Overview of backdoor attacks and defense in federated learning

doi:10.11772/j.issn.1001-9081.2023111653

Journal of Computer Applications ›› 2024, Vol. 44 ›› Issue (11): 3459-3469.DOI: 10.11772/j.issn.1001-9081.2023111653

• Cyber security • Previous Articles Next Articles

Overview of backdoor attacks and defense in federated learning

Xuebin CHEN¹^,²^,³, Changsheng QU¹^,²^,³()

^1.College of Sciences，North China University of Science and Technology，Tangshan Hebei 063210，China
^2.Hebei Provincial Key Laboratory of Data Science and Application （North China University of Science and Technology），Tangshan Hebei 063210，China
^3.Key Laboratory of Tangshan Data Science （North China University of Science and Technology），Tangshan Hebei 063210，China

Received:2023-12-01 Revised:2024-07-02 Accepted:2024-07-03 Online:2024-11-13 Published:2024-11-10
Contact: Changsheng QU
About author:CHEN Xuebin， born in 1970， Ph. D， professor. His research interests include big data security， internet of things security， network security.
Supported by:
National Natural Science Foundation of China(U20A20179)

面向联邦学习的后门攻击与防御综述

陈学斌¹^,²^,³, 屈昌盛¹^,²^,³()

^1.华北理工大学理学院，河北唐山 063210
^2.河北省数据科学与应用重点实验室（华北理工大学），河北唐山 063210
^3.唐山市数据科学重点实验室（华北理工大学），河北唐山 063210

通讯作者: 屈昌盛
作者简介:陈学斌（1970—），男，河北唐山人，教授，博士，CCF杰出会员，主要研究方向：大数据安全、物联网安全、网络安全
基金资助:
国家自然科学基金资助项目(U20A20179)

Abstract

Abstract:

Federated Learning （FL） is a distributed machine learning approach that allows different participants to train a machine model collaboratively using their respective local datasets， addressing issues such as data island and user privacy protection. However， due to the inherent distributed nature of FL， it is more susceptible to backdoor attacks， posing greater challenges in practical applications of FL. Therefore， a deep understanding of backdoor attacks and defense methods in FL environment is crucial for the advancement of this field. Firstly， the definition， process， and classification of federated learning， as well as the definition of backdoor attacks， were introduced. Then， detailed representation and analysis were performed on both backdoor attacks and defense schemes in FL environment. Moreover， comparisons of backdoor attacks and defense methods were conducted. Finally， the development of backdoor attacks and defense methods in the FL environment were prospected.

Key words: Federated Learning (FL), backdoor attack, backdoor defense, privacy protection, machine learning

摘要：

联邦学习（FL）作为一种分布式的机器学习方法，允许不同参与方利用各自的本地数据集合作训练一个机器模型，因此能够解决数据孤岛与用户隐私保护问题。但是，FL本身的分布式特性使它更容易受到后门攻击，这为它的实际应用带来了更大的挑战。因此，深入了解FL环境下的后门攻击与防御方法对该领域的发展至关重要。首先，介绍了FL的定义、流程和分类以及后门攻击的定义；其次，从FL环境下的后门攻击和后门防御方案这两个方面进行了详细介绍与分析，并对后门攻击和后门防御方法进行对比；最后，对FL环境下的后门攻击与防御方法的发展进行了展望。

关键词: 联邦学习, 后门攻击, 后门防御, 隐私保护, 机器学习

CLC Number:

TP309.2

Xuebin CHEN, Changsheng QU. Overview of backdoor attacks and defense in federated learning[J]. Journal of Computer Applications, 2024, 44(11): 3459-3469.

陈学斌, 屈昌盛. 面向联邦学习的后门攻击与防御综述[J]. 《计算机应用》唯一官方网站, 2024, 44(11): 3459-3469.

