Runtime Backdoor Detection for Federated Learning via Representational Dissimilarity Analysis

Xiyue Zhang, Xiaoyong Xue, Xiaoning Du, Xiaofei Xie, Yang Liu, Meng Sun

TL;DR

The paper tackles the vulnerability of federated learning to backdoor attacks by introducing a runtime defense that does not rely on inspecting large model parameters. It builds per-client representations as Representational Dissimilarity Matrices from outputs on sampled inputs, then uses Pearson distance to quantify cross-client dissimilarity, followed by an iterative Local Outlier Factor-based procedure to identify and remove malicious clients. The approach achieves high detection accuracy across varied attack configurations and preserves global model performance while delivering low runtime overhead, outperforming state-of-the-art baselines such as Spectral, BaFFLe, IRLS, and RLR. This methodology offers a scalable, distribution-agnostic defense suitable for complex architectures and large-scale FL deployments, with significant implications for real-time robustness in privacy-preserving machine learning systems.

Abstract

Federated learning (FL), as a powerful learning paradigm, trains a shared model by aggregating model updates from distributed clients. However, the decoupling of model learning from local data makes FL highly vulnerable to backdoor attacks, where a single compromised client can poison the shared model. While recent progress has been made in backdoor detection, existing methods face challenges with detection accuracy and runtime effectiveness, particularly when dealing with complex model architectures. In this work, we propose a novel approach to detecting malicious clients in an accurate, stable, and efficient manner. Our method utilizes a sampling-based network representation method to quantify dissimilarities between clients, identifying model deviations caused by backdoor injections. We also propose an iterative algorithm to progressively detect and exclude malicious clients as outliers based on these dissimilarity measurements. Evaluations across a range of benchmark tasks demonstrate that our approach outperforms state-of-the-art methods in detection accuracy and defense effectiveness. When deployed for runtime protection, our approach effectively eliminates backdoor injections with marginal overheads.
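The pipeline summarized above (per-client RDMs from outputs on sampled inputs, Pearson distance between clients, iterative LOF-based exclusion), sketched as an added example; it is not the paper's code. Assumptions: all function names are hypothetical, the clients are constructed toy linear models, and the stopping rule, `k` and `threshold` are choices made for this constructed data, since the paper's algorithm details are not reproduced on this page.

```python
import math, random

def pearson_dist(u, v):
    """Pearson distance 1 - r between two equal-length vectors."""
    mu, mv = sum(u) / len(u), sum(v) / len(v)
    cov = sum((a - mu) * (b - mv) for a, b in zip(u, v))
    su = math.sqrt(sum((a - mu) ** 2 for a in u))
    sv = math.sqrt(sum((b - mv) ** 2 for b in v))
    return 1.0 - cov / (su * sv)

def rdm(outputs):
    """Upper triangle of the RDM: output dissimilarity for every pair of probes."""
    m = len(outputs)
    return [pearson_dist(outputs[a], outputs[b]) for a in range(m) for b in range(a + 1, m)]

def lof_scores(D, ids, k):
    """Local Outlier Factor per client in ids, from pairwise distance matrix D."""
    nbrs = {i: sorted((j for j in ids if j != i), key=lambda j: D[i][j])[:k] for i in ids}
    kdist = {i: D[i][nbrs[i][-1]] for i in ids}
    lrd = {i: k / sum(max(kdist[o], D[i][o]) for o in nbrs[i]) for i in ids}
    return {i: sum(lrd[o] for o in nbrs[i]) / (k * lrd[i]) for i in ids}

def detect(client_outputs, k=4, threshold=5.0):
    """Assumed loop: drop the highest-LOF client until none exceeds threshold."""
    rdms = [rdm(o) for o in client_outputs]
    D = [[0.0 if i == j else pearson_dist(a, b) for j, b in enumerate(rdms)]
         for i, a in enumerate(rdms)]
    remaining, flagged = list(range(len(rdms))), []
    while len(remaining) > k + 1:
        scores = lof_scores(D, remaining, k)
        worst = max(scores, key=scores.get)
        if scores[worst] <= threshold:
            break
        flagged.append(worst)
        remaining.remove(worst)
    return sorted(flagged)

def constructed_clients(n=10, malicious=(3, 7), seed=0):
    """Constructed data: toy linear models; malicious ones get a shifted class-0 row."""
    rng = random.Random(seed)
    probes = [[rng.gauss(0, 1) for _ in range(6)] for _ in range(12)]
    base = [[rng.gauss(0, 1) for _ in range(6)] for _ in range(5)]
    clients = []
    for c in range(n):
        W = [[w + rng.gauss(0, 0.01) for w in row] for row in base]
        if c in malicious:
            W[0] = [w + 3.0 for w in W[0]]
        clients.append([[sum(w * x for w, x in zip(row, p)) for row in W] for p in probes])
    return clients
```

The server only needs each client's outputs on the shared probe set, so the cost scales with the number of probes and clients rather than with model size.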

Paper Structure

This paper contains 32 sections, 6 theorems, 10 equations, 10 figures, 7 tables, 2 algorithms.

Key Result

Lemma 1

For any two benign clients $c_{i_1}$, $c_{i_2}$ in a dense neighborhood, i.e., $c_{i_1} \in N_{k}(c_{i_2})$, $c_{i_2} \in N_{k}(c_{i_1})$, and $\max\{k\text{-}dist(c_j)|c_j \in N_k(c_{i_1}) \cup N_{k}(c_{i_2})\} - \min\{k\text{-}dist(c_j)|c_j \in N_k(c_{i_1}) \cup N_{k}(c_{i_2})\} \le \epsilon$, we

Figures (10)

  • Figure 1: An overview of our approach.
  • Figure 2: The model representation in the form of RDM.
  • Figure 3: Comparison results with BaFFLe for IID data.
  • Figure 4: Comparison results with BaFFLe for Non-IID data.
  • Figure 5: Defense results in terms of attack success rate on the benchmark datasets (IID).
  • ...and 5 more figures

Theorems & Definitions (10)

  • Definition 1: $k$-distance
  • Definition 2: $k$-distance neighborhood
  • Definition 3: local reachability density
  • Lemma 1
  • Lemma 2
  • Definition 4: local outlier factor
  • Theorem 1
  • Theorem 2
  • Lemma 3
  • Theorem 3