Federated Learning (FL) is a promising distributed learning approach that enables multiple clients to collaboratively train a shared global model. However, recent studies show that FL is vulnerable to various poisoning attacks, which can degrade the performance of global models or introduce backdoors into them. In this paper, we first conduct a comprehensive study of prior FL attacks and detection methods. The results show that all existing detection methods are effective only against limited and specific attacks. Most detection methods suffer from high false positives, which lead to significant performance degradation, especially in non-independent and identically distributed (non-IID) settings. To address these issues, we propose FLTracer, the first FL attack provenance framework to accurately detect various attacks and trace the attack time, objective, type, and poisoned location of updates. Unlike existing methodologies that rely solely on cross-client anomaly detection, we propose a Kalman filter-based cross-round detection that identifies adversaries by looking for behavior changes before and after the attack. This makes it resilient to data heterogeneity and effective even in non-IID settings. To further improve the accuracy of our detection method, we employ four novel features and capture their anomalies with joint decisions. Extensive evaluations show that FLTracer achieves an average true positive rate of over $96.88\%$ at an average false positive rate of less than $2.67\%$, significantly outperforming SOTA detection methods. Code is available at https://github.com/Eyr3/FLTracer.
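The contrast between cross-client and cross-round detection can be sketched as follows; this is an added illustration, not code from the FLTracer repository. It assumes a single scalar per-client update feature (a hypothetical stand-in for the paper's four features), and the filter parameters, threshold, client names, and data are all constructed.

```python
import math
from statistics import median

class ScalarKalman:
    """1-D Kalman filter (random-walk state) tracking one client's update feature."""
    def __init__(self, x0, p0=1.0, q=1e-4, r=0.01):
        self.x, self.p, self.q, self.r = x0, p0, q, r

    def step(self, z):
        """Score observation z against the prediction, then fold it into the state."""
        p_pred = self.p + self.q             # predict: state assumed roughly constant
        s = p_pred + self.r                  # innovation variance
        nis = (z - self.x) ** 2 / s          # normalized innovation squared
        k = p_pred / s                       # Kalman gain
        self.x += k * (z - self.x)
        self.p = (1 - k) * p_pred
        return nis

def cross_round_trace(history, warmup=5, threshold=16.0):
    """Return {client: first round whose feature breaks from that client's own past}."""
    first_flag = {}
    for cid, series in history.items():
        kf, first_flag[cid] = ScalarKalman(series[0]), None
        for rnd in range(1, len(series)):
            if kf.step(series[rnd]) > threshold and rnd >= warmup:
                first_flag[cid] = rnd        # traced attack time for this client
                break
    return first_flag

def cross_client_outliers(history, rnd, tol=0.4):
    """Baseline for comparison: clients far from the per-round median."""
    med = median(s[rnd] for s in history.values())
    return sorted(c for c, s in history.items() if abs(s[rnd] - med) > tol)

def constructed_history(rounds=20, attack_round=12):
    """Constructed data: baselines differ per client (non-IID); 'c3' shifts at attack_round."""
    bases = {"c0": 0.20, "c1": 0.25, "c2": 0.90, "c3": 0.50}
    hist = {}
    for i, (cid, base) in enumerate(bases.items()):
        hist[cid] = [base + 0.03 * math.sin(1.7 * t + i)
                     + (1.0 if cid == "c3" and t >= attack_round else 0.0)
                     for t in range(rounds)]
    return hist

if __name__ == "__main__":
    h = constructed_history()
    print("cross-round :", cross_round_trace(h))            # only c3, at its shift round
    print("cross-client:", cross_client_outliers(h, rnd=3)) # benign non-IID client c2
```

On this data the per-round median check flags the benign client whose baseline simply differs from the others, while the per-client filter flags only the client whose behavior changes, and reports the round at which it changed.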