Buffer is All You Need: Defending Federated Learning against Backdoor Attacks under Non-iids via Buffering
Xingyu Lyu, Ning Wang, Yang Xiao, Shixiong Li, Tao Li, Danjue Chen, Yimin Chen
TL;DR
This paper tackles backdoor defenses in federated learning under challenging non-iid data distributions by introducing FLBuff, a buffering-based approach that leverages supervised contrastive learning on penultimate-layer representations to separate benign and malicious updates. By modeling non-iid effects as omni-directional expansions and backdoors as uni-directional displacements in representation space, FLBuff creates a large buffer between benign and malicious clusters and uses MMD-driven trust scores to weight updates during aggregation. The authors provide a comprehensive evaluation across MNIST, FMNIST, CIFAR-10, and IMDB, showing FLBuff consistently reduces the attack success rate (ASR) to near 0-1% while preserving clean accuracy, outperforming five baselines and remaining robust against unseen and adaptive attacks under five non-iid settings. The work also offers a practical benchmark framework for evaluating backdoor defenses under comprehensive non-iid conditions and contributes insights into the fundamental distinction between non-iid shifts and backdoor perturbations in representation space.
Abstract
Federated Learning (FL) is a popular paradigm enabling clients to jointly train a global model without sharing raw data. However, FL is known to be vulnerable to backdoor attacks due to its distributed nature. As participants, attackers can upload model updates that effectively compromise FL. What's worse, existing defenses are mostly designed under independent-and-identically-distributed (iid) settings, hence neglecting the fundamental non-iid characteristic of FL. Here we propose FLBuff for tackling backdoor attacks even under non-iids. The main challenge for such defenses is that non-iids bring benign and malicious updates closer, making them harder to separate. FLBuff is inspired by our insight that non-iids can be modeled as omni-directional expansion in representation space while backdoor attacks can be modeled as uni-directional. This leads to the key design of FLBuff, i.e., a supervised-contrastive-learning model extracting penultimate-layer representations to create a large in-between buffer layer. Comprehensive evaluations demonstrate that FLBuff consistently outperforms state-of-the-art defenses.
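The sketch below is an added illustration of MMD-driven trust weighting, not the authors' FLBuff code. It assumes an RBF-kernel MMD against a benign reference set and a trust mapping exp(-MMD^2 / tau); the 2-D points are constructed stand-ins for penultimate-layer representations, and every function name and parameter is hypothetical.

```python
import math
import random

def rbf(x, y, gamma=0.5):
    """RBF kernel between two representation vectors."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))

def mmd2(xs, ys, gamma=0.5):
    """Biased estimate of squared MMD between two samples (always >= 0)."""
    def mean_k(a, b):
        return sum(rbf(p, q, gamma) for p in a for q in b) / (len(a) * len(b))
    return mean_k(xs, xs) + mean_k(ys, ys) - 2 * mean_k(xs, ys)

def trust_scores(client_reps, reference, tau=0.2):
    """Assumed mapping: trust = exp(-MMD^2 / tau), normalised to sum to 1."""
    raw = [math.exp(-mmd2(reps, reference) / tau) for reps in client_reps]
    total = sum(raw)
    return [r / total for r in raw]

def aggregate(updates, weights):
    """Trust-weighted average of the clients' model updates."""
    return [sum(w * u[i] for u, w in zip(updates, weights))
            for i in range(len(updates[0]))]

def sample(rng, n, centre, spread):
    """Constructed representations: isotropic Gaussian around `centre`."""
    return [[rng.gauss(c, spread) for c in centre] for _ in range(n)]

def demo(seed=7):
    rng = random.Random(seed)
    reference = sample(rng, 40, [0.0, 0.0], 0.5)  # benign reference set
    reps = [
        sample(rng, 40, [0.0, 0.0], 0.5),  # benign, iid-like
        sample(rng, 40, [0.0, 0.0], 0.9),  # benign non-iid: wider in all directions
        sample(rng, 40, [3.0, 0.0], 0.5),  # backdoored: displaced along one direction
    ]
    # Constructed updates; an unweighted mean would be about [-0.93, 3.6].
    updates = [[1.0, 1.0], [1.2, 0.8], [-5.0, 9.0]]
    weights = trust_scores(reps, reference)
    return weights, aggregate(updates, weights)

if __name__ == "__main__":
    w, agg = demo()
    print("trust:", [round(x, 4) for x in w])
    print("aggregate:", [round(x, 3) for x in agg])
```

In this constructed setting the omni-directional spread of the non-iid client costs it some trust but keeps it in the aggregate, while the uni-directional displacement drives the third client's weight to nearly zero.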
