Federated Learning (FL) is a promising approach that enables multiple clients to train Deep Neural Networks (DNNs) collaboratively without sharing their local training data. However, FL is susceptible to backdoor (or targeted poisoning) attacks. These attacks are initiated by malicious clients who seek to compromise the learning process by introducing specific behaviors into the learned model that can be triggered by carefully crafted inputs. Existing FL safeguards have various limitations: they are restricted to specific data distributions, reduce the global model's accuracy by excluding benign models or adding noise, are vulnerable to adaptive, defense-aware adversaries, or require the server to access local models, which enables data inference attacks. This paper presents a novel defense mechanism, CrowdGuard, that effectively mitigates backdoor attacks in FL and overcomes the deficiencies of existing techniques. It leverages clients' feedback on individual models, analyzes the behavior of neurons in hidden layers, and eliminates poisoned models through an iterative pruning scheme. CrowdGuard employs a server-located stacked clustering scheme to enhance its resilience to rogue client feedback. The evaluation results demonstrate that CrowdGuard achieves a 100% True Positive Rate and True Negative Rate across various scenarios, including IID and non-IID data distributions. Additionally, CrowdGuard withstands adaptive adversaries while preserving the original performance of the protected models. To ensure confidentiality, CrowdGuard uses a secure and privacy-preserving architecture that leverages Trusted Execution Environments (TEEs) on both the client and server sides.
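As an added illustration (not the paper's code), a minimal Python model of the server-side step the abstract describes: each client's per-model verdicts are clustered, only the largest cluster is trusted, and its majority decides which local models are dropped, so a minority of rogue reviewers cannot evict benign models or clear poisoned ones. The vote vectors, the Hamming-distance single-linkage clustering and the honest-majority assumption are constructed simplifications, not CrowdGuard's actual stacked clustering scheme.

```python
from itertools import combinations

# Constructed example: 8 candidate local models reviewed by 6 clients.
# A vote vector holds one flag per model: 1 = "looks poisoned", 0 = "looks benign".
# Honest clients c0..c3 flag models 2 and 5 (c2 adds one spurious flag on model 7);
# rogue clients c4 and c5 instead flag benign models 0 and 1 and clear the poisoned ones.
CLIENT_VOTES = {
    "c0": (0, 0, 1, 0, 0, 1, 0, 0),
    "c1": (0, 0, 1, 0, 0, 1, 0, 0),
    "c2": (0, 0, 1, 0, 0, 1, 0, 1),
    "c3": (0, 0, 1, 0, 0, 1, 0, 0),
    "c4": (1, 1, 0, 0, 0, 0, 0, 0),
    "c5": (1, 1, 0, 0, 0, 0, 0, 0),
}


def hamming(a, b):
    """Number of models on which two clients disagree."""
    return sum(x != y for x, y in zip(a, b))


def cluster_clients(votes, max_dist=1):
    """Single-linkage clustering (assumed simplification): clients whose vote
    vectors differ in at most max_dist positions share a cluster. Returns the
    clusters largest first, as lists of client ids."""
    parent = {c: c for c in votes}

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]  # path halving
            c = parent[c]
        return c

    for a, b in combinations(votes, 2):
        if hamming(votes[a], votes[b]) <= max_dist:
            parent[find(a)] = find(b)
    clusters = {}
    for c in votes:
        clusters.setdefault(find(c), []).append(c)
    return sorted(clusters.values(), key=len, reverse=True)


def aggregate_feedback(votes, max_dist=1):
    """Trust only the largest cluster (assumes honest clients form the majority
    and agree closely); a model is rejected if that cluster's majority flags it.
    Votes from the other clusters are discarded entirely."""
    trusted = cluster_clients(votes, max_dist)[0]
    n_models = len(next(iter(votes.values())))
    rejected = set()
    for m in range(n_models):
        flags = sum(votes[c][m] for c in trusted)
        if flags * 2 > len(trusted):
            rejected.add(m)
    return sorted(trusted), rejected
```

Running `aggregate_feedback(CLIENT_VOTES)` trusts c0..c3 and rejects models 2 and 5; the rogue pair lands in its own cluster and neither evicts models 0 and 1 nor rescues the poisoned ones.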