A Whole-Process Certifiably Robust Aggregation Method Against Backdoor Attacks in Federated Learning

TL;DR

This paper introduces a comprehensive aggregation method for federated learning that certifiably enhances robustness against backdoor attacks by integrating multiple phases and proposing a weighted geometric median estimation, with theoretical guarantees and empirical validation.

Contribution

It proposes a novel whole-process certifiably robust aggregation (WPCRA) method and a weighted geometric median estimation (WGME) algorithm, improving backdoor attack resistance in federated learning.

Findings

Significant robustness improvements against backdoor attacks.

Theoretical proof of increased certified robustness radius.

Empirical validation on loan prediction task shows superior performance.

Abstract

Federated Learning (FL) has garnered widespread adoption across various domains such as finance, healthcare, and cybersecurity. Nonetheless, FL remains under significant threat from backdoor attacks, wherein malicious actors insert triggers into trained models, enabling them to perform certain tasks while still meeting FL's primary objectives. In response, robust aggregation methods have been proposed, which can be divided into three types: ex-ante, ex-durante, and ex-post methods. Given the complementary nature of these methods, combining all three types is promising yet unexplored. Such a combination is non-trivial because it requires leveraging their advantages while overcoming their disadvantages. Our study proposes a novel whole-process certifiably robust aggregation (WPCRA) method for FL, which enhances robustness against backdoor attacks across three phases: ex-ante, ex-durante, and ex-post. Moreover, since the current geometric median estimation method fails to consider differences among clients, we propose a novel weighted geometric median estimation algorithm (WGME). This algorithm estimates the geometric median of model updates from clients based on each client's weight, further improving the robustness of WPCRA against backdoor attacks. We also theoretically prove that WPCRA offers improved certified robustness guarantees with a larger certified radius. We evaluate the advantages of our methods based on the task of loan status prediction. Comparison with baselines shows that our methods significantly improve FL's robustness against backdoor attacks. This study contributes to the literature with a novel WPCRA method and a novel WGME algorithm. Our code is available at https://github.com/brick-brick/WPCRAM.