Beacon: Thwarting Backdoor Attacks in Cross-Domain Federated Fine-Tuning via Gradient Behavior Decoupling

Download PDF

Wenkai Huang, Gaolei Li, Rui Xu, Jun Wu, Jianhua Li, Siyuan Liang

08 Sept 2025 (modified: 13 Nov 2025)ICLR 2026 Conference Withdrawn SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: Federated fine-tuning, cross-domain, backdoor defense, gradient decoupling
Abstract: Cross-domain federated fine-tuning (CD-FFT) has emerged as a promising paradigm evolving from traditional federated learning (FL), with better alignment to real-world data distributions and enhanced communication efficiency. However, the inherent domain shift and rapid local adaptation in CD-FFT substantially amplify its susceptibility to backdoor attacks. Existing studies have just revealed the vulnerability of CD-FFT to backdoor threats, but fall short of exploring robust defense solutions. To bridge this gap, we first systematically evaluate the transferability of existing FL backdoor defenses to the CD-FFT setting, revealing their limited effectiveness under this more challenging scenario. Motivated by this, we propose Beacon, an innovative backdoor defense framework that decouples gradient behaviors at a fine granularity to uncovers malicious signals. Specifically, we creates a novel Task-Deviation Orthogonal Disentanglement (TDOD) module, which orthogonally decomposes client updates into consensus and deviation components, enabling joint reasoning over benign contribution and suspicious divergence. Furthermore, a Classification Head Inconsistency Forensics module is designed to capture boundary-shifting artifacts by traversing per-class gradients, thus identifying label-wise anomalies indicative of targeted tampering. Consequently, Beacon enables effective, robust, and domain-adaptive backdoor defense in CD-FFT. Extensive experiments across four cross-domain benchmarks and three backdoor variants demonstrate that Beacon consistently suppresses attack success rates to below 2\%, while preserving main task accuracy, significantly outperforming seven state-of-the-art defenses in this challenging setting.
Supplementary Material: zip
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 3004