FAROS: Robust Federated Learning with Adaptive Scaling against Backdoor Attacks

TL;DR

FAROS enhances federated learning robustness against backdoor attacks by dynamically adjusting defense sensitivity and using a core-set approach to mitigate single-point failure risks, showing superior performance in diverse scenarios.

Contribution

Introduces FAROS, a novel federated learning framework with adaptive scaling and core-set computing to improve defense against backdoor attacks.

Findings

Outperforms existing defenses in attack success rate

Maintains higher main task accuracy

Effective across various datasets and attack types

Abstract

Federated Learning (FL) enables multiple clients to collaboratively train a shared model without exposing local data. However, backdoor attacks pose a significant threat to FL. These attacks aim to implant a stealthy trigger into the global model, causing it to mislead on inputs that possess a specific trigger while functioning normally on benign data. Although pre-aggregation detection is a main defense direction, existing state-of-the-art defenses often rely on fixed defense parameters. This reliance makes them vulnerable to single-point-of-failure risks, rendering them less effective against sophisticated attackers. To address these limitations, we propose FAROS, an enhanced FL framework that incorporates Adaptive Differential Scaling (ADS) and Robust Core-set Computing (RCC). The ADS mechanism adjusts the defense's sensitivity dynamically, based on the dispersion of uploaded gradients by clients in each round. This allows it to counter attackers who strategically shift between stealthiness and effectiveness. Furthermore, the RCC effectively mitigates the risk of single-point failure by computing the centroid of a core set comprising clients with the highest confidence. We conducted extensive experiments across various datasets, models, and attack scenarios. The results demonstrate that our method outperforms current defenses in both attack success rate and main task accuracy.