Detection and defense scheme for backdoor attacks in federated learning

doi:10.11772/j.issn.1001-9081.2024081120

Journal of Computer Applications ›› 2025, Vol. 45 ›› Issue (8): 2399-2408.DOI: 10.11772/j.issn.1001-9081.2024081120

• National Open Distributed and Parallel Computing Conference 2024 (DPCS 2024） • Previous Articles

Detection and defense scheme for backdoor attacks in federated learning

Jintao SU¹^,², Lina GE¹^,²^,³(), Liguang XIAO¹^,², Jing ZOU¹^,², Zhe WANG¹^,²

^1.School of Artificial Intelligence，Guangxi Minzu University，Nanning Guangxi 530006，China
^2.Key Laboratory of Network Communication Engineering，Guangxi Minzu University，Nanning Guangxi 530006，China
^3.Guangxi Key Laboratory of Hybrid Computation and IC Design Analysis （Guangxi Minzu University），Nanning Guangxi 530006，China

Received:2024-08-09 Revised:2024-08-21 Accepted:2024-09-02 Online:2024-09-12 Published:2025-08-10
Contact: Lina GE
About author:SU Jintao， born in 1997， M. S. candidate. His research interests include federated learning， cybersecurity.
XIAO Liguang， born in 1997， M. S. candidate. His research interests include federated learning， cybersecurity.
ZOU Jing， born in 1994， M. S. candidate. His research interests include machine learning， cybersecurity.
WANG Zhe， born in 1991， Ph. D.， associate professor. His research interests include machine learning， cybersecurity.
Supported by:
National Natural Science Foundation of China(61862007);Guangxi Natural Science Foundation General Project(2024GXNSFAA010111)

联邦学习中针对后门攻击的检测与防御方案

苏锦涛¹^,², 葛丽娜¹^,²^,³(), 肖礼广¹^,², 邹经¹^,², 王哲¹^,²

^1.广西民族大学人工智能学院，南宁 530006
^2.广西民族大学网络通信工程重点实验室，南宁 530006
^3.广西混杂计算与集成电路设计分析重点实验室（广西民族大学），南宁 530006

通讯作者: 葛丽娜
作者简介:苏锦涛（1997—），男，广东汕尾人，硕士研究生，CCF会员，主要研究方向：联邦学习、网络安全
肖礼广（1997—），男，江西吉安人，硕士研究生，CCF会员，主要研究方向：联邦学习、网络安全
邹经（1994—），男，江西宜春人，硕士研究生，CCF会员，主要研究方向：机器学习、网络安全
王哲（1991—），男，河南南阳人，副教授，博士，CCF会员，主要研究方向：机器学习、网络安全。
基金资助:
国家自然科学基金资助项目(61862007);广西自然科学基金面上项目(2024GXNSFAA010111)

Abstract

Abstract:

Aiming at the commonly existing malicious backdoor attacks in Federated Learning （FL） systems， and the difficulty of achieving a balance between high accuracy of privacy protection and model training in the existing defense schemes， the backdoor attacks and their defense methods in FL were explored， a safe and efficient integrated scheme called GKFL （Generative Knowledge-based Federated Learning） was proposed to detect backdoor attacks and repair damaged models. In this scheme， there was no need to access original privacy data of the participants， detection data were generated through the central server to detect whether the aggregation model in federal learning was backdoor attacked， and knowledge distillation technology was used to repair the damaged models， thereby ensuring integrity and accuracy of the models. Experimental results on datasets MNIST and Fashion-MNIST show that the overall performance of GKFL is better than that of classic schemes such as FoolsGold， GeoMed， and RFA （Robust Aggregation Algorithm）； GKFL can better protect data privacy than FoolsGold. It can be seen that GKFL scheme has the ability to detect backdoor attacks and repair the damaged models， and is better than the comparison schemes significantly in terms of model poisoning accuracy and the accuracy of model main task.

