Federated learning allows clients to collaboratively train a global model without uploading raw data, which preserves privacy. This feature, i.e., the inability to review participants' datasets, has recently been found responsible for federated learning's vulnerability to backdoor attacks. Existing defense methods fall short in two respects: 1) they consider only very specific and limited attacker models and are unable to cope with advanced backdoor attacks, such as distributed backdoor attacks, which break down the global trigger into multiple distributed triggers; 2) they conduct detection at model granularity, so their performance is affected by the model dimension. To address these challenges, we propose Federated Layer Detection (FLD), a novel model filtering approach for effectively defending against backdoor attacks. FLD examines the models at layer granularity to capture the complete model details and effectively detect potential backdoor models regardless of model dimension. We provide theoretical analysis and proof for the convergence of FLD. Extensive experiments demonstrate that FLD effectively mitigates state-of-the-art backdoor attacks with negligible impact on the accuracy of the primary task.
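The second shortcoming, that scoring at model granularity is affected by model dimension, can be seen in a small added example; this is not the FLD algorithm, which the abstract does not specify. The scoring rule (distance to the coordinate-wise median, a median/MAD z-score, threshold 3.5), the layer names and the client updates are all assumptions constructed for illustration.

```python
# Added illustration: constructed data, assumed scoring rule (not the FLD algorithm).
import math
from statistics import median

def distance_to_median(vectors):
    """Euclidean distance of each client's vector to the coordinate-wise median."""
    center = [median(col) for col in zip(*vectors)]
    return [math.dist(v, center) for v in vectors]

def robust_z(scores):
    """One-sided outlier score built on the median and MAD, which resist outliers."""
    med = median(scores)
    mad = median(abs(s - med) for s in scores) or 1e-12  # avoid division by zero
    return [(s - med) / (1.4826 * mad) for s in scores]

def flag_by_model(updates, threshold=3.5):
    """Model granularity: flatten every layer into one vector per client."""
    flat = [[x for layer in u.values() for x in layer] for u in updates]
    return [i for i, z in enumerate(robust_z(distance_to_median(flat))) if z > threshold]

def flag_by_layer(updates, threshold=3.5):
    """Layer granularity: score each layer alone; flag a client if any layer is an outlier."""
    flagged = set()
    for name in updates[0]:
        z = robust_z(distance_to_median([u[name] for u in updates]))
        flagged.update(i for i, s in enumerate(z) if s > threshold)
    return sorted(flagged)

def constructed_updates():
    """Eight benign clients plus client 8, which deviates only in the 10-parameter layer."""
    updates = [{"conv": [0.10 + 0.01 * i] * 1000, "fc": [0.10 + 0.01 * i] * 10}
               for i in range(8)]
    updates.append({"conv": [0.135] * 1000, "fc": [0.435] * 10})
    return updates

if __name__ == "__main__":
    ups = constructed_updates()
    print("model granularity flags:", flag_by_model(ups))
    print("layer granularity flags:", flag_by_layer(ups))
```

In the flattened vector the 1000-parameter layer dominates the distance, so client 8 scores like a benign client; scored per layer, its small layer stands far outside the benign spread.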