Client-Side Patching against Backdoor Attacks in Federated Learning

Borja Molina-Coronado

TL;DR

This paper tackles the problem of backdoor attacks in federated learning by proposing a client-side defense that combines continuous adversarial learning to identify potential backdoor triggers with a patching mechanism to neutralize them. The approach includes an iterative process to discover candidate source-target class pairs, optimize localized triggers $\delta_{s\to t}$, and apply a patching dataset to fine-tune the global model, all while keeping attacker knowledge private. Empirical results on MNIST and Fashion-MNIST show substantial reductions in backdoor accuracy (BA) to near-zero levels across both i.i.d. and non-i.i.d. data distributions, with clean accuracy (MTA) remaining competitive or superior to state-of-the-art defenses. The work demonstrates a practical, lightweight defense that operates at the client side, offering robustness against multiple backdoor strategies and enhancing the security of FL deployments without requiring server-side data access.

Abstract

Federated learning is a versatile framework for training models in decentralized environments. However, the trust placed in clients makes federated learning vulnerable to backdoor attacks launched by malicious participants. While many defenses have been proposed, they often fall short when facing heterogeneous data distributions among participating clients. In this paper, we propose a novel defense mechanism for federated learning systems designed to mitigate backdoor attacks on the client side. Our approach leverages adversarial learning techniques and model patching to neutralize the impact of backdoor attacks. Through extensive experiments on the MNIST and Fashion-MNIST datasets, we demonstrate that our defense effectively reduces backdoor accuracy, outperforming existing state-of-the-art defenses, such as LFighter, FLAME, and RoseAgg, in i.i.d. and non-i.i.d. scenarios, while maintaining competitive or superior accuracy on clean data.

Paper Structure

This paper contains 17 sections, 13 equations, 5 tables.