Figures/Tables 8

References 73

1	姚佳伟，郭荣，杨雅兰，等.多元共治下App用户信息泄露风险及应对［J］.数字通信世界，2022（6）：188-190.
	YAO J W， GUO R， YANG Y L， et al. Risk and countermeasures of App user information disclosure under multiple governance［J］. Digital Communication World， 2022（6）：188-190.
2	冯占英，陈锐，张玉，等.公民个人信息泄露问题现状分析及对策［J］.中华医学图书情报杂志，2022，31（6）：9-19.
	FENG Z Y， CHEN R， ZHANG Y， et al. Status quo of citizens' personal information leakage and research on countermeasures［J］. Chinese Journal of Medical Library and Information Science， 2022， 31（6）：9-19.
3	肖雄，唐卓，肖斌，等. 联邦学习的隐私保护与安全防御研究综述［J］. 计算机学报， 2023， 46（5）：1019-1044.
	XIAO X， TANG Z， XIAO B， et al. A survey on privacy and security issues in federated learning［J］. Chinese Journal of Computers， 2023， 46（5）： 1019-1044.
4	BAGDASARYAN E， VEIT A， HUA Y， et al. How to backdoor federated learning［C］// Proceedings of the 23rd International Conference on Artificial Intelligence and Statistics. New York： JMLR， 2020： 2938-2948.
5	YOO K Y， KWAK N. Backdoor attacks in federated learning by rare embeddings and gradient ensembling［C］// Proceedings of the 2022 Conference on Empirical Methods in Natural Language Processing. Stroudsburg， PA： ACL， 2022： 72-88.
6	NGUYEN T D， RIEGER P， MIETTINEN M， et al. Poisoning attacks on federated learning-based IoT intrusion detection system［C］// Proceedings of the 2020 Workshop on Decentralized IoT Systems and Security. Reston， VA： Internet Society， 2020： 1-7.
7	MENG D， WANG X， WANG J. Backdoor attack against automatic speaker verification models in federated learning［C］// Proceedings of the 2023 IEEE International Conference on Acoustics， Speech and Signal Processing. Piscataway： IEEE， 2023： 1-5.
8	YANG Q， LIU Y， CHEN T， et al. Federated machine learning： concept and applications［J］. ACM Transactions on Intelligent Systems and Technology， 2019， 10（2）： No.12.
9	KONEČNÝ J， McMAHAN H B， RAMAGE D， et al. Federated optimization： distributed machine learning for on-device intelligence［EB/OL］. ［2023-11-20］..
10	GU T， LIU K， DOLAN-GAVITT B， et al. BadNets： evaluating backdooring attacks on deep neural networks［J］. IEEE Access， 2019， 7： 47230-47244.
11	陈学斌，任志强，张宏扬. 联邦学习中的安全威胁与防御措施综述［J］. 计算机应用， 2024， 44（6）： 1663-1672.
	CHEN X B， REN Z Q， ZHANG H Y. Review on security threats and defense measures in federated learning［J］. Journal of Computer Applications， 2024， 44（6）： 1663-1672.
12	XIE C， HUANG K， CHEN P Y， et al. DBA： distributed backdoor attacks against federated learning［EB/OL］. ［2023-11-20］. .
13	顾育豪，白跃彬.联邦学习模型安全与隐私研究进展［J］.软件学报，2023，34（6）：2833-2864.
	GU Y H， BAI Y B. Survey on security and privacy of federated learning models［J］. Journal of Software， 2023， 34（6）：2833-2864.
14	NGUYEN T D， RIEGER P， CHEN H， et al. FLAME： taming backdoors in federated learning［C］// Proceedings of the 31st USENIX Security Symposium. Berkeley： USENIX Association， 2022： 1415-1432.
15	WANG Y， ZHAI D H， HAN D， et al. MITDBA： mitigating dynamic backdoor attacks in federated learning for IoT applications［J］. IEEE Internet of Things Journal， 2024， 11（6）：10115-10132.
16	GONG X， CHEN Y， HUANG H， et al. Coordinated backdoor attacks against federated learning with model-dependent triggers［J］. IEEE Network， 2022， 36（1）： 84-90.
17	YANG D， LUO S， ZHOU J， et al. Efficient and persistent backdoor attack by boundary trigger set constructing against federated learning［J］. Information Sciences， 2023， 651： No.119743.
18	LI H， YE Q， HU H， et al. 3DFeD： adaptive and extensible framework for covert backdoor attack in federated learning［C］// Proceedings of the 2023 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2023： 1893-1907.
19	LYU X， HAN Y， WANG W， et al. Poisoning with Cerberus： stealthy and colluded backdoor attack against federated learning［C］// Proceedings of the 37th AAAI Conference on Artificial Intelligence. Palo Alto， CA： AAAI Press， 2023： 9020-9028.
20	ZHANG H， JIA J， CHEN J， et al. A3FL： adversarially adaptive backdoor attacks to federated learning［C］// Proceedings of the 37th International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2023： 61213-61233.
21	NGUYEN D T， NGUYEN T， TRAN T A， et al. IBA： towards irreversible backdoor attacks in federated learning［C］// Proceedings of the 37th International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2023： 66364-66376.
22	LIU T， HU X， SHU T. Technical report： assisting backdoor federated learning with whole population knowledge alignment［EB/OL］. ［2023-11-18］..
23	WANG H， SREENIVASAN K， RAJPUT S， et al. Attack of the tails： yes， you really can backdoor federated learning［C］// Proceedings of the 34th International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2020： 16070-16084.
24	ZHANG J， CHEN B， CHENG X， et al. PoisonGAN： generative poisoning attacks against federated learning in edge computing systems［J］. IEEE Internet of Things Journal， 2021， 8（5）： 3310-3322.
25	PANIGRAHI S， BOUACIDA N， MOHAPATRA P. Double momentum backdoor attack in federated learning［J］. Journal of Student Research， 2023， 12（1）： No.3644.
26	SUN Z， KAIROUZ P， SURESH A T， et al. Can you really backdoor federated learning？［EB/OL］. ［2023-09-09］. .
27	BHAGOJI A N， CHAKRABORTY S， MITTAL P， et al. Analyzing federated learning through an adversarial lens［C］// Proceedings of the 36th International Conference on Machine Learning. New York： JMLR， 2019： 634-643.
28	BARUCH M， BARUCH G， GOLDBERG Y. A little is enough： circumventing defenses for distributed learning［C］// Proceedings of the 33rd International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2019： 8635-8645.
29	ZHOU X， XU M， WU Y， et al. Deep model poisoning attack on federated learning［J］. Future Internet， 2021， 13（3）： No.73.
30	ZHANG Z， PANDA A， SONG L， et al. Neurotoxin： durable backdoors in federated learning［C］// Proceedings of the 39th International Conference on Machine Learning. New York： JMLR， 2022： 26429-26446.
31	ZHUANG H， YU M， WANG H， et al. Backdoor federated learning by poisoning backdoor-critical layers［EB/OL］. ［2024-06-03］. .
32	WEN Y， GEIPING J， FOWL L， et al. Thinking two moves ahead： anticipating other users improves backdoor attacks in federated learning［EB/OL］. ［2023-10-20］..
33	LI H， WU C， ZHU S， et al. Learning to backdoor federated learning［EB/OL］. ［2023-10-25］..
34	ABAD G， PAGUADA S， ERSOY O， et al. Sniper backdoor： single client targeted backdoor attack in federated learning［C］// Proceedings of the 2023 IEEE Conference on Secure and Trustworthy Machine Learning. Piscataway： IEEE， 2023： 377-391.
35	LIU Y， YI Z， CHEN T. Backdoor attacks and defenses in feature-partitioned collaborative learning［EB/OL］. ［2023-09-20］..
36	ZOU T， LIU Y， KANG Y， et al. Defending batch-level label inference and replacement attacks in vertical federated learning［J］. IEEE Transactions on Big Data， 2022（Early Access）：1-12.
37	BLANCHARD P， MHAMDI E M EL， GUERRAOUI R， et al. Machine learning with adversaries： Byzantine tolerant gradient descent［C］// Proceedings of the 31st International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2017： 118-128.
38	YIN D， CHEN Y， KANNAN R， et al. Byzantine-robust distributed learning： towards optimal statistical rates［C］// Proceedings of the 35th International Conference on Machine Learning. New York： JMLR， 2018： 5650-5659.
