FLAIN: Mitigating Backdoor Attacks in Federated Learning via Flipping Weight Updates of Low-Activation Input Neurons

TL;DR

FLAIN is a novel defense mechanism in federated learning that identifies and flips weight updates of low-activation neurons to mitigate backdoor attacks without significantly harming model performance.

Contribution

The paper introduces FLAIN, a new method that effectively counters backdoor attacks in federated learning by targeting low-activation neurons during training.

Findings

FLAIN significantly reduces backdoor attack success rates.

It maintains high accuracy on clean data.

Effective under Non-IID data and high malicious client ratios.

Abstract

Federated learning (FL) enables multiple clients to collaboratively train machine learning models under the coordination of a central server, while maintaining privacy. However, the server cannot directly monitor the local training processes, leaving room for malicious clients to introduce backdoors into the model. Research has shown that backdoor attacks exploit specific neurons that are activated only by malicious inputs, remaining dormant with clean data. Building on this insight, we propose a novel defense method called Flipping Weight Updates of Low-Activation Input Neurons (FLAIN) to counter backdoor attacks in FL. Specifically, upon the completion of global training, we use an auxiliary dataset to identify low-activation input neurons and iteratively flip their associated weight updates. This flipping process continues while progressively raising the threshold for low-activation neurons, until the model's performance on the auxiliary data begins to degrade significantly. Extensive experiments demonstrate that FLAIN effectively reduces the success rate of backdoor attacks across a variety of scenarios, including Non-IID data distributions and high malicious client ratios (MCR), while maintaining minimal impact on the performance of clean data.