Defending the Edge: Representative-Attention Defense against Backdoor Attacks in Federated Learning
Chibueze Peace Obioma, Youcheng Sun, Mustafa A. Mustafa
TL;DR
Backdoor attacks in federated learning enable persistent, trigger-based misclassifications without sacrificing clean accuracy. FeRA introduces an attention-inspired defense that shifts from anomaly-based to consistency-based detection, leveraging representation-space variance suppression and coordination signals across six metrics. The framework employs two complementary detectors—consistency analysis and norm-inflation detection—and an adaptive aggregation scheme to bound malicious influence. Empirical results across multiple datasets, architectures, and attack types show FeRA delivering about $1.67\%$ average Backdoor Accuracy with high clean accuracy, and robust performance under non-IID settings and adaptive threat models, highlighting its practical potential for secure FL deployments.
Abstract
Federated learning (FL) remains highly vulnerable to adaptive backdoor attacks that preserve stealth by closely imitating benign update statistics. Existing defenses predominantly rely on anomaly detection in parameter or gradient space, overlooking behavioral constraints that backdoor attacks must satisfy to ensure reliable trigger activation. These anomaly-centric methods fail against adaptive attacks that normalize update magnitudes and mimic benign statistical patterns while preserving backdoor functionality, creating a fundamental detection gap. To address this limitation, this paper introduces FeRA (Federated Representative Attention) -- a novel attention-driven defense that shifts the detection paradigm from anomaly-centric to consistency-centric analysis. FeRA exploits the intrinsic need for backdoor persistence across training rounds, identifying malicious clients through suppressed representation-space variance, an orthogonal property to traditional magnitude-based statistics. The framework conducts multi-dimensional behavioral analysis combining spectral and spatial attention, directional alignment, mutual similarity, and norm inflation across two complementary detection mechanisms: consistency analysis and norm-inflation detection. Through this mechanism, FeRA isolates malicious clients that exhibit low-variance consistency or magnitude amplification. Extensive evaluation across six datasets, nine attacks, and three model architectures under both Independent and Identically Distributed (IID) and non-IID settings confirm FeRA achieves superior backdoor mitigation. Under different non-IID settings, FeRA achieved the lowest average Backdoor Accuracy (BA), about 1.67% while maintaining high clean accuracy compared to other state-of-the-art defenses. The code is available at https://github.com/Peatech/FeRA_defense.git.
