustness even with 80% malicious clients.
Abstract
As a distributed machine learning paradigm, Federated Learning (FL) enables large-scale clients to collaboratively train a model without sharing their raw data. However, due to the lack of data auditing for untrusted clients, FL is vulnerable to poisoning attacks, especially backdoor attacks. By using poisoned data for local training or directly changing the model parameters, attackers can easily inject backdoors into the model, which can trigger the model to misclassify targeted patterns in images. To address these issues, we propose a novel data-free trigger-generation-based defense approach based on two characteristics of backdoor attacks: i) triggers are learned faster than normal knowledge, and ii) trigger patterns have a greater effect on image classification than normal class patterns. Our approach generates the images with newly learned knowledge by identifying…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data
