FL-CLEANER: byzantine and backdoor defense by CLustering Errors of Activation maps in Non-iid fedErated leaRning

TL;DR

FL-CLEANER is a novel federated learning defense that effectively filters Byzantine and backdoor attacks in non-IID environments by analyzing activation map errors and propagating trust among clients.

Contribution

It introduces a client scoring method based on activation map reconstruction errors and a trust propagation algorithm for filtering malicious updates in non-IID federated learning.

Findings

Achieves less than 1% misclassification rate on benign clients.

Effectively defends against Byzantine and backdoor attacks in non-IID settings.

Outperforms state-of-the-art defenses in experimental evaluations.

Abstract

Federated Learning (FL) enables clients to collaboratively train a global model using their local datasets while reinforcing data privacy, but it is prone to poisoning attacks. Existing defense mechanisms assume that clients' data are independent and identically distributed (IID), making them ineffective in real-world applications where data are non-IID. This paper presents FL-CLEANER, the first defense capable of filtering both byzantine and backdoor attackers' model updates in a non-IID FL environment. The originality of FL-CLEANER is twofold. First, it relies on a client confidence score derived from the reconstruction errors of each client's model activation maps for a given trigger set, with reconstruction errors obtained by means of a Conditional Variational Autoencoder trained according to a novel server-side strategy. Second, it uses an original ad-hoc trust propagation algorithm we propose. Based on previous client scores, it allows building a cluster of benign clients while flagging potential attackers. Experimental results on the datasets MNIST and FashionMNIST demonstrate the efficiency of FL-CLEANER against Byzantine attackers as well as to some state-of-the-art backdoors in non-IID scenarios; it achieves a close-to-zero (<1%) benign client misclassification rate, even in the absence of an attack, and achieves strong performance compared to state of the art defenses.