The decentralized and privacy-preserving nature of federated learning (FL) makes it vulnerable to backdoor attacks aiming to manipulate the behavior of the resulting model on specific adversary-chosen inputs. However, most existing defenses based on statistical differences take effect only against specific attacks, especially when the malicious gradients are similar to benign ones or the data are highly non-independent and identically distributed (non-IID). In this paper, we revisit the distance-based defense methods and discover that i) Euclidean distance becomes meaningless in high dimensions and ii) malicious gradients with diverse characteristics cannot be identified by a single metric. To this end, we present a simple yet effective defense strategy with multi-metrics and dynamic weighting to identify backdoors adaptively. Furthermore, our novel defense has no reliance on predefined assumptions over attack settings or data distributions and little impact on benign performance. To evaluate the effectiveness of our approach, we conduct comprehensive experiments on different datasets under various attack settings, where our method achieves the best defensive performance. For instance, we achieve the lowest backdoor accuracy of 3.06% under the difficult Edge-case PGD, showing significant superiority over previous defenses. The results also demonstrate that our method can be well-adapted to a wide range of non-IID degrees without sacrificing the benign performance.
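The two observations the abstract rests on can be checked numerically. The following is an added illustration, not code from the paper: `relative_contrast` shows point (i), the collapse of Euclidean distance contrast as dimension grows, and `single_metric_flags` shows point (ii) by scoring two constructed malicious updates (a norm-boosted one and one lying exactly on the consensus direction) with Euclidean distance and cosine similarity to the coordinate-wise median. The gradient dimensions, the attack constructions, the median reference and the z-score threshold are all assumptions made for the example.

```python
import math
import random
import statistics

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def cosine(a, b):
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / (na * nb)

def relative_contrast(dim, n_points=200, seed=0):
    """(max - min) / min over Euclidean distances from one query to n random
    points. Point (i): this ratio collapses towards 0 as dim grows."""
    rng = random.Random(seed)
    pts = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n_points)]
    q = [rng.gauss(0, 1) for _ in range(dim)]
    ds = [euclid(q, p) for p in pts]
    return (max(ds) - min(ds)) / min(ds)

def zscore(value, population):
    return (value - statistics.mean(population)) / statistics.pstdev(population)

def single_metric_flags(dim=512, n_benign=20, seed=1, threshold=4.0):
    """Point (ii): score two constructed malicious updates with Euclidean
    distance and cosine similarity to the coordinate-wise median of all
    updates. Returns {metric: {update_name: flagged}}, where flagged means
    |z| > threshold relative to the benign clients' scores on that metric."""
    rng = random.Random(seed)
    g0 = [1.0] * dim                                          # shared benign direction
    benign = [[g + rng.gauss(0, 1) for g in g0] for _ in range(n_benign)]
    # Constructed adversarial updates (illustrative assumptions, not the paper's attacks)
    boosted = [3.0 * (g + rng.gauss(0, 1)) for g in g0]       # benign direction, 3x norm
    consensus = [statistics.median(c) for c in zip(*benign)]  # assumes attacker knows it
    aligned = [2.0 * c for c in consensus]                    # exactly on the consensus ray
    clients = benign + [boosted, aligned]
    ref = [statistics.median(c) for c in zip(*clients)]       # robust reference point
    metrics = {"euclidean": lambda u: euclid(u, ref),
               "cosine": lambda u: cosine(u, ref)}
    flags = {}
    for name, metric in metrics.items():
        benign_scores = [metric(u) for u in benign]
        flags[name] = {
            "boosted": abs(zscore(metric(boosted), benign_scores)) > threshold,
            "aligned": abs(zscore(metric(aligned), benign_scores)) > threshold,
        }
    return flags
```

Euclidean distance catches the boosted update but not the aligned one, and cosine similarity does the reverse; only the combination flags both, which is the case for multiple metrics the abstract makes.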