39	NGUYEN T D， NGUYEN T， NGUYEN P L， et al. Backdoor attacks and defenses in federated learning： survey， challenges and future research directions［J］. Engineering Applications of Artificial Intelligence， 2024， 127（Pt A）： No.107166.
40	RIEGER P， NGUYEN T D， MIETTINEN M， et al. DeepSight： mitigating backdoor attacks in federated learning through deep model inspection［C］// Proceedings of the 2022 Network and Distributed System Security Symposium. Reston， VA： Internet Society， 2020： 1-18.
41	MHAMDI E M EL， GUERRAOUI R， ROUAULT S. The hidden vulnerability of distributed learning in Byzantium［C］// Proceedings of the 35th International Conference on Machine Learning. New York： JMLR， 2018： 3521-3530.
42	MUÑOZ-GONZÁLEZ L， CO K T， LUPU E C. Byzantine-robust federated machine learning through adaptive model averaging［EB/OL］. ［2023-09-09］..
43	CAO D， CHANG S， LIN Z， et al. Understanding distributed poisoning attack in federated learning［C］// Proceedings of the IEEE 25th International Conference on Parallel and Distributed Systems. Piscataway： IEEE， 2019： 233-239.
44	SATTLER F， MÜLLER K R， WIEGAND T， et al. On the Byzantine robustness of clustered federated learning［C］// Proceedings of the 2020 IEEE International Conference on Acoustics， Speech and Signal Processing. Piscataway： IEEE， 2020： 8861-8865.
45	ZHANG Z， CHEN D， ZHOU H， et al. Fed-FA： theoretically modeling client data divergence for federated language backdoor defense［C］// Proceedings of the 37th International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2023： 62006-62031.
46	LIU T， LI M， ZHENG H， et al. Evil vs evil： using adversarial examples to against backdoor attack in federated learning［J］. Multimedia Systems， 2023， 29： 553-568.
47	ZHANG J， ZHANG F， JIN Q， et al. XMAM： x-raying models with a matrix to reveal backdoor attacks for federated learning［J］. Digital Communications and Networks， 2023（Early Access）： 1-17.
48	MA Z， GAO T. Federated learning backdoor attack detection with persistence diagram［J］. Computers and Security， 2024， 136： No.103557.
49	PREUVENEERS D， RIMMER V， TSINGENOPOULOS I， et al. Chained anomaly detection models for federated learning： an intrusion detection case study［J］. Applied Sciences， 2018， 8（12）： No.2663.
50	NGUYEN T D， MARCHAL S， MIETTINEN M， et al. DÏoT： a federated self-learning anomaly detection system for IoT［C］// Proceedings of the IEEE 39th International Conference on Distributed Computing Systems. Piscataway： IEEE， 2019： 756-767.
51	LI S， CHENG Y， WANG W， et al. Learning to detect malicious clients for robust federated learning［EB/OL］. ［2023-10-03］..
52	WANG S， HAYASE J， FANTI G， et al. Towards a defense against federated backdoor attacks under continuous training［J/OL］. Transactions on Machine Learning Research， 2023 ［2023-10-03］. .
53	ZHANG Z， CAO X， JIA J， et al. FLDetector： defending federated learning against model poisoning attacks via detecting malicious clients［C］// Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. New York： ACM， 2022： 2545-2555.
54	LIAN W， ZHANG Y， CHEN X， et al. IPCADP-equalizer： an improved multibalance privacy preservation scheme against backdoor attacks in federated learning［J］. International Journal of Intelligent Systems， 2023， 2023： No.6357750.
55	CHEN Y， SU L， XU J. Distributed statistical machine learning in adversarial settings： Byzantine gradient descent［J］. Proceedings of the ACM on Measurement and Analysis of Computing Systems， 2017， 1（2）： 1-25.
56	BERNSTEIN J， ZHAO J， AZIZZADENESHELI K， et al. signSGD with majority vote is communication efficient and fault tolerant ［EB/OL］. ［2023-10-11］. .
57	OZDAYI M S， KANTARCIOGLU M， GEL Y R. Defending against backdoors in federated learning with robust learning rate［C］// Proceedings of the 35th AAAI Conference on Artificial Intelligence. Palo Alto， CA： AAAI Press， 2021： 9268-9276.
58	FUNG C， YOON C J M， BESCHASTNIKH I. The limitations of federated learning in sybil settings［C］// Proceedings of the 23rd International Symposium on Research in Attacks， Intrusions and Defenses. Berkeley： USENIX Association， 2020： 301-316.
59	RODRÍGUEZ-BARROSO N， MARTÍNEZ-CÁMARA E， VICTORIA LUZÓN M， et al. Backdoor attacks-resilient aggregation based on robust filtering of outliers in federated learning for image classification［J］. Knowledge-Based Systems， 2022， 245： No.108588.
60	WANG N， XIAO Y， CHEN Y， et al. FLARE： defending federated learning against model poisoning attacks via latent space representations［C］// Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security. New York： ACM， 2022： 946-958.
61	JEONG H， SON H， LEE S， et al. FedCC： robust federated learning against model poisoning attacks［EB/OL］. ［2024-07-15］..
62	JIN R， LI X. Backdoor attack and defense in federated generative adversarial network-based medical image synthesis［J］. Medical Image Analysis， 2023， 90： No.102965.
63	LI L， QIN J， LUO J. A blockchain-based federated-learning framework for defense against backdoor attack［J］. Electronics， 2023， 12（11）： No.2500.
64	WANG W， ZHANG C， LIU S， et al. FedMC： federated learning with mode connectivity against distributed backdoor attacks［C］// Proceedings of the 2023 IEEE International Conference on Communications. Piscataway： IEEE， 2023： 4873-4878.
65	XIE C， CHEN M， CHEN P Y， et al. CRFL： certifiably robust federated learning against backdoor attacks［C］// Proceedings of the 38th International Conference on Machine Learning. New York： JMLR， 2021： 11372-11382.
66	SUN J， LI A， DiVALENTIN L， et al. FL-WBC： enhancing robustness against model poisoning attacks in federated learning from a client perspective［C］// Proceedings of the 35th International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2021： 12613-12624.
67	ANDREINA S， MARSON G A， MÖLLERING H， et al. BaFFLe： backdoor detection via feedback-based federated learning［C］// Proceedings of the IEEE 41st International Conference on Distributed Computing Systems. Piscataway： IEEE， 2021： 852-863.
68	HUANG T， HU S， CHOW K H， et al. Lockdown： backdoor defense for federated learning with isolated subspace training［C］// Proceedings of the 37th International Conference on Neural Information Processing Systems. Red Hook， NY： Curran Associates Inc.， 2023： 10876-10896.
69	WU C， YANG X， ZHU S， et al. Mitigating backdoor attacks in federated learning［EB/OL］. ［2023-09-18］..
70	WU C， ZHU S， MITRA P. Federated unlearning with knowledge distillation［EB/OL］. ［2023-10-19］. .
71	ZHU C， ZHANG J， SUN X， et al. ADFL： defending backdoor attacks in federated learning via adversarial distillation［J］. Computers and Security， 2023， 132： No.103366.
72	NGUYEN T D， NGUYEN A D， NGUYEN T H， et al. FedGrad： mitigating backdoor attacks in federated learning through local ultimate gradients inspection［C］// Proceedings of the 2023 International Joint Conference on Neural Networks. Piscataway： IEEE， 2023： 1-10.
73	余晟兴，陈泽凯，陈钟，等. DAGUARD：联邦学习下的分布式后门攻击防御方案［J］. 通信学报， 2023， 44（5）：110-122.
	YU S X， CHEN Z K， CHEN Z， et al. DAGUARD： distributed backdoor attack defense scheme under federated learning［J］. Journal on Communications， 2023， 44（5）：110-122.

