Go to OpenReview Archive homepageCrowdGuard: Federated Backdoor Detection in Federated Learning
Abstract: Federated Learning (FL) is a promising approach
enabling multiple clients to train Deep Neural Networks (DNNs)
collaboratively without sharing their local training data. However,
FL is susceptible to backdoor (or targeted poisoning) attacks.
These attacks are initiated by malicious clients who seek to compromise the learning process by introducing specific behaviors
into the learned model that can be triggered by carefully crafted
inputs. Existing FL safeguards have various limitations: They
are restricted to specific data distributions or reduce the global
model accuracy due to excluding benign models or adding noise,
are vulnerable to adaptive defense-aware adversaries, or require
the server to access local models, allowing data inference attacks.
This paper presents a novel defense mechanism,
CrowdGuard, that effectively mitigates backdoor attacks
in FL and overcomes the deficiencies of existing techniques. It
leverages clients’ feedback on individual models, analyzes the
behavior of neurons in hidden layers, and eliminates poisoned
models through an iterative pruning scheme. CrowdGuard
employs a server-located stacked clustering scheme to enhance
its resilience to rogue client feedback. The evaluation results
demonstrate that CrowdGuard achieves a 100% True-PositiveRate and True-Negative-Rate across various scenarios, including
IID and non-IID data distributions. Additionally, CrowdGuard
withstands adaptive adversaries while preserving the original
performance of protected models. To ensure confidentiality,
CrowdGuard uses a secure and privacy-preserving architecture
leveraging Trusted Execution Environments (TEEs) on both
client and server sides.
Loading