Detecting Backdoor Attacks in Federated Learning via Direction Alignment Inspection
Jiahao Xu, Zikai Zhang, Rui Hu
TL;DR
This work addresses backdoor attacks in Federated Learning by introducing AlignIns, a defense that analyzes local update directions at multiple granularities. By combining Temporal Direction Alignment with Masked Principal Sign Alignment and applying Median-based Z-score filtering followed by post-filtering clipping, AlignIns robustly filters malicious updates while preserving benign information. The authors provide a κ-robustness guarantee with κ = O(1 + m/(n−2m)) under standard FL assumptions and derive a bounded propagation error across rounds, ensuring stability during training. Empirically, AlignIns outperforms state-of-the-art defenses across IID and non-IID data, larger datasets, trigger-optimization attacks, and adaptive/untargeted attacks, with strong performance on CIFAR-10/100 and Tiny-ImageNet and good generalization to MNIST, FMNIST, and Sentiment140. The approach offers practical robustness with modest computational overhead and broad applicability in FL systems facing stealthy backdoor threats.
Abstract
The distributed nature of training makes Federated Learning (FL) vulnerable to backdoor attacks, where malicious model updates aim to compromise the global model's performance on specific tasks. Existing defense methods show limited efficacy as they overlook the inconsistency between benign and malicious model updates regarding both general and fine-grained directions. To fill this gap, we introduce AlignIns, a novel defense method designed to safeguard FL systems against backdoor attacks. AlignIns looks into the direction of each model update through a direction alignment inspection process. Specifically, it examines the alignment of model updates with the overall update direction and analyzes the distribution of the signs of their significant parameters, comparing them with the principal sign across all model updates. Model updates that exhibit an unusual degree of alignment are considered malicious and are thus filtered out. We provide a theoretical analysis of the robustness of AlignIns and its propagation error in FL. Our empirical results on both independent and identically distributed (IID) and non-IID datasets demonstrate that AlignIns achieves higher robustness compared to the state-of-the-art defense methods. The code is available at https://github.com/JiiahaoXU/AlignIns.
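The following sketch is an added illustration of the inspection pipeline summarized above (direction alignment, masked sign alignment, median-based Z-score filtering, then clipping); it is not the authors' code from the linked repository. The function names, the reference direction, the top-k fraction `top_frac`, the threshold `lam`, the exact Z-score form and the sample updates are all assumptions made for the example.

```python
import math
from statistics import median, pstdev

def norm(u):
    return math.sqrt(sum(x * x for x in u))

def cosine(u, v):
    nu, nv = norm(u), norm(v)
    return sum(a * b for a, b in zip(u, v)) / (nu * nv) if nu and nv else 0.0

def principal_sign(updates):
    # Coordinate-wise majority sign across all local updates.
    return [1 if sum((x > 0) - (x < 0) for x in col) >= 0 else -1
            for col in zip(*updates)]

def sign_alignment(u, psign, top_frac):
    # Share of the top-k largest-magnitude parameters that agree with the principal sign.
    k = max(1, int(len(u) * top_frac))
    top = sorted(range(len(u)), key=lambda i: abs(u[i]), reverse=True)[:k]
    return sum(1 for i in top if u[i] * psign[i] > 0) / k

def mz_scores(vals):
    # Assumed form: deviation from the median, scaled by the standard deviation.
    med, sd = median(vals), pstdev(vals)
    return [0.0 if sd == 0 else (v - med) / sd for v in vals]

def inspect_and_aggregate(updates, reference, top_frac=0.5, lam=1.0):
    tda = mz_scores([cosine(u, reference) for u in updates])
    ps = principal_sign(updates)
    sa = mz_scores([sign_alignment(u, ps, top_frac) for u in updates])
    # Keep only updates whose alignment is unremarkable on both metrics.
    keep = [i for i in range(len(updates)) if abs(tda[i]) <= lam and abs(sa[i]) <= lam]
    if not keep:
        return keep, None
    c = median(norm(updates[i]) for i in keep)  # clipping bound: median surviving norm
    clipped = [[x * min(1.0, c / (norm(updates[i]) or 1.0)) for x in updates[i]]
               for i in keep]
    return keep, [sum(col) / len(clipped) for col in zip(*clipped)]

# Constructed data: five benign updates; index 5 flips two large coordinates.
UPDATES = [
    [1.0, 0.9, 1.1, 1.0, 0.2, -0.1],
    [0.9, 1.0, 1.0, 1.1, -0.1, 0.2],
    [1.1, 1.0, 0.9, 1.0, 0.1, 0.1],
    [1.0, 1.1, 1.0, 0.9, -0.2, 0.1],
    [1.0, 1.0, 1.0, 1.0, 0.1, -0.2],
    [1.0, 1.0, -3.0, -3.0, 0.1, 0.1],
]
REFERENCE = [1, 1, 1, 1, 0, 0]  # assumed stand-in for the overall update direction
KEPT, AGG = inspect_and_aggregate(UPDATES, REFERENCE)
```

On this data a plain average would pull the third coordinate down to about 0.33, while the filtered and clipped aggregate stays near 1.0.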
