Existing approaches defend against backdoor attacks in federated learning (FL) mainly by a) mitigating the impact of infected models, or b) excluding infected models. The former negatively impacts model accuracy, while the latter usually relies on globally clear boundaries between benign and infected model updates. In reality, however, model updates are easily mixed and scattered because of the diverse distributions of local data. This work focuses on excluding infected models in FL. Unlike previous work, which takes a global view, we propose Snowball, a novel anti-backdoor FL framework based on bidirectional elections from an individual perspective, inspired by one principle that we deduce and two principles in FL and deep learning. It is characterized by a) bottom-up election, where each candidate model update votes for several peer model updates so that a few model updates are elected as selectees for aggregation; and b) top-down election, where the selectees progressively enlarge their set by picking up further model updates from the candidates. We compare Snowball with state-of-the-art defenses against backdoor attacks in FL on five real-world datasets, demonstrating its superior resistance to backdoor attacks and its slight impact on the accuracy of the global model.