Federated Learning (FL) systems are susceptible to adversarial attacks, such as model poisoning attacks and backdoor attacks. Existing defense mechanisms face critical limitations in real-world deployments, such as relying on impractical assumptions (e.g., adversaries acknowledging the presence of attacks before attacking) or undermining accuracy in model training, even in benign scenarios. To address these challenges, we propose RedJasper, a two-stage anomaly detection method specifically designed for real-world FL deployments. It identifies suspicious activities in the first stage, then activates the second stage conditionally to further scrutinize the suspicious local models, employing the 3σ rule to identify real malicious local models and filter them out of FL training. To ensure integrity and transparency within the FL system, RedJasper integrates zero-knowledge proofs, enabling clients to cryptographically verify the server's detection process without relying on the server's goodwill. RedJasper operates without unrealistic assumptions and avoids interfering with FL training in attack-free scenarios. It bridges the gap between theoretical advances in FL security and the practical demands of real-world deployment. Experimental results demonstrate that RedJasper consistently delivers performance comparable to benign cases, highlighting its effectiveness in identifying potential attacks and eliminating malicious models with high accuracy.
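As an added illustration, not code from the RedJasper paper, the following shows the second-stage 3σ filtering of local models over a constructed FL round and then aggregates only the kept models. The scoring metric (L2 distance from the coordinate-wise median) and the plain FedAvg aggregation are assumptions of this example; the abstract does not specify how RedJasper scores local models or how its first stage triggers, so the first stage is not modelled here.

```python
import math
from statistics import mean, median, pstdev

# Constructed sample round: 11 benign local updates clustered around (1.0, -0.5)
# and one poisoned update (c12) pushed far off. Toy 2-D vectors, not paper data.
UPDATES = {
    "c01": [1.00, -0.50], "c02": [1.02, -0.50], "c03": [0.98, -0.50],
    "c04": [1.00, -0.52], "c05": [1.00, -0.48], "c06": [1.02, -0.52],
    "c07": [0.98, -0.48], "c08": [1.02, -0.48], "c09": [0.98, -0.52],
    "c10": [1.01, -0.50], "c11": [0.99, -0.50],
    "c12": [20.0, -15.0],  # constructed poisoned update
}

def deviation_scores(updates):
    """Score each local update by its L2 distance from the coordinate-wise
    median of all updates. The median centre and L2 metric are assumptions
    of this example; the abstract does not state how RedJasper scores models."""
    dims = len(next(iter(updates.values())))
    centre = [median(u[d] for u in updates.values()) for d in range(dims)]
    return {cid: math.dist(u, centre) for cid, u in updates.items()}

def three_sigma_filter(scores, k=3.0):
    """Second-stage check: flag clients whose score lies more than k standard
    deviations above the mean score (the 3-sigma rule for k=3).
    Caveat: with n scores, no single value's z-score can exceed sqrt(n-1)
    under the population std, so one attacker among fewer than 11
    participants can never trip the k=3 threshold; the rule needs enough
    honest participants per round to be effective."""
    values = list(scores.values())
    mu, sigma = mean(values), pstdev(values)
    flagged = sorted(c for c, s in scores.items() if sigma > 0 and s > mu + k * sigma)
    kept = sorted(c for c in scores if c not in flagged)
    return kept, flagged

def aggregate(updates, client_ids):
    """Plain FedAvg (coordinate-wise mean) over the selected clients."""
    dims = len(next(iter(updates.values())))
    return [mean(updates[c][d] for c in client_ids) for d in range(dims)]

def filter_and_aggregate(updates, k=3.0):
    """Run the 3-sigma filter, then aggregate only the kept local models.
    In an attack-free round nothing is flagged, so training is untouched."""
    kept, flagged = three_sigma_filter(deviation_scores(updates), k)
    return aggregate(updates, kept), kept, flagged

if __name__ == "__main__":
    model, kept, flagged = filter_and_aggregate(UPDATES)
    print("flagged:", flagged, "aggregate:", model)
```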