Federated Learning (FL) facilitates decentralized machine learning model training, preserving data privacy, lowering communication costs, and boosting model performance through diversified data sources. Yet, FL faces vulnerabilities such as poisoning attacks, undermining model integrity with both untargeted performance degradation and targeted backdoor attacks. Preventing backdoors proves especially challenging due to their stealthy nature. Prominent mitigation techniques against poisoning attacks rely on monitoring certain metrics and filtering malicious model updates. While shown effective in evaluations, we argue that previous works did not consider realistic real-world adversaries and data distributions. We define a new notion of strong adaptive adversaries, capable of adapting to multiple objectives simultaneously. Through extensive empirical tests, we show that existing defense methods can be easily circumvented in this adversary model. We also demonstrate that existing defenses have limited effectiveness when no assumptions are made about the underlying data distributions. We introduce Metric-Cascades (MESAS), a novel defense method for more realistic scenarios and adversary models. MESAS employs multiple detection metrics simultaneously to identify poisoned model updates, creating a complex multi-objective optimization problem for adaptive attackers. In our extensive evaluation featuring nine backdoors and three datasets, MESAS consistently detects even strong adaptive attackers. Furthermore, MESAS outperforms existing defenses in distinguishing backdoors from data distribution-related distortions within and across clients. MESAS is the first defense robust against strong adaptive adversaries, effective in real-world data scenarios, with an average overhead of just 24.37 seconds.