SABRE-FL: Selective and Accurate Backdoor Rejection for Federated Prompt Learning

TL;DR

This paper exposes a vulnerability of Federated Prompt Learning to trigger-based backdoors, where a subset of malicious clients can inject learnable, imperceptible triggers that bias the global prompt space toward a target class while preserving clean accuracy. It then proposes SABRE-FL, a lightweight server-side defense that trains an embedding-space detector on an out-of-distribution dataset to distinguish clean from poisoned embeddings and filters malicious updates via a rank-based client selection strategy. Across five datasets and multiple baselines, SABRE-FL substantially reduces backdoor accuracy with minimal or no loss in clean accuracy, and demonstrates robustness to dataset variety, prompt-shot counts, and larger client settings. The approach is privacy-conscious, operating only on embeddings from a frozen CLIP backbone, and generalizes across domains, making it a practical defense for future federated multimodal learning deployments.

Abstract

Federated Prompt Learning has emerged as a communication-efficient and privacy-preserving paradigm for adapting large vision-language models like CLIP across decentralized clients. However, the security implications of this setup remain underexplored. In this work, we present the first study of backdoor attacks in Federated Prompt Learning. We show that when malicious clients inject visually imperceptible, learnable noise triggers into input images, the global prompt learner becomes vulnerable to targeted misclassification while still maintaining high accuracy on clean inputs. Motivated by this vulnerability, we propose SABRE-FL, a lightweight, modular defense that filters poisoned prompt updates using an embedding-space anomaly detector trained offline on out-of-distribution data. SABRE-FL requires no access to raw client data or labels and generalizes across diverse datasets. We show, both theoretically and empirically, that malicious clients can be reliably identified and filtered using an embedding-based detector. Across five diverse datasets and four baseline defenses, SABRE-FL outperforms all baselines by significantly reducing backdoor accuracy while preserving clean accuracy, demonstrating strong empirical performance and underscoring the need for robust prompt learning in future federated systems.

Figures (10)

• Figure 1: Backdoor attack on prompt-learning-based multimodal models. A learnable and imperceptible noise trigger is added to the image that results in a poisoned image embedding, which is then used to generate the learnable prompts. This addition of noise causes the image features to deviate from their respective text features in the embedding space, thereby causing misclassification.
• Figure 2: An overview of the attack in an FL setting. A malicious client embeds a learnable noise trigger into images. The context generator helps optimize the prompts according to the image features.
• Figure 3: Accuracy during attack.
• Figure 4: t-SNE visualization on Caltech embeddings. Clean and backdoored samples are clearly separable in the CLIP embedding space.
• Figure 5: Varying number of shots for DTD