MARS: A Malignity-Aware Backdoor Defense in Federated Learning
Wei Wan 1, Yuxuan Ning 2, Zhicong Huang 3, Cheng Hong 3, Shengshan Hu 4, Ziqi Zhou 4, Yechao Zhang 5, Tianqing Zhu 1, Wanlei Zhou 1, Leo Yu Zhang 6
2 Australian National University
4 Huazhong University of Science and Technology
Published on arXiv: 2509.20383
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
MARS successfully defends against SOTA adaptive FL backdoor attacks (3DFed, DarkFed, CerP) that bypass all existing defenses, significantly outperforming prior methods.
Novel technique introduced
MARS (Malignity-Aware Backdoor Defense)
Federated Learning (FL) is a distributed paradigm aimed at protecting participant data privacy by exchanging model parameters to achieve high-quality model training. However, this distributed nature also makes FL highly vulnerable to backdoor attacks. Notably, the recently proposed state-of-the-art (SOTA) attack, 3DFed (SP2023), uses an indicator mechanism to determine whether the backdoor models have been accepted by the defender and adaptively optimizes backdoor models, rendering existing defenses ineffective. In this paper, we first reveal that the failure of existing defenses lies in the employment of empirical statistical measures that are loosely coupled with backdoor attacks. Motivated by this, we propose a Malignity-Aware backdooR defenSe (MARS) that leverages backdoor energy (BE) to indicate the malicious extent of each neuron. To amplify malignity, we further extract the most prominent BE values from each model to form a concentrated backdoor energy (CBE). Finally, a novel Wasserstein distance-based clustering method is introduced to effectively identify backdoor models. Extensive experiments demonstrate that MARS can defend against SOTA backdoor attacks and significantly outperforms existing defenses.
Key Contributions
- Introduces backdoor energy (BE) as a neuron-level malignancy indicator that is tightly coupled to backdoor intent, overcoming limitations of empirical statistical measures used by prior defenses.
- Proposes concentrated backdoor energy (CBE) by extracting the most prominent BE values per model to amplify malicious signals for detection.
- Introduces a Wasserstein distance-based clustering algorithm on CBE distributions to robustly identify backdoor models, avoiding order-sensitivity issues of Euclidean/cosine methods.
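The order-sensitivity point in the last contribution, as an added example that is not code from the paper: the CBE vectors are constructed sample values (this page does not give the BE computation), and `make_cbe`, `order_sensitivity` and `flag_minority` are hypothetical helpers. The two-way split is a simple stand-in rather than the MARS clustering algorithm, and it assumes backdoored models carry larger CBE values and form the minority.

```python
import math

def wasserstein_1d(a, b):
    """W1 between two equal-size 1-D samples: mean gap between sorted values."""
    if len(a) != len(b):
        raise ValueError("samples must have the same size")
    return sum(abs(x - y) for x, y in zip(sorted(a), sorted(b))) / len(a)

def euclidean(a, b):
    """Position-wise distance: depends on the order of the entries."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def make_cbe(base, client, k=6):
    """Constructed sample data: k values near `base`, in a client-specific order."""
    return [round(base + 0.01 * ((client * 3 + j * 7) % 10), 2) for j in range(k)]

def order_sensitivity(vec):
    """Distance between a CBE vector and a reordering of itself: (W1, Euclidean)."""
    reordered = sorted(vec)
    return wasserstein_1d(vec, reordered), euclidean(vec, reordered)

def flag_minority(vectors, dist):
    """Stand-in 2-way split (not the paper's clustering): seed with the
    farthest pair, assign each model to the nearer seed, flag the smaller group."""
    n = len(vectors)
    d = [[dist(vectors[i], vectors[j]) for j in range(n)] for i in range(n)]
    s0, s1 = max(((i, j) for i in range(n) for j in range(i + 1, n)),
                 key=lambda p: d[p[0]][p[1]])
    g0 = [k for k in range(n) if d[k][s0] <= d[k][s1]]
    g1 = [k for k in range(n) if d[k][s0] > d[k][s1]]
    return min(g0, g1, key=len)

# Constructed round: clients 0-7 benign (low values), 8-9 backdoored (high values).
CLIENTS = [make_cbe(0.10, c) for c in range(8)] + [make_cbe(0.60, c) for c in (8, 9)]

if __name__ == "__main__":
    w, e = order_sensitivity(CLIENTS[0])
    print(f"same values, different order: W1={w:.3f}  Euclidean={e:.3f}")
    print("flagged clients:", flag_minority(CLIENTS, wasserstein_1d))
```

Because W1 compares sorted values, two models whose prominent BE values sit at different positions are still treated as the same distribution, whereas a position-wise metric reports a distance between them.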
🛡️ Threat Analysis
The paper's primary contribution is a defense against backdoor attacks in FL, where malicious clients submit trojanized model updates that activate hidden behavior only under specific trigger conditions. This is the canonical ML10 threat model.