\textit{Federated learning} (FL) is a nascent distributed learning paradigm for training a shared global model without violating users' privacy. FL has been shown to be vulnerable to various Byzantine attacks, in which malicious participants independently or collusively upload well-crafted updates to degrade the performance of the global model. However, existing defenses can only mitigate a subset of Byzantine attacks and do not provide an all-round shield for FL. They cannot simply be combined, because they rely on totally contradictory assumptions. In this paper, we propose FPD, a \underline{\textbf{f}}our-\underline{\textbf{p}}ronged \underline{\textbf{d}}efense against both non-colluding and colluding Byzantine attacks. Our main idea is to filter updates by absolute similarity rather than by the relative similarity used in existing works. To this end, we first propose a reliable client selection strategy that nips the majority of threats in the bud. Then we design a simple but effective score-based detection method to mitigate colluding attacks. Third, we construct an enhanced spectral-based outlier detector to accurately discard abnormal updates when the training data is \textit{not independent and identically distributed} (non-IID). Finally, we design update denoising to rectify the direction of slightly noisy but harmful updates. The four sequentially combined modules effectively reconcile the contradiction between addressing non-colluding and colluding Byzantine attacks. Extensive experiments over three benchmark image classification datasets against four state-of-the-art Byzantine attacks demonstrate that FPD drastically outperforms existing defenses in both IID and non-IID scenarios (with a $30\%$ improvement in model accuracy).
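As an added illustration (not the paper's code; the abstract only names its modules) of why the abstract contrasts absolute with relative similarity: a relative, pairwise filter lets a colluding minority bloc through in a non-IID round, because the bloc is more mutually consistent than the diverse honest clients, while a filter that compares each update with a trusted reference direction rejects the bloc whatever its size. The reference (taken here to be a server-side update on a small clean dataset), the threshold of 0.3, and the constructed round are assumptions; the paper's own yardstick is not stated in the abstract.

```python
import math

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0

def relative_filter(updates):
    """Relative similarity: score every update by its mean cosine similarity to
    the other clients' updates and keep the ceil(n/2) best-scoring ones. Each
    verdict depends on what everyone else submitted in this round."""
    n = len(updates)
    scores = [sum(cosine(updates[i], updates[j]) for j in range(n) if j != i) / (n - 1)
              for i in range(n)]
    ranked = sorted(range(n), key=lambda i: scores[i], reverse=True)
    return sorted(ranked[:(n + 1) // 2])

def absolute_filter(updates, reference, threshold=0.3):
    """Absolute similarity: compare every update with a trusted reference
    direction (assumed here to be computed by the server on a small clean
    dataset) and keep those at or above the threshold. Each verdict is
    independent of the other clients, so the size of a colluding bloc is irrelevant."""
    return [i for i, u in enumerate(updates) if cosine(u, reference) >= threshold]

def scenario(n_colluders, dim=8):
    """Constructed non-IID round: six honest clients (indices 0..5) share the
    reference direction e0 but each adds a large client-specific component along
    its own axis e1..e6, so honest updates agree only weakly with one another
    (pairwise cosine 1/3.25). The attackers (indices 6..) upload n_colluders
    identical copies of e7, orthogonal to the reference and to every honest update."""
    def unit(k):
        return [1.0 if j == k else 0.0 for j in range(dim)]
    reference = unit(0)
    honest = [[a + 1.5 * b for a, b in zip(reference, unit(i))] for i in range(1, 7)]
    colluders = [unit(7) for _ in range(n_colluders)]
    return honest + colluders, reference

if __name__ == "__main__":
    for k in (1, 3):
        updates, ref = scenario(k)
        print(f"{k} attacker(s) at indices 6..{5 + k}: relative filter keeps "
              f"{relative_filter(updates)}, absolute filter keeps {absolute_filter(updates, ref)}")
```

With one lone attacker both filters drop it; with a bloc of three (one third of the clients) the relative filter keeps all three and drops four honest clients, whereas the absolute filter still keeps exactly the six honest clients.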