文献	名称	发表年份	攻击假设			数据分布	应用
文献	名称	发表年份	合谋	持续攻击	聚合阶段限制	数据分布	应用
［4］	模型替换攻击	2018	×	×	√	non-i.i.d	IC、NLP
［27］	AnaFL	2019	×	√	√	i.i.d	IC、LR
［6］	FL-IoT	2020	√	√	×	—	IoTD
［12］	DBA	2020	√	×	√	non-i.i.d	IC
［23］	Edge-case	2020	×	√	×	non-i.i.d	IC、NLP
［35］	GRA	2020	×	√	×	—	IC
［24］	PoisonGAN	2021	√	√	×	—	IC
［29］	DMPA	2021	×	×	×	non-i.i.d	IC
［5］	RE+CE	2022	√	√	×	non-i.i.d	NLP
［16］	CBA	2022	√	√	×	non-i.i.d	IC
［22］	WPKA-BA	2022	×	×	×	non-i.i.d	IC
［26］	PGD	2022	√	√	×	non-i.i.d	IC
［30］	Neurotoxin	2022	×	√	×	i.i.d/non-i.i.d	IC、NLP
［32］	Anticipate	2022	×	√	×	i.i.d/non-i.i.d	IC、NLP
［36］	GRA-HE	2022	×	√	×	i.i.d	IC
［33］	RLBFL	2023	√	√	×	i.i.d	IC
［18］	3DFed	2023	√	√	×	non-i.i.d	IC
［31］	BCL	2023	√	√	×	i.i.d/non-i.i.d	IC
［19］	CerP	2023	√	√	×	non-i.i.d	IC、L/CRA
［34］	Sniper	2023	×	×	√	i.i.d/non-i.i.d	IC
［17］	TSSO	2023	√	√	×	non-i.i.d	IC、L/CRA
［20］	A3FL	2023	√	√	×	non-i.i.d	IC
［21］	IBA	2023	×	√	×	non-i.i.d	IC

