
BoBa: Boosting Backdoor Detection through Data Distribution Inference in Federated Learning

Ning Wang, Shanghao Shi, Yang Xiao, Yimin Chen, Y. Thomas Hou, Wenjing Lou

TL;DR

This work addresses the difficulty of detecting backdoor attacks in federated learning under non-IID data by introducing BoBa, a distribution-aware defense that first infers client data distributions from gradients (DDIG) and then performs overlapping clustering to enable robust, vote-based trust estimation. The method attaches to standard IID detectors, enabling improved performance against stealthy backdoors while preserving main-task accuracy, and it demonstrates dramatic reductions in attack success rate (ASR) across multiple datasets and attack strategies. Key innovations include DDIG for distribution inference, an NP-hard clustering formulation solved via an efficient greedy algorithm, and a fairness-oriented trust aggregation mechanism with accumulation and median-based mitigation. The results show BoBa substantially lowers ASR (often below 0.001) and improves resilience to adaptive attacks, highlighting its practical potential for secure federated learning under non-IID conditions.

Abstract

Federated learning, while being a promising approach for collaborative model training, is susceptible to poisoning attacks due to its decentralized nature. Backdoor attacks, in particular, have shown remarkable stealthiness, as they selectively compromise predictions for inputs containing triggers. Previous endeavors to detect and mitigate such attacks are based on the Independent and Identically Distributed (IID) data assumption where benign model updates exhibit high-level similarity in multiple feature spaces due to IID data. Thus, outliers are detected as backdoor attacks. Nevertheless, non-IID data presents substantial challenges in backdoor attack detection, as the data variety introduces variance among benign models, making outlier detection-based mechanisms less effective. We propose a novel distribution-aware anomaly detection mechanism, BoBa, to address this problem. In order to differentiate outliers arising from data variety versus backdoor attack, we propose to break down the problem into two steps: clustering clients utilizing their data distribution followed by a voting-based detection. Based on the intuition that clustering and subsequent backdoor detection can drastically benefit from knowing client data distributions, we propose a novel data distribution inference mechanism. To improve detection robustness, we introduce an overlapping clustering method, where each client is associated with multiple clusters, ensuring that the trustworthiness of a model update is assessed collectively by multiple clusters rather than a single cluster. Through extensive evaluations, we demonstrate that BoBa can reduce the attack success rate to lower than 0.001 while maintaining high main task accuracy across various attack strategies and experimental settings.
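The cluster-then-vote idea from the abstract, as an added illustration that is not code from the paper or its authors. It assumes the class-sufficiency indicators have already been inferred, and it substitutes a Hamming-radius grouping and a median-distance vote for the paper's clustering and detectors; the clients, updates, and threshold `TAU` are constructed.

```python
# Simplified stand-in for illustration; not BoBa's DDIG or its greedy clustering.
from math import dist
from statistics import median

# Constructed clients: (class-sufficiency indicator, 2-D toy model update).
CLIENTS = [
    ([1, 1, 0, 0], (1.00, 0.00)),
    ([1, 0, 0, 0], (0.90, 0.10)),
    ([1, 1, 1, 0], (1.00, 0.10)),
    ([1, 1, 0, 0], (0.95, 0.05)),
    ([0, 0, 1, 1], (0.00, 1.00)),  # clients 4-6: benign, minority distribution
    ([0, 0, 0, 1], (0.10, 0.90)),
    ([0, 1, 1, 1], (0.05, 1.00)),
    ([1, 1, 0, 0], (1.00, 0.60)),  # client 7: backdoored update
]
TAU = 0.4  # assumed outlier threshold on distance to the median update


def outliers(members):
    """Members whose update is farther than TAU from the coordinate-wise median."""
    center = tuple(median(CLIENTS[j][1][d] for j in members) for d in range(2))
    return {j for j in members if dist(CLIENTS[j][1], center) > TAU}


def overlapping_clusters(radius=1):
    """One cluster per seed: every client within Hamming `radius` of its indicator."""
    def hamming(a, b):
        return sum(x != y for x, y in zip(a, b))
    return [[j for j, (ind, _) in enumerate(CLIENTS) if hamming(seed, ind) <= radius]
            for seed, _ in CLIENTS]


def trust_scores():
    """Fraction of a client's clusters in which it was not voted an outlier."""
    votes = {j: [] for j in range(len(CLIENTS))}
    for members in overlapping_clusters():
        bad = outliers(members)
        for j in members:
            votes[j].append(j not in bad)
    return {j: sum(v) / len(v) for j, v in votes.items()}


def flagged_global():
    """Baseline: one outlier test over all clients, ignoring data distribution."""
    return sorted(outliers(range(len(CLIENTS))))


def flagged_clustered(min_trust=0.5):
    """Clients whose trust, aggregated over all their clusters, is below min_trust."""
    return sorted(j for j, t in trust_scores().items() if t < min_trust)
```

On this constructed data the global test flags the benign minority clients and passes the backdoored one, while the per-cluster votes isolate client 7.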

Paper Structure

This paper contains 35 sections, 10 equations, 11 figures, 4 tables, 1 algorithm.

Figures (11)

  • Figure 1: Illustration of backdoor update recognition relying on outlier detection mechanism. (a) IID data scenario. In non-IID data scenario, use (b) solely outlier detection or (c) cluster based on data distribution and conduct in-cluster detection.
  • Figure 2: Abstract of clients' data distribution in FL systems. $\mathcal{A}_{ij}$ is an indicator of client $j$'s data sufficiency in class $i$: 1 for sufficient data and 0 for non-sufficient data.
  • Figure 3: FL system with backdoor attackers. Steps (1)(2)(3) depict the traditional FL framework, while the process inside the blue dashed frame is the design of BoBa to address backdoor attacks. Details of BoBa are shown in Figure 4.
  • Figure 4: BoBa workflow: data distribution inference, client clustering, feature extraction, and voting-based trust evaluation and aggregation.
  • Figure 5: The illustration of our clustering method.
  • ...and 6 more figures