defense 2026

FL-PBM: Pre-Training Backdoor Mitigation for Federated Learning

Osama Wehbi 1, Sarhad Arisdakessian 1, Omar Abdel Wahab 1, Azzam Mourad 2,3, Hadi Otrok 2, Jamal Bentahar 2,4

Published on arXiv: 2603.28673

Model Poisoning

OWASP ML Top 10 — ML10

Key Finding

Reduces attack success rates by up to 95% compared to FedAvg baseline and 30-80% compared to RDFL and LPSF defenses while maintaining over 90% clean model accuracy

FL-PBM

Novel technique introduced


Backdoor attacks pose a significant threat to the integrity and reliability of Artificial Intelligence (AI) models, enabling adversaries to manipulate model behavior by injecting poisoned data with hidden triggers. These attacks can lead to severe consequences, especially in critical applications such as autonomous driving, healthcare, and finance. Detecting and mitigating backdoor attacks is crucial across all phases of a model's lifecycle, including pre-training, in-training, and post-training. In this paper, we propose Pre-Training Backdoor Mitigation for Federated Learning (FL-PBM), a novel defense mechanism that proactively filters poisoned data on the client side before model training in a federated learning (FL) environment. The approach consists of three stages: (1) inserting a benign trigger into the data to establish a controlled baseline, (2) applying Principal Component Analysis (PCA) to extract discriminative features and assess the separability of the data, (3) performing Gaussian Mixture Model (GMM) clustering to identify potentially malicious data samples based on their distribution in the PCA-transformed space, and (4) applying a targeted blurring technique to disrupt potential backdoor triggers. Together, these steps ensure that suspicious data is detected early and sanitized effectively, thereby minimizing the influence of backdoor triggers on the global model. Experimental evaluations on image-based datasets demonstrate that FL-PBM reduces attack success rates by up to 95% compared to baseline federated learning (FedAvg) and by 30 to 80% relative to state-of-the-art defenses (RDFL and LPSF). At the same time, it maintains over 90% clean model accuracy in most experiments, achieving better mitigation without degrading model performance.
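A client-side sketch of steps (2) to (4) listed above, added here as an illustration; it is not the paper's code and it skips the benign-trigger step (1). Assumptions not taken from the page: the constructed 8x8 noise images and corner-patch trigger, two PCA components, treating the smaller GMM cluster as suspicious, and a 3x3 box blur standing in for the targeted blurring.

```python
import numpy as np

def make_data(n_clean=200, n_poison=20, side=8, seed=0):
    """Constructed data: noise images; the last n_poison get a bright 3x3 corner patch."""
    rng = np.random.default_rng(seed)
    x = rng.uniform(0.0, 0.4, size=(n_clean + n_poison, side, side))
    x[n_clean:, -3:, -3:] += 0.6  # hypothetical backdoor trigger
    return x, np.arange(n_clean, n_clean + n_poison)

def pca_project(x, k=2):
    """Project flattened, centred images onto the top-k principal components."""
    flat = x.reshape(len(x), -1)
    centred = flat - flat.mean(axis=0)
    _, _, vt = np.linalg.svd(centred, full_matrices=False)
    return centred @ vt[:k].T

def gmm_two_clusters(z, iters=50, floor=1e-6):
    """Fit a 2-component diagonal-covariance GMM with EM; return hard labels."""
    mid = (z[:, 0].min() + z[:, 0].max()) / 2  # simple init: split the PC1 range
    resp = np.stack([z[:, 0] <= mid, z[:, 0] > mid], axis=1).astype(float)
    for _ in range(iters):
        nk = resp.sum(axis=0) + 1e-12                       # M-step
        mu = (resp.T @ z) / nk[:, None]
        var = (resp.T @ z**2) / nk[:, None] - mu**2 + floor
        logp = np.log(nk / len(z)) - 0.5 * (                # E-step
            np.log(2 * np.pi * var).sum(axis=1)
            + ((z[:, None, :] - mu) ** 2 / var).sum(axis=2))
        resp = np.exp(logp - logp.max(axis=1, keepdims=True))
        resp /= resp.sum(axis=1, keepdims=True)
    return resp.argmax(axis=1)

def box_blur(img):
    """3x3 mean filter with edge padding, standing in for the blurring stage."""
    p = np.pad(img, 1, mode="edge")
    h, w = img.shape
    return sum(p[i:i + h, j:j + w] for i in range(3) for j in range(3)) / 9.0

def sanitize(x):
    """PCA, then GMM clustering, then blur only the flagged samples."""
    labels = gmm_two_clusters(pca_project(x))
    # Assumption: the smaller cluster is the suspicious one.
    minority = np.argmin(np.bincount(labels, minlength=2))
    flagged = np.flatnonzero(labels == minority)
    cleaned = x.copy()
    for i in flagged:
        cleaned[i] = box_blur(x[i])
    return cleaned, flagged
```

The minority-cluster rule only holds while poisoned samples are a small fraction of a client's data; a client whose data is mostly poisoned would invert it.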


Key Contributions

  • Pre-training backdoor defense that filters poisoned data on client side before model training in FL
  • Four-stage pipeline: benign trigger insertion, PCA feature extraction, GMM clustering for malicious sample detection, and targeted blurring
  • Reduces attack success rates by up to 95% vs FedAvg and 30-80% vs state-of-the-art defenses while maintaining >90% clean accuracy

🛡️ Threat Analysis

Model Poisoning

Paper focuses on defending against backdoor attacks in federated learning by detecting and neutralizing poisoned data containing hidden triggers before they compromise the global model.


Details

Domains
vision, federated-learning
Model Types
federated
Threat Tags
training_time
Applications
image classification, autonomous driving, healthcare, finance