BackdoorIndicator: Leveraging OOD Data for Proactive Backdoor Detection in Federated Learning

TL;DR

BackdoorIndicator is a proactive federated learning defense that uses out-of-distribution data to detect backdoors in models, showing superior performance over existing methods across various settings.

Contribution

The paper introduces BackdoorIndicator, a novel proactive backdoor detection method leveraging OOD data, which is effective regardless of backdoor type or label.

Findings

BackdoorIndicator outperforms baseline defenses in diverse settings.

It maintains high detection accuracy even with sophisticated backdoor attacks.

The method is practical and adaptable to real-world federated learning systems.

Abstract

In a federated learning (FL) system, decentralized data owners (clients) could upload their locally trained models to a central server, to jointly train a global model. Malicious clients may plant backdoors into the global model through uploading poisoned local models, causing misclassification to a target class when encountering attacker-defined triggers. Existing backdoor defenses show inconsistent performance under different system and adversarial settings, especially when the malicious updates are made statistically close to the benign ones. In this paper, we first reveal the fact that planting subsequent backdoors with the same target label could significantly help to maintain the accuracy of previously planted backdoors, and then propose a novel proactive backdoor detection mechanism for FL named BackdoorIndicator, which has the server inject indicator tasks into the global model leveraging out-of-distribution (OOD) data, and then utilizing the fact that any backdoor samples are OOD samples with respect to benign samples, the server, who is completely agnostic of the potential backdoor types and target labels, can accurately detect the presence of backdoors in uploaded models, via evaluating the indicator tasks. We perform systematic and extensive empirical studies to demonstrate the consistently superior performance and practicality of BackdoorIndicator over baseline defenses, across a wide range of system and adversarial settings.