Coward: Collision-based OOD Watermarking for Practical Proactive Federated Backdoor Detection

TL;DR

Coward is a proactive federated backdoor detection method that leverages collision-based watermarks and multi-backdoor effects to improve detection accuracy and mitigate out-of-distribution bias.

Contribution

The paper introduces Coward, a novel proactive detection technique using collision-based watermarks and multi-backdoor effects to enhance federated backdoor detection.

Findings

Coward achieves state-of-the-art detection performance on benchmark datasets.

It effectively reduces the impact of out-of-distribution bias.

The method introduces minimal disruption to the federated learning process.

Abstract

Backdoor detection is currently the mainstream defense against backdoor attacks in federated learning (FL), where a small number of malicious clients can upload poisoned updates to compromise the federated global model. Existing backdoor detection techniques fall into two categories, passive and proactive, depending on whether the server proactively intervenes in the training process. However, both of them have practical limitations: passive detection methods are disrupted by common non-i.i.d. data distributions and random participation of FL clients, whereas current proactive detection methods are misled by an inevitable out-of-distribution (OOD) bias because they rely on backdoor coexistence effects. To address these issues, we introduce a novel proactive detection method dubbed Coward, inspired by our discovery of multi-backdoor collision effects, in which consecutively planted, distinct backdoors significantly suppress earlier ones. Correspondingly, we modify the federated global model by injecting a carefully designed backdoor-collided watermark, implemented via regulated dual-mapping learning on OOD data. This design not only enables an inverted detection paradigm compared to existing proactive methods, thereby naturally counteracting the adverse impact of OOD prediction bias, but also introduces a low-disruptive training intervention that inherently limits the strength of OOD bias, leading to significantly fewer misjudgments. Extensive experiments on benchmark datasets show that Coward achieves state-of-the-art performance and effectively alleviates OOD bias.