The decentralized and privacy-preserving nature of federated learning (FL) makes it vulnerable to backdoor attacks that aim to manipulate the behavior of the aggregated model on specific adversary-chosen inputs. However, most existing defenses based on statistical differences between client updates are effective only against specific attacks, and they fail in particular when the malicious gradients are similar to benign ones or when the data are highly non-independent and identically distributed (non-IID). In this paper, we revisit distance-based defenses and find that i) Euclidean distance loses its discriminative power in high dimensions, because distances between updates concentrate and "near" and "far" become hard to tell apart, and ii) malicious gradients with diverse characteristics cannot be identified by any single metric. To address this, we present a simple yet effective defense that combines multiple metrics with dynamic weighting to identify backdoors adaptively. Furthermore, the defense relies on no predefined assumptions about attack settings or data distributions and has little impact on benign performance. To evaluate it, we conduct comprehensive experiments on different datasets under various attack settings, where our method achieves the best defensive performance. For instance, it reaches the lowest backdoor accuracy of 3.06% under the difficult Edge-case PGD attack, a significant improvement over previous defenses. The results also show that the method adapts well to a wide range of non-IID degrees without sacrificing benign performance.
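The two observations in the abstract can be reproduced on constructed data. The following is an added example, not the paper's code, datasets or weighting scheme: the first function shows distance concentration (the gap between the nearest and the farthest random point shrinks as the dimension grows, which is why a Euclidean threshold stops separating benign from malicious updates); the second part builds one FL round with eight benign clients and two crafted attackers (a norm-boosted copy of the benign direction and a benign-norm update whose change is packed into four coordinates), scores every client under three metrics, normalizes each metric on the current round's own values (a median/MAD robust z-score, so the scale adapts to that round's spread), and flags a client when its strongest normalized signal exceeds a threshold. The metric set, the robust-z normalization, the max-combination, the threshold of 4 and the two attack shapes are assumptions chosen for the illustration; Edge-case PGD is not simulated.

```python
"""Toy experiments for the abstract's two observations (added example,
not the paper's code). All inputs are constructed in memory.
  1. distance_spread(): Euclidean distances from a query to random points
     concentrate as the dimension grows.
  2. make_round()/flag_clients(): L2 distance alone flags one of the two
     crafted attackers; scoring under several metrics, each normalized
     on this round's own values, flags both.
The metric set, robust-z normalization, max-combination and attack
shapes are illustrative assumptions, not the paper's weighting scheme.
"""
import math
import random
import statistics


def distance_spread(dim, n_points=200, seed=0):
    """Relative contrast (d_max - d_min) / d_min of Euclidean distances from
    one random query point to n_points random points in [0, 1]^dim.
    Values near 0 mean every point is about equally far away."""
    rng = random.Random(seed)
    query = [rng.random() for _ in range(dim)]
    dists = [math.dist(query, [rng.random() for _ in range(dim)])
             for _ in range(n_points)]
    d_min, d_max = min(dists), max(dists)
    return (d_max - d_min) / d_min


def coordinate_median(updates):
    """Coordinate-wise median of the client updates (a robust centre)."""
    return [statistics.median(col) for col in zip(*updates)]


def l2_distance(u, m):
    return math.dist(u, m)


def cosine_distance(u, m):
    dot = sum(a * b for a, b in zip(u, m))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_m = math.sqrt(sum(b * b for b in m))
    return 1.0 - dot / (norm_u * norm_m)


def top5_energy(u, m, k=5):
    """Sum of the k largest squared coordinate deviations from the centre:
    sensitive to a change concentrated in a few coordinates."""
    devs = sorted(((a - b) ** 2 for a, b in zip(u, m)), reverse=True)
    return sum(devs[:k])


ALL_METRICS = {"l2": l2_distance, "cosine": cosine_distance, "top5": top5_energy}


def robust_z(values):
    """(v - median) / (1.4826 * MAD), computed on the current round only so
    the scale follows that round's spread (non-IID rounds spread more)."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    scale = 1.4826 * mad if mad > 0 else 1.0
    return [(v - med) / scale for v in values]


def score_clients(updates, metrics):
    centre = coordinate_median(updates)
    return {name: robust_z([fn(u, centre) for u in updates])
            for name, fn in metrics.items()}


def flag_clients(updates, metrics, threshold=4.0):
    """Indices of clients whose strongest normalized score across the given
    metrics exceeds the threshold (assumed combination rule)."""
    z = score_clients(updates, metrics)
    return {i for i in range(len(updates))
            if max(z[name][i] for name in metrics) > threshold}


def make_round(dim=100, n_benign=8, seed=1):
    """Constructed round: benign clients send the true direction g plus
    noise; client 8 sends 3*g (norm boost, same direction, so cosine sees
    nothing); client 9 sends g plus 2.5 on four coordinates, which keeps
    its L2 distance to the centre at the benign level."""
    rng = random.Random(seed)
    g = [rng.gauss(0, 1) for _ in range(dim)]
    updates = [[gj + rng.gauss(0, 0.5) for gj in g] for _ in range(n_benign)]
    updates.append([3 * gj for gj in g])
    sparse = list(g)
    for j in range(4):
        sparse[j] += 2.5
    updates.append(sparse)
    return updates


if __name__ == "__main__":
    for dim in (2, 50, 500):
        print(f"dim={dim:4d}  relative contrast={distance_spread(dim):.3f}")
    rnd = make_round()
    print("L2 only flags:   ", sorted(flag_clients(rnd, {"l2": l2_distance})))
    print("all metrics flag:", sorted(flag_clients(rnd, ALL_METRICS)))
```

The threshold is applied to per-round normalized scores rather than to raw distances, which is the point of finding i): a raw Euclidean cut-off tuned at one dimension or one non-IID degree has no meaning at another, while a score relative to the round's own median and MAD does. Finding ii) shows up in the second attacker: its L2 distance to the centre matches the benign clients, so any L2-only rule passes it, and only the coordinate-concentration metric exposes it.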