An adaptive robust defending algorithm against backdoor attacks in federated learning

Yongkang Wang; Di Hua Zhai; Yongping He; Yuanqing Xia

doi:10.1016/j.future.2023.01.026

An adaptive robust defending algorithm against backdoor attacks in federated learning

Yongkang Wang, Di Hua Zhai^*, Yongping He, Yuanqing Xia

^*Corresponding author for this work

School of Automation

Beijing Institute of Technology

Research output: Contribution to journal › Article › peer-review

12 Citations (Scopus)

Abstract

To address the backdoor attacks in federated learning due to the inherently distributed and privacy-preserving peculiarities, we propose RDFL including four components: selecting the eligible parameters to compute the cosine distance; executing adaptive clustering; detecting and removing the suspicious malicious local models; performing adaptive clipping and noising operations. We evaluate the performance of RDFL compared with the existing baselines on MNIST, FEMNIST, and CIFAR-10 datasets under non-independent and identically distributed scenario, and we consider various attack scenarios, including the different numbers of malicious attackers, distributed backdoor attack, different poison ratios of local data and model poisoning attack. Experimental results show that RDFL can effectively mitigate the backdoor attacks, and outperforms the compared baselines.

Original language	English
Pages (from-to)	118-131
Number of pages	14
Journal	Future Generation Computer Systems
Volume	143
DOIs	https://doi.org/10.1016/j.future.2023.01.026
Publication status	Published - Jun 2023

Keywords

Adaptive clustering
Backdoor attack
Clipping
Differential privacy
Federated learning
Similarity distance

Access to Document

10.1016/j.future.2023.01.026

Cite this

@article{bd0265835c184a038aab349c39dea6d7,

title = "An adaptive robust defending algorithm against backdoor attacks in federated learning",

abstract = "To address the backdoor attacks in federated learning due to the inherently distributed and privacy-preserving peculiarities, we propose RDFL including four components: selecting the eligible parameters to compute the cosine distance; executing adaptive clustering; detecting and removing the suspicious malicious local models; performing adaptive clipping and noising operations. We evaluate the performance of RDFL compared with the existing baselines on MNIST, FEMNIST, and CIFAR-10 datasets under non-independent and identically distributed scenario, and we consider various attack scenarios, including the different numbers of malicious attackers, distributed backdoor attack, different poison ratios of local data and model poisoning attack. Experimental results show that RDFL can effectively mitigate the backdoor attacks, and outperforms the compared baselines.",

keywords = "Adaptive clustering, Backdoor attack, Clipping, Differential privacy, Federated learning, Similarity distance",

author = "Yongkang Wang and Zhai, {Di Hua} and Yongping He and Yuanqing Xia",

note = "Publisher Copyright: {\textcopyright} 2023 Elsevier B.V.",

year = "2023",

month = jun,

doi = "10.1016/j.future.2023.01.026",

language = "English",

volume = "143",

pages = "118--131",

journal = "Future Generation Computer Systems",

issn = "0167-739X",

publisher = "Elsevier B.V.",

}

TY - JOUR

T1 - An adaptive robust defending algorithm against backdoor attacks in federated learning

AU - Wang, Yongkang

AU - Zhai, Di Hua

AU - He, Yongping

AU - Xia, Yuanqing

PY - 2023/6

Y1 - 2023/6

N2 - To address the backdoor attacks in federated learning due to the inherently distributed and privacy-preserving peculiarities, we propose RDFL including four components: selecting the eligible parameters to compute the cosine distance; executing adaptive clustering; detecting and removing the suspicious malicious local models; performing adaptive clipping and noising operations. We evaluate the performance of RDFL compared with the existing baselines on MNIST, FEMNIST, and CIFAR-10 datasets under non-independent and identically distributed scenario, and we consider various attack scenarios, including the different numbers of malicious attackers, distributed backdoor attack, different poison ratios of local data and model poisoning attack. Experimental results show that RDFL can effectively mitigate the backdoor attacks, and outperforms the compared baselines.

AB - To address the backdoor attacks in federated learning due to the inherently distributed and privacy-preserving peculiarities, we propose RDFL including four components: selecting the eligible parameters to compute the cosine distance; executing adaptive clustering; detecting and removing the suspicious malicious local models; performing adaptive clipping and noising operations. We evaluate the performance of RDFL compared with the existing baselines on MNIST, FEMNIST, and CIFAR-10 datasets under non-independent and identically distributed scenario, and we consider various attack scenarios, including the different numbers of malicious attackers, distributed backdoor attack, different poison ratios of local data and model poisoning attack. Experimental results show that RDFL can effectively mitigate the backdoor attacks, and outperforms the compared baselines.

KW - Adaptive clustering

KW - Backdoor attack

KW - Clipping

KW - Differential privacy

KW - Federated learning

KW - Similarity distance

UR - http://www.scopus.com/inward/record.url?scp=85147550567&partnerID=8YFLogxK

U2 - 10.1016/j.future.2023.01.026

DO - 10.1016/j.future.2023.01.026

M3 - Article

AN - SCOPUS:85147550567

SN - 0167-739X

VL - 143

SP - 118

EP - 131

JO - Future Generation Computer Systems

JF - Future Generation Computer Systems

ER -

An adaptive robust defending algorithm against backdoor attacks in federated learning

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this