ML Security PapersOn the Out-of-Distribution Backdoor Attack for Federated Learning
Jiahao Xu , Zikai Zhang , Rui Hu
Published on arXiv
2509.13219
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
OBA with SoDa successfully circumvents state-of-the-art FL backdoor defenses while preserving high main task accuracy; BNGuard effectively neutralizes SoDa-based attacks by detecting BN-layer statistical anomalies
OBA / SoDa / BNGuard
Novel technique introduced
Traditional backdoor attacks in federated learning (FL) operate within constrained attack scenarios, as they depend on visible triggers and require physical modifications to the target object, which limits their practicality. To address this limitation, we introduce a novel backdoor attack prototype for FL called the out-of-distribution (OOD) backdoor attack ($\mathtt{OBA}$), which uses OOD data as both poisoned samples and triggers simultaneously. Our approach significantly broadens the scope of backdoor attack scenarios in FL. To improve the stealthiness of $\mathtt{OBA}$, we propose $\mathtt{SoDa}$, which regularizes both the magnitude and direction of malicious local models during local training, aligning them closely with their benign versions to evade detection. Empirical results demonstrate that $\mathtt{OBA}$ effectively circumvents state-of-the-art defenses while maintaining high accuracy on the main task. To address this security vulnerability in the FL system, we introduce $\mathtt{BNGuard}$, a new server-side defense method tailored against $\mathtt{SoDa}$. $\mathtt{BNGuard}$ leverages the observation that OOD data causes significant deviations in the running statistics of batch normalization layers. This allows $\mathtt{BNGuard}$ to identify malicious model updates and exclude them from aggregation, thereby enhancing the backdoor robustness of FL. Extensive experiments across various settings show the effectiveness of $\mathtt{BNGuard}$ on defending against $\mathtt{SoDa}$. The code is available at https://github.com/JiiahaoXU/SoDa-BNGuard.
Key Contributions
- OBA: novel FL backdoor attack using OOD data simultaneously as poisoned samples and triggers, removing the need for visible or physical trigger modifications
- SoDa: stealthiness regularization that constrains both magnitude and direction of malicious local updates to closely mimic benign models and evade existing defenses
- BNGuard: server-side defense that exploits OOD-induced deviations in batch normalization running statistics to identify and exclude malicious model updates from aggregation
🛡️ Threat Analysis
OBA uses OOD data as trigger-based backdoor samples in federated learning; SoDa improves stealthiness by aligning malicious model updates with benign ones; BNGuard is a defense specifically designed to detect this trigger-activated targeted behavior — all hallmarks of ML10 backdoor/trojan attacks.