BoBa: Boosting Backdoor Detection through Data Distribution Inference in Federated Learning

TL;DR

BoBa is a novel backdoor detection method for federated learning that leverages data distribution inference and overlapping clustering to effectively distinguish malicious updates from benign data variance.

Contribution

The paper introduces a distribution-aware backdoor detection mechanism using data distribution inference and overlapping clustering to improve detection robustness in federated learning.

Findings

BoBa reduces attack success rate to below 0.001.

BoBa maintains high main task accuracy across various attack strategies.

BoBa effectively differentiates benign data variance from backdoor attacks.

Abstract

Federated learning, while being a promising approach for collaborative model training, is susceptible to backdoor attacks due to its decentralized nature. Backdoor attacks have shown remarkable stealthiness, as they compromise model predictions only when inputs contain specific triggers. As a countermeasure, anomaly detection is widely used to filter out backdoor attacks in FL. However, the non-independent and identically distributed (non-IID) data distribution nature of FL clients presents substantial challenges in backdoor attack detection, as the data variety introduces variance among benign models, making them indistinguishable from malicious ones. In this work, we propose a novel distribution-aware backdoor detection mechanism, BoBa, to address this problem. To differentiate outliers arising from data variety versus backdoor attacks, we propose to break down the problem into two steps: clustering clients utilizing their data distribution, and followed by a voting-based detection. We propose a novel data distribution inference mechanism for accurate data distribution estimation. To improve detection robustness, we introduce an overlapping clustering method, where each client is associated with multiple clusters, ensuring that the trustworthiness of a model update is assessed collectively by multiple clusters rather than a single cluster. Through extensive evaluations, we demonstrate that BoBa can reduce the attack success rate to lower than 0.001 while maintaining high main task accuracy across various attack strategies and experimental settings.