文献	名称	发表年份	攻击假设			数据分布	应用
文献	名称	发表年份	合谋	持续攻击	聚合阶段限制	数据分布	应用
［4］	模型替换攻击	2018	×	×	√	non-i.i.d	IC、NLP
［27］	AnaFL	2019	×	√	√	i.i.d	IC、LR
［6］	FL-IoT	2020	√	√	×	—	IoTD
［12］	DBA	2020	√	×	√	non-i.i.d	IC
［23］	Edge-case	2020	×	√	×	non-i.i.d	IC、NLP
［35］	GRA	2020	×	√	×	—	IC
［24］	PoisonGAN	2021	√	√	×	—	IC
［29］	DMPA	2021	×	×	×	non-i.i.d	IC
［5］	RE+CE	2022	√	√	×	non-i.i.d	NLP
［16］	CBA	2022	√	√	×	non-i.i.d	IC
［22］	WPKA-BA	2022	×	×	×	non-i.i.d	IC
［26］	PGD	2022	√	√	×	non-i.i.d	IC
［30］	Neurotoxin	2022	×	√	×	i.i.d/non-i.i.d	IC、NLP
［32］	Anticipate	2022	×	√	×	i.i.d/non-i.i.d	IC、NLP
［36］	GRA-HE	2022	×	√	×	i.i.d	IC
［33］	RLBFL	2023	√	√	×	i.i.d	IC
［18］	3DFed	2023	√	√	×	non-i.i.d	IC
［31］	BCL	2023	√	√	×	i.i.d/non-i.i.d	IC
［19］	CerP	2023	√	√	×	non-i.i.d	IC、L/CRA
［34］	Sniper	2023	×	×	√	i.i.d/non-i.i.d	IC
［17］	TSSO	2023	√	√	×	non-i.i.d	IC、L/CRA
［20］	A3FL	2023	√	√	×	non-i.i.d	IC
［21］	IBA	2023	×	√	×	non-i.i.d	IC

