数字通信与网络(英文)2024,Vol.10Issue(4) :1154-1167.DOI:10.1016/j.dcan.2023.01.017

XMAM:X-raying models with a matrix to reveal backdoor attacks for federated learning

Jianyi Zhang Fangjiao Zhang Qichao Jin Zhiqiang Wang Xiaodong Lin Xiali Hei
数字通信与网络(英文)2024,Vol.10Issue(4) :1154-1167.DOI:10.1016/j.dcan.2023.01.017
  • NETL
  • NSTL
  • 万方数据

XMAM:X-raying models with a matrix to reveal backdoor attacks for federated learning

Jianyi Zhang 1Fangjiao Zhang 2Qichao Jin 2Zhiqiang Wang 3Xiaodong Lin 4Xiali Hei5
扫码查看

作者信息

  • 1. Beijing Electronic Science and Technology Institute,Beijing,100070,China;University of Louisiana at Lafayette,Louisiana,70503,USA
  • 2. Beijing Electronic Science and Technology Institute,Beijing 100070,China
  • 3. Beijing Electronic Science and Technology Institute,Beijing,100070,China
  • 4. University of Guelph,Ontario,N1G 2W1,Canada
  • 5. University of Louisiana at Lafayette,Louisiana,70503,USA
  • 折叠

Abstract

Federated Learning(FL),a burgeoning technology,has received increasing attention due to its privacy protection capability.However,the base algorithm FedAvg is vulnerable when it suffers from so-called backdoor attacks.Former researchers proposed several robust aggregation methods.Unfortunately,due to the hidden characteristic of backdoor attacks,many of these aggregation methods are unable to defend against backdoor attacks.What's more,the attackers recently have proposed some hiding methods that further improve backdoor attacks'stealthiness,making all the existing robust aggregation methods fail.To tackle the threat of backdoor attacks,we propose a new aggregation method,X-raying Models with A Matrix(XMAM),to reveal the malicious local model updates submitted by the backdoor attackers.Since we observe that the output of the Softmax layer exhibits distinguishable patterns between malicious and benign updates,unlike the existing aggregation algorithms,we focus on the Softmax layer's output in which the backdoor attackers are difficult to hide their malicious behavior.Specifically,like medical X-ray examinations,we investigate the collected local model updates by using a matrix as an input to get their Softmax layer's outputs.Then,we preclude updates whose outputs are abnormal by clustering.Without any training dataset in the server,the extensive evaluations show that our XMAM can effectively distinguish malicious local model updates from benign ones.For instance,when other methods fail to defend against the backdoor attacks at no more than 20%malicious clients,our method can tolerate 45%malicious clients in the black-box mode and about 30%in Projected Gradient Descent(PGD)mode.Besides,under adaptive attacks,the results demonstrate that XMAM can still complete the global model training task even when there are 40%malicious clients.Finally,we analyze our method's screening complexity and compare the real screening time with other methods.The results show that XMAM is about 10-10000 times faster than the existing methods.

Key words

Federated learning/Backdoor attacks/Aggregation methods

引用本文复制引用

出版年

2024
数字通信与网络(英文)

数字通信与网络(英文)

ISSN:
段落导航相关论文