FedBAP: Backdoor Defense via Benign Adversarial Perturbation in Federated Learning
Xinhai Yan, Libing Wu, Zhuangzhuang Zhang, Bingyi Liu, Lijuan Huo, Jing Wang

TL;DR
FedBAP introduces a novel backdoor defense in federated learning by generating benign adversarial perturbations that diminish reliance on triggers, significantly reducing attack success rates and enhancing robustness.
Contribution
The paper presents a new defense framework that uses perturbation triggers and adaptive scaling to effectively mitigate backdoor attacks in federated learning.
Findings
Reduces attack success rates by up to 97.6%
Effective against multiple backdoor attack types
Balances defense strength and model performance
Abstract
Federated Learning (FL) enables collaborative model training while preserving data privacy, but it is highly vulnerable to backdoor attacks. Most existing defense methods in FL have limited effectiveness due to their neglect of the model's over-reliance on backdoor triggers, particularly as the proportion of malicious clients increases. In this paper, we propose FedBAP, a novel defense framework for mitigating backdoor attacks in FL by reducing the model's reliance on backdoor triggers. Specifically, first, we propose a perturbed trigger generation mechanism that creates perturbation triggers precisely matching backdoor triggers in location and size, ensuring strong influence on model outputs. Second, we utilize these perturbation triggers to generate benign adversarial perturbations that disrupt the model's dependence on backdoor triggers while forcing it to learn more robust decision…