文献	名称	发表年份	防御时期	对抗假设		能力需求				应用
文献	名称	发表年份	防御时期	数据分布	污染比例	访问模型更新	客户端操作	历史存储	额外数据集	应用
［26］	Weak-DP	2019	In	non-i.i.d	3.3%	√	×	×	×	IC
［51］	VAE	2020	Pre	non-i.i.d	≤30%	√	×	×	√	IC、SA
［4］	DP	2020	In	non-i.i.d	≤5%	√	×	×	×	IC、NLP
［58］	FoolsGold	2020	In	i.i.d/non-i.i.d	—	√	×	√	×	IC
［57］	RLR	2021	In	i.i.d/non-i.i.d	10%	√	×	×	×	IC
［65］	CRFL	2021	In	non-i.i.d	≤4%	√	×	×	×	L/CRA、IC
［67］	BaFFLe	2021	In	non-i.i.d	<50%	√	√	√	×	IC
［66］	FL-WBC	2021	In	i.i.d/non-i.i.d	≤50%	×	√	×	×	IC
［69］	Neuron Pruning	2020	Post	non-i.i.d	≤10%	√	√	×	√	IC
［53］	FLDetector	2022	Pre	non-i.i.d	28%	√	×	√	×	IC
［46］	EVE	2022	Pre	non-i.i.d	40%	√	×	×	√	IC
［47］	XMAM	2022	Pre	non-i.i.d	<50%	√	×	×	×	IC
［40］	DeepSight	2022	Pre、In	i.i.d/non-i.i.d	≤45%	√	×	×	×	IC、NLP、IoTD
［14］	FLAME	2022	Pre、In	i.i.d/non-i.i.d	<50%	√	×	×	×	IC、NLP、IoTD
［59］	RFOut-1d	2022	In	non-i.i.d	<1%	√	×	×	×	IC
［60］	FLARE	2022	In	i.i.d/non-i.i.d	≤30%	√	×	×	√	IC
［61］	FedCC	2022	In	i.i.d/non-i.i.d	≤30%	√	×	×	×	IC
［36］	CAE	2022	In	non-i.i.d	—	×	√	×	×	IC
［62］	FedDetect	2022	In	i.i.d	25%	√	×	×	×	IC
［70］	KD-Unlearning	2022	Post	i.i.d	10%	√	×	√	√	IC
［48］	PH	2023	Pre	non-i.i.d	≤20%	√	×	×	√	IC
［72］	FedGrad	2023	Pre	i.i.d/non-i.i.d	25%	√	×	×	×	IC
［52］	SLDFL	2023	Pre	i.i.d/non-i.i.d	≤45%	√	√	×	√	IC
［45］	Fed-FA	2023	Pre	i.i.d/non-i.i.d	10%	√	√	×	√	NLP
［73］	DAGUARD	2023	Pre、In	non-i.i.d	40%	√	√	×	×	IC
［15］	MITDBA	2023	Pre、In	i.i.d/non-i.i.d	≤50%	√	×	×	×	IC
［54］	IPCADP	2023	In	i.i.d/non-i.i.d	≤20%	×	√	×	√	IC
［63］	DBFL	2023	In	i.i.d	10%	√	√	√	×	IC
［64］	FedMC	2023	In	-	≤100%	√	×	×	√	IC
［68］	Lockdown	2023	In、Post	i.i.d/non-i.i.d	≤40%	√	√	×	×	IC
［71］	ADFL	2023	Post	i.i.d/non-i.i.d	≤30%	√	×	×	√	IC

