XMAM:X-raying models with a matrix to reveal backdoor attacks for federated learning  被引量：1

作　　者：Jianyi Zhang Fangjiao Zhang Qichao Jin Zhiqiang Wang Xiaodong Lin Xiali Hei 

机构地区：[1]Beijing Electronic Science and Technology Institute,Beijing,100070,China [2]University of Guelph,Ontario,N1G 2W1,Canada [3]University of Louisiana at Lafayette,Louisiana,70503,USA

出　　处：《Digital Communications and Networks》2024年第4期1154-1167,共14页数字通信与网络（英文版）

基　　金：Supported by the Fundamental Research Funds for the Central Universities(328202204)。

摘　　要：Federated Learning(FL),a burgeoning technology,has received increasing attention due to its privacy protection capability.However,the base algorithm FedAvg is vulnerable when it suffers from so-called backdoor attacks.Former researchers proposed several robust aggregation methods.Unfortunately,due to the hidden characteristic of backdoor attacks,many of these aggregation methods are unable to defend against backdoor attacks.What's more,the attackers recently have proposed some hiding methods that further improve backdoor attacks'stealthiness,making all the existing robust aggregation methods fail.To tackle the threat of backdoor attacks,we propose a new aggregation method,X-raying Models with A Matrix(XMAM),to reveal the malicious local model updates submitted by the backdoor attackers.Since we observe that the output of the Softmax layer exhibits distinguishable patterns between malicious and benign updates,unlike the existing aggregation algorithms,we focus on the Softmax layer's output in which the backdoor attackers are difficult to hide their malicious behavior.Specifically,like medical X-ray examinations,we investigate the collected local model updates by using a matrix as an input to get their Softmax layer's outputs.Then,we preclude updates whose outputs are abnormal by clustering.Without any training dataset in the server,the extensive evaluations show that our XMAM can effectively distinguish malicious local model updates from benign ones.For instance,when other methods fail to defend against the backdoor attacks at no more than 20%malicious clients,our method can tolerate 45%malicious clients in the black-box mode and about 30%in Projected Gradient Descent(PGD)mode.Besides,under adaptive attacks,the results demonstrate that XMAM can still complete the global model training task even when there are 40%malicious clients.Finally,we analyze our method's screening complexity and compare the real screening time with other methods.The results show that XMAM is about 10–10000 times faster than the existing m

关 键 词：Federated learning Backdoor attacks Aggregation methods 

分 类 号：TP181[自动化与计算机技术—控制理论与控制工程] TP309[自动化与计算机技术—控制科学与工程]