Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Securing Federated Learning against Backdoor Threats with Foundation Model Integration

Xiaohuan Bi, Xi Li

TL;DR

The paper tackles the threat of backdoors in federated learning when foundation models are integrated, focusing on a novel server-side attack that poisons FM-generated synthetic data. It introduces a data-free defense that constrains internal activations of the post-fusion global model by optimizing activation upper bounds with synthetic data, without altering the underlying model parameters during training. The approach demonstrates strong defense performance against both novel FM-driven backdoors and traditional client-side backdoors, preserving accuracy on clean data while substantially reducing backdoor success rates. This method enables practical, secure FM-FL deployments by removing dependency on access to clean data and remaining effective across diverse FL settings and data distributions.

Abstract

Federated Learning (FL) enables decentralized model training while preserving privacy. Recently, the integration of Foundation Models (FMs) into FL has enhanced performance but introduced a novel backdoor attack mechanism. Attackers can exploit FM vulnerabilities to embed backdoors into synthetic data generated by FMs. During global model fusion, these backdoors are transferred to the global model through compromised synthetic data, subsequently infecting all client models. Existing FL backdoor defenses are ineffective against this novel attack due to its fundamentally different mechanism compared to classic ones. In this work, we propose a novel data-free defense strategy that addresses both classic and novel backdoor attacks in FL. The shared attack pattern lies in the abnormal activations within the hidden feature space during model aggregation. Hence, we propose to constrain internal activations to remain within reasonable ranges, effectively mitigating attacks while preserving model functionality. The activation constraints are optimized using synthetic data alongside FL training. Extensive experiments demonstrate its effectiveness against both novel and classic backdoor attacks, outperforming existing defenses.

Securing Federated Learning against Backdoor Threats with Foundation Model Integration

TL;DR

The paper tackles the threat of backdoors in federated learning when foundation models are integrated, focusing on a novel server-side attack that poisons FM-generated synthetic data. It introduces a data-free defense that constrains internal activations of the post-fusion global model by optimizing activation upper bounds with synthetic data, without altering the underlying model parameters during training. The approach demonstrates strong defense performance against both novel FM-driven backdoors and traditional client-side backdoors, preserving accuracy on clean data while substantially reducing backdoor success rates. This method enables practical, secure FM-FL deployments by removing dependency on access to clean data and remaining effective across diverse FL settings and data distributions.

Abstract

Federated Learning (FL) enables decentralized model training while preserving privacy. Recently, the integration of Foundation Models (FMs) into FL has enhanced performance but introduced a novel backdoor attack mechanism. Attackers can exploit FM vulnerabilities to embed backdoors into synthetic data generated by FMs. During global model fusion, these backdoors are transferred to the global model through compromised synthetic data, subsequently infecting all client models. Existing FL backdoor defenses are ineffective against this novel attack due to its fundamentally different mechanism compared to classic ones. In this work, we propose a novel data-free defense strategy that addresses both classic and novel backdoor attacks in FL. The shared attack pattern lies in the abnormal activations within the hidden feature space during model aggregation. Hence, we propose to constrain internal activations to remain within reasonable ranges, effectively mitigating attacks while preserving model functionality. The activation constraints are optimized using synthetic data alongside FL training. Extensive experiments demonstrate its effectiveness against both novel and classic backdoor attacks, outperforming existing defenses.

Paper Structure

This paper contains 12 sections, 2 equations, 1 figure, 3 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Backdoor Attacks in FL
  4. FL Backdoor Defenses
  5. Methodology
  6. Overview
  7. Threat Model and Assumptions on Defender
  8. Server-side Backdoor Mitigation
  9. Experiment
  10. Experimental Setup
  11. Experimental Results
  12. Conclusion

Figures (1)

  • Figure 1: Our defense strategy for the FM-FL framework.