文献	名称	发表年份	防御时期	对抗假设		能力需求				应用
文献	名称	发表年份	防御时期	数据分布	污染比例	访问模型更新	客户端操作	历史存储	额外数据集	应用
［26］	Weak-DP	2019	In	non-i.i.d	3.3%	√	×	×	×	IC
［51］	VAE	2020	Pre	non-i.i.d	≤30%	√	×	×	√	IC、SA
［4］	DP	2020	In	non-i.i.d	≤5%	√	×	×	×	IC、NLP
［58］	FoolsGold	2020	In	i.i.d/non-i.i.d	—	√	×	√	×	IC
［57］	RLR	2021	In	i.i.d/non-i.i.d	10%	√	×	×	×	IC
［65］	CRFL	2021	In	non-i.i.d	≤4%	√	×	×	×	L/CRA、IC
［67］	BaFFLe	2021	In	non-i.i.d	<50%	√	√	√	×	IC
［66］	FL-WBC	2021	In	i.i.d/non-i.i.d	≤50%	×	√	×	×	IC
［69］	Neuron Pruning	2020	Post	non-i.i.d	≤10%	√	√	×	√	IC
［53］	FLDetector	2022	Pre	non-i.i.d	28%	√	×	√	×	IC
［46］	EVE	2022	Pre	non-i.i.d	40%	√	×	×	√	IC
［47］	XMAM	2022	Pre	non-i.i.d	<50%	√	×	×	×	IC
［40］	DeepSight	2022	Pre、In	i.i.d/non-i.i.d	≤45%	√	×	×	×	IC、NLP、IoTD
［14］	FLAME	2022	Pre、In	i.i.d/non-i.i.d	<50%	√	×	×	×	IC、NLP、IoTD
［59］	RFOut-1d	2022	In	non-i.i.d	<1%	√	×	×	×	IC
［60］	FLARE	2022	In	i.i.d/non-i.i.d	≤30%	√	×	×	√	IC
［61］	FedCC	2022	In	i.i.d/non-i.i.d	≤30%	√	×	×	×	IC
［36］	CAE	2022	In	non-i.i.d	—	×	√	×	×	IC
［62］	FedDetect	2022	In	i.i.d	25%	√	×	×	×	IC
［70］	KD-Unlearning	2022	Post	i.i.d	10%	√	×	√	√	IC
［48］	PH	2023	Pre	non-i.i.d	≤20%	√	×	×	√	IC
［72］	FedGrad	2023	Pre	i.i.d/non-i.i.d	25%	√	×	×	×	IC
［52］	SLDFL	2023	Pre	i.i.d/non-i.i.d	≤45%	√	√	×	√	IC
［45］	Fed-FA	2023	Pre	i.i.d/non-i.i.d	10%	√	√	×	√	NLP
［73］	DAGUARD	2023	Pre、In	non-i.i.d	40%	√	√	×	×	IC
［15］	MITDBA	2023	Pre、In	i.i.d/non-i.i.d	≤50%	√	×	×	×	IC
［54］	IPCADP	2023	In	i.i.d/non-i.i.d	≤20%	×	√	×	√	IC
［63］	DBFL	2023	In	i.i.d	10%	√	√	√	×	IC
［64］	FedMC	2023	In	-	≤100%	√	×	×	√	IC
［68］	Lockdown	2023	In、Post	i.i.d/non-i.i.d	≤40%	√	√	×	×	IC
［71］	ADFL	2023	Post	i.i.d/non-i.i.d	≤30%	√	×	×	√	IC

