Go to HPCC 2023 homepagePBE-Plan: Periodic Backdoor Erasing Plan for Trustworthy Federated Learning
Abstract: Backdoor attacks against Federated Learning (FL) are highly disguised, persistent and mutable because the openness of participants increases the attacker's configurable space. Existing backdoor erasing strategies encounter numerous challenges in FL: 1) Erasing backdoor in a single round does not guarantee the trustworthiness of FL due to the unknown timing of incorporating poisoned samples into the training; 2) Merely suppressing the backdoor response in the pre-softmax layer is insufficient to achieve stable erasing effects in complex FL tasks; 3) Accuracy of the aggregated model deteriorates significantly without clean samples. In this paper, we propose a novel Periodic Backdoor Erasing Plan (PBE-Plan) for trustworthy FL, which enables the server to periodically erase the hidden backdoors in the global model without clean samples while minimizing the detriment of model accuracy. A task pipeline in PBE-Plan involves distilling a clean model from the backdoored global model and then distributing it to participants for local updates. The PBE-Plan uses data-free distillation to transfer knowledge without privacy infringement and prompts the student model's attention to the normal features of inputs while ignoring any potential backdoors by two-stage joint regularization (i.e., backdoor response suppression and attention map alignment). Experiments on CIFAR10 and CIFAR100 demonstrate that our approach can successfully reduce the attack success rate of 3 state-of-the-art backdoor attacks in FL from over 97% to less than 5 % with an accuracy loss of no more than 2 %. Meanwhile, our experiments also demonstrate that good defense results can be achieved without performing backdoor erasing at every round.
0 Replies
Loading