FedSurrogate: Backdoor Defense in Federated Learning via Layer Criticality and Surrogate Replacement

TL;DR

FedSurrogate is a novel federated learning defense that reduces false positives and neutralizes backdoor attacks by combining gradient filtering, layer-criticality analysis, and surrogate replacement.

Contribution

It introduces a new backdoor defense method that effectively balances attack mitigation with low false-positive rates in non-IID federated learning scenarios.

Findings

Maintains false-positive rates below 10% across datasets and attacks.

Achieves attack success rates below 2.1% in non-IID settings.

Outperforms baseline methods in accuracy and security metrics.

Abstract

Federated Learning remains highly susceptible to backdoor attacks--malicious clients inject targeted behaviours into the global model. Existing defenses suffer from substantial false-positive rates under realistic non-independent and identically distributed (non-IID) data, incorrectly flagging benign clients and degrading model accuracy even when adversaries are correctly identified. We present FedSurrogate, a novel backdoor defense that addresses this limitation by combining bidirectional gradient alignment filtering with layer-adaptive anomaly detection. FedSurrogate performs selective clustering on security-critical layers identified via directional divergence analysis, concentrating the detection signal on a low-dimensional subspace. A bidirectional soft-filtering stage screens trusted clients for residual contamination while rescuing false positives from suspects, substantially reducing misclassifications under heterogeneous conditions. Rather than removing confirmed malicious updates, FedSurrogate replaces them with downscaled surrogate updates from structurally similar benign clients, preserving gradient diversity while neutralising adversarial influence. Extensive evaluations demonstrate that FedSurrogate maintains false-positive rates below 10% across all datasets and attack types, compared to 31-32% for the nearest comparably effective baseline, while achieving superior main-task accuracy and maintaining attack success rates below 2.1% across all tested datasets and attack types under challenging non-IID settings.