[1]	Zheyuan SHEN, Keke YANG, Jing LI. Personalized federated learning method based on dual stream neural network [J]. Journal of Computer Applications, 2024, 44(8): 2319-2325.
[2]	Zihao YAO, Yuanming LI, Ziqiang MA, Yang LI, Lianggen WEI. Multi-object cache side-channel attack detection model based on machine learning [J]. Journal of Computer Applications, 2024, 44(6): 1862-1871.
[3]	Xuebin CHEN, Zhiqiang REN, Hongyang ZHANG. Review on security threats and defense measures in federated learning [J]. Journal of Computer Applications, 2024, 44(6): 1663-1672.
[4]	Peiqian LIU, Shuilian WANG, Zihao SHEN, Hui WANG. Location privacy protection algorithm based on trajectory perturbation and road network matching [J]. Journal of Computer Applications, 2024, 44(5): 1546-1554.
[5]	Gaimei GAO, Jin ZHANG, Chunxia LIU, Weichao DANG, Shangwang BAI. Privacy protection scheme for crowdsourced testing tasks based on blockchain and CP-ABE policy hiding [J]. Journal of Computer Applications, 2024, 44(3): 811-818.
[6]	Wei SHE, Yang LI, Lihong ZHONG, Defeng KONG, Zhao TIAN. Hyperparameter optimization for neural network based on improved real coding genetic algorithm [J]. Journal of Computer Applications, 2024, 44(3): 671-676.
[7]	Yi ZHENG, Cunyi LIAO, Tianqian ZHANG, Ji WANG, Shouyin LIU. Image denoising-based cell-level RSRP estimation method for urban areas [J]. Journal of Computer Applications, 2024, 44(3): 855-862.
[8]	Haifeng MA, Yuxia LI, Qingshui XUE, Jiahai YANG, Yongfu GAO. Attribute-based encryption scheme for blockchain privacy protection [J]. Journal of Computer Applications, 2024, 44(2): 485-489.
[9]	Rui GAO, Xuebin CHEN, Zucuan ZHANG. Dynamic social network privacy publishing method for partial graph updating [J]. Journal of Computer Applications, 2024, 44(12): 3831-3838.
[10]	Miao JIA, Zhongyuan YAO, Weihua ZHU, Tingting GAO, Xueming SI, Xiang DENG. Progress and prospect of zero-knowledge proof enabling blockchain [J]. Journal of Computer Applications, 2024, 44(12): 3669-3677.
[11]	Yifan WANG, Shaofu LIN, Yunjiang LI. Highway free-flow tolling method based on blockchain and zero-knowledge proof [J]. Journal of Computer Applications, 2024, 44(12): 3741-3750.
[12]	Yiting WANG, Wunan WAN, Shibin ZHANG, Jinquan ZHANG, Zhi QIN. Linkable ring signature scheme based on SM9 algorithm [J]. Journal of Computer Applications, 2024, 44(12): 3709-3716.
[13]	Jing LIANG, Wunan WAN, Shibin ZHANG, Jinquan ZHANG, Zhi QIN. Traceability storage model of charity system oriented to master-slave chain [J]. Journal of Computer Applications, 2024, 44(12): 3751-3758.
[14]	Peng FANG, Fan ZHAO, Baoquan WANG, Yi WANG, Tonghai JIANG. Development， technologies and applications of blockchain 3.0 [J]. Journal of Computer Applications, 2024, 44(12): 3647-3657.
[15]	Jie WU, Xuezhong QIAN, Wei SONG. Personalized federated learning based on similarity clustering and regularization [J]. Journal of Computer Applications, 2024, 44(11): 3345-3353.

Overview of backdoor attacks and defense in federated learning

面向联邦学习的后门攻击与防御综述

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 73

Related Articles 15

Recommended Articles

Metrics