SPMC: Self-Purifying Federated Backdoor Defense via Margin Contribution

Download PDF

Wenwen He, Wenke Huang, Bin Yang, ShuKan Liu, Mang Ye

Published: 01 May 2025, Last Modified: 18 Jun 2025ICML 2025 posterEveryoneRevisionsBibTeXCC BY 4.0
TL;DR: SPMC: Self-Purifying Federated Backdoor Defense via Margin Contribution
Abstract: Federated Learning (FL) enables collaborative training with privacy preservation but is vulnerable to backdoor attacks, where malicious clients degrade model performance on targeted inputs. These attacks exploit FL decentralized nature, while existing defenses, based on isolated behaviors and fixed rules, can be bypassed by adaptive attackers. To address these limitations, we propose **SPMC**, a marginal collaboration defense mechanism that leverages intrinsic consistency across clients to estimate inter-client marginal contributions. This allows the system to dynamically reduce the influence of clients whose behavior deviates from the collaborative norm, thus maintaining robustness even as the number of attackers changes. In addition to overcoming proxy-dependent purification's weaknesses, we introduce a self-purification process that locally adjusts suspicious gradients. By aligning them with margin-based model updates, we mitigate the effect of local poisoning. Together, these two modules significantly improve the adaptability and resilience of FL systems, both at the client and server levels. Experimental results on a variety of classification benchmarks demonstrate that SPMC achieves strong defense performance against sophisticated backdoor attacks without sacrificing accuracy on benign tasks. The code is posted at: https://github.com/WenddHe0119/SPMC.
Lay Summary: Federated Learning allows devices to collaboratively train AI models without sharing their private data. However, it is vulnerable to backdoor attacks, where malicious participants secretly poison the model to behave incorrectly when triggered. Existing defenses often rely on strict rules, extra clean data or individual action, which limits their adaptability. We propose SPMC, a new defense that measures each client contribution to the margin group. If a client behaves differently from the group, its influence is reduced. This dynamic weighting helps detect and suppress attackers without predefined thresholds. Additionally, we introduce a self-purifying process that adjusts local updates to align with shared knowledge from other clients. This keeps the model learning from clean patterns even when some clients are poisoned. Experiments on standard image datasets show that SPMC defends effectively against sophisticated attacks while keeping accuracy high on regular tasks. Our method improves both the robustness and flexibility of FL systems.
Link To Code: https://github.com/WenddHe0119/SPMC
Primary Area: Deep Learning->Robustness
Keywords: Backdoor Defense, Federated Learning, Game Theory
Submission Number: 9338