Existing approaches defend against backdoor attacks in federated learning (FL) mainly by a) mitigating the impact of infected models, or b) excluding infected models. The former negatively impacts model accuracy, while the latter usually relies on globally clear boundaries between benign and infected model updates. In reality, however, model updates easily become mixed and scattered because of the diverse distributions of local data. This work focuses on excluding infected models in FL. Unlike previous approaches that take a global view, we propose Snowball, a novel anti-backdoor FL framework based on bidirectional elections from an individual perspective, inspired by one principle that we deduce and two principles from FL and deep learning. It is characterized by a) bottom-up election, where each candidate model update votes for several peers so that a few model updates are elected as selectees for aggregation; and b) top-down election, where the selectees progressively enlarge their set by picking up model updates from the candidates. We compare Snowball with state-of-the-art defenses against backdoor attacks in FL on five real-world datasets, demonstrating its superior resistance to backdoor attacks and its slight impact on the accuracy of the global model.
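A simplified sketch of the two election phases described above, added here as an illustration and not the paper's implementation. The nearest-neighbour voting rule, the centroid-based growth rule, the parameters `k`, `m` and `target`, and the sample updates are all assumptions.

```python
# Added illustration, not the paper's algorithm: the voting rule, the growth
# rule and every parameter below are assumptions made for this sketch.
from collections import Counter

# Constructed sample: flattened 2-D "model updates". Indices 0-7 are benign
# (scattered, as with non-IID local data); 8-10 are infected.
UPDATES = [(10, 10), (12, 9), (9, 11), (11, 12), (8, 8), (13, 11), (10, 7),
           (7, 10), (30, -10), (31, -9), (29, -11)]

def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def bottom_up(updates, k, m):
    """Every update votes for its k nearest peers; the m most-voted win."""
    votes = Counter()
    for i, u in enumerate(updates):
        peers = [j for j in range(len(updates)) if j != i]
        peers.sort(key=lambda j: (sqdist(u, updates[j]), j))
        votes.update(peers[:k])
    ranked = sorted(range(len(updates)), key=lambda j: (-votes[j], j))
    return ranked[:m], votes

def top_down(updates, selectees, target):
    """Selectees grow one at a time by admitting the candidate nearest
    to their current centroid, until `target` updates are accepted."""
    chosen = list(selectees)
    while len(chosen) < min(target, len(updates)):
        centroid = [sum(c) / len(chosen)
                    for c in zip(*(updates[i] for i in chosen))]
        rest = [j for j in range(len(updates)) if j not in chosen]
        chosen.append(min(rest, key=lambda j: (sqdist(centroid, updates[j]), j)))
    return chosen

def aggregate(updates, chosen):
    """Average only the accepted updates; excluded ones contribute nothing."""
    return [sum(c) / len(chosen) for c in zip(*(updates[i] for i in chosen))]

if __name__ == "__main__":
    selectees, votes = bottom_up(UPDATES, k=3, m=3)
    accepted = top_down(UPDATES, selectees, target=8)
    print("selectees:", selectees, "accepted:", sorted(accepted))
    print("aggregate:", aggregate(UPDATES, accepted))
```

In this sketch the infected updates still collect votes from each other, so the outcome depends on `target` staying at or below the number of benign updates.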