Federated learning, while a promising approach for collaborative model training, is susceptible to poisoning attacks because of its decentralized nature. Backdoor attacks in particular are remarkably stealthy, as they compromise predictions only for inputs that contain a trigger. Previous efforts to detect and mitigate such attacks rest on the Independent and Identically Distributed (IID) data assumption, under which benign model updates exhibit high similarity in multiple feature spaces; outliers are therefore flagged as backdoor attacks. Non-IID data, however, poses substantial challenges for backdoor attack detection: data heterogeneity introduces variance among benign models, making outlier-detection-based mechanisms less effective. We propose a novel distribution-aware anomaly detection mechanism, BoBa, to address this problem. To differentiate outliers arising from data variety from those arising from backdoor attacks, we break the problem into two steps: clustering clients by their data distribution, followed by voting-based detection. Based on the intuition that both clustering and the subsequent backdoor detection benefit greatly from knowing client data distributions, we propose a novel data distribution inference mechanism. To improve detection robustness, we introduce an overlapping clustering method in which each client is associated with multiple clusters, so that the trustworthiness of a model update is assessed collectively by multiple clusters rather than by a single one. Through extensive evaluations, we demonstrate that BoBa reduces the attack success rate to below 0.001 while maintaining high main-task accuracy across a variety of attack strategies and experimental settings.
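The two-step idea in the abstract (cluster clients by data distribution, then let several overlapping clusters vote on each update) can be made concrete with a small simulation. The following is an added illustration, not the paper's BoBa implementation: it assumes each client's distribution is already summarised by a single number p (the paper infers distributions with its own mechanism, which is not reproduced here), that benign updates drift smoothly with p (the non-IID variance that defeats plain outlier detection), and that the backdoored client's update carries an extra component along a direction benign updates never use. Clusters are overlapping windows over p, each cluster flags outliers with a median/MAD rule, and a client is excluded only if a majority of its clusters flag it. All client data is constructed inline.

```python
"""Distribution-aware, voting-based screening of federated updates.

Added illustration, not the paper's BoBa code. Constructed assumptions:
  * a client's data distribution is summarised by p = percent of class-1
    samples it holds (the paper's inference mechanism is assumed to supply it);
  * a benign update interpolates between two directions as p changes, so
    benign non-IID updates differ from each other without being malicious;
  * the backdoored client's update adds a large component on coordinate 2,
    a direction benign updates do not use.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Client:
    cid: str
    p: int        # percent of class-1 samples (assumed inferred distribution)
    update: list  # model update vector (3 coordinates in this toy example)


def benign_update(p: int, rng: random.Random) -> list:
    """Constructed benign update: drifts with label skew p, plus small noise."""
    f = p / 100.0
    return [(1 - f) + rng.uniform(-0.01, 0.01),
            f + rng.uniform(-0.01, 0.01),
            rng.uniform(-0.01, 0.01)]


def make_clients(seed: int = 7) -> list:
    """Eleven benign clients spanning p=0..100, plus one constructed attacker."""
    rng = random.Random(seed)
    clients = [Client(f"c{p:03d}", p, benign_update(p, rng))
               for p in range(0, 101, 10)]
    # The attacker's distribution (p=35) looks ordinary; only its update
    # carries a trigger-related component that no benign client produces.
    bad = benign_update(35, rng)
    bad[2] += 2.0
    clients.append(Client("attacker", 35, bad))
    return clients


def overlapping_clusters(clients, centers=(0, 25, 50, 75, 100), radius=30):
    """A client joins every cluster whose centre lies within `radius` of its
    distribution, so clusters overlap and each client is judged several times."""
    return {c: [cl for cl in clients if abs(cl.p - c) <= radius] for c in centers}


def flag_outliers(members, k=3.0, min_spread=1e-3):
    """Within one cluster: coordinate-wise median as the reference update,
    robust threshold (median + k*MAD) on each member's distance to it."""
    dim = len(members[0].update)
    ref = [statistics.median(m.update[i] for m in members) for i in range(dim)]
    dist = {m.cid: math.dist(m.update, ref) for m in members}
    med = statistics.median(dist.values())
    mad = statistics.median(abs(d - med) for d in dist.values())
    threshold = med + k * max(mad, min_spread)  # floor guards degenerate clusters
    return {cid for cid, d in dist.items() if d > threshold}


def vote(clients, clusters, k=3.0):
    """Tally, per client, how many of its clusters flagged it and how many judged it."""
    flagged = {cl.cid: 0 for cl in clients}
    total = {cl.cid: 0 for cl in clients}
    for members in clusters.values():
        if len(members) < 3:
            continue  # too few members to estimate a reference robustly
        bad = flag_outliers(members, k)
        for m in members:
            total[m.cid] += 1
            flagged[m.cid] += int(m.cid in bad)
    return {cid: (flagged[cid], total[cid]) for cid in total}


def screen(clients, **kw):
    """Client ids to exclude from aggregation: flagged by a majority of their clusters."""
    tally = vote(clients, overlapping_clusters(clients), **kw)
    return {cid for cid, (f, t) in tally.items() if t and 2 * f > t}


if __name__ == "__main__":
    cs = make_clients()
    for cid, (f, t) in vote(cs, overlapping_clusters(cs)).items():
        print(f"{cid:>9}: flagged by {f}/{t} clusters")
    print("excluded:", screen(cs))
```

Running it shows why the overlap matters: a benign client at p=0 sits far from the reference of cluster 25 but is not flagged there, and even if one cluster did flag a benign client, a single vote cannot exclude it, whereas the attacker is flagged by both of the clusters it belongs to. A single global outlier test over the same twelve updates would instead have to choose between missing the attacker and rejecting the benign clients at the ends of the p range.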