Key words: Federated Learning (FL), backdoor attack, data security, privacy protection, artificial intelligence security

摘要：

针对联邦学习（FL）系统中普遍存在的恶意后门攻击行为，以及现有防御方案难以在隐私保护与模型训练的高准确率之间取得平衡的难题，探索FL中的后门攻击及其防御方法，提出一种名为GKFL （Generative Knowledge-based Federated Learning）的安全高效集成方案用于检测后门攻击并修复受损模型。该方案无需访问参与方的原始隐私数据，通过中央服务器生成检测数据检测联邦学习中的聚合模型是否遭受后门入侵，并采用知识蒸馏技术恢复受损模型，从而确保模型的完整性和准确性。在数据集MNIST和Fashion-MNIST上的实验结果表明，GKFL的总体性能均优于经典方案FoolsGold、GeoMed和RFA （Robust Federated Aggregation）；GKFL比FoolsGold更能保护数据的隐私。可见，GKFL方案拥有检测后门攻击及修复受损模型的能力，并在模型中毒准确率和模型主任务准确率上明显优于对比方案。

关键词: 联邦学习, 后门攻击, 数据安全, 隐私保护, 人工智能安全

CLC Number:

TP393

Jintao SU, Lina GE, Liguang XIAO, Jing ZOU, Zhe WANG. Detection and defense scheme for backdoor attacks in federated learning[J]. Journal of Computer Applications, 2025, 45(8): 2399-2408.

苏锦涛, 葛丽娜, 肖礼广, 邹经, 王哲. 联邦学习中针对后门攻击的检测与防御方案[J]. 《计算机应用》唯一官方网站, 2025, 45(8): 2399-2408.

Figures/Tables 10

Fig. 1 Federated learning framework

Fig. 2 Overall flow of proposed scheme

Tab. 1 Description of symbols

符号	含义
$P d a t a (x)$	真实数据分布
$P z (z)$	随机向量分布
$G (z)$	生成器输出
$D (x)$	$x$ 为真实数据而非生成器生成数据的输出

Tab. 1 Description of symbols

符号	含义
$P d a t a (x)$	真实数据分布
$P z (z)$	随机向量分布
$G (z)$	生成器输出
$D (x)$	$x$ 为真实数据而非生成器生成数据的输出

Fig. 3 Poisoning accuracy and main task accuracy on MNIST dataset before and after GKFL defense under single attacker

Fig. 4 Poisoning accuracy and main task accuracy on MNIST dataset before and after GKFL defense under multiple attackers

Fig. 5 Poisoning accuracy and main task accuracy on Fashion-MNIST dataset before and after GKFL defense under single attacker

Fig. 6 Poisoning accuracy and main task accuracy on Fashion-MNIST dataset before and after GKFL defense under multiple attackers

Fig. 7 Comparison of main task accuracy and poisoning accuracy of GKFL， FoolsGold， GeoMed， and RFA under single attacker and multiple attackers on MNIST dataset

Fig. 8 Comparison of main task accuracy and poisoning accuracy of GKFL， FoolsGold， GeoMed， and RFA under single attacker and multiple attackers on Fashion-MNIST dataset

Tab. 2 Ablation experimental results

消融设置	场景1		场景2		场景3		场景4
消融设置	主任务准确率	中毒准确率	主任务准确率	中毒准确率	主任务准确率	中毒准确率	主任务准确率	中毒准确率
A	0.88	0.92	0.85	0.95	0.87	0.90	0.85	0.92
B	0.89	0.54	0.87	0.43	0.87	0.50	0.85	0.61
C	0.90	0.31	0.87	0.38	0.87	0.43	0.86	0.53
D	0.92	0.02	0.91	0.02	0.88	0.03	0.86	0.04

References 27

[1]	YANG Q， LIU Y， CHEN T， et al. Federated machine learning： concept and applications［J］. ACM Transactions on Intelligent Systems and Technology， 2019， 10（2）： No.12.
[2]	肖雄，唐卓，肖斌，等. 联邦学习的隐私保护与安全防御研究综述［J］.计算机学报， 2023， 46（5）： 1019-1044.
	XIAO X， TANG Z， XIAO B， et al. A survey on privacy and security issues in federated learning［J］. Chinese Journal of Computers， 2023， 46（5）：1019-1044.
[3]	陈学斌，任志强，张宏扬. 联邦学习中的安全威胁与防御措施综述［J］. 计算机应用， 2024， 44（6）： 1663-1672.
	CHEN X B， REN Z Q， ZHANG H Y. Review on security threats and defense measures in federated learning［J］. Journal of Computer Applications， 2024， 44（6）： 1663-1672.
[4]	顾育豪，白跃彬. 联邦学习模型安全与隐私研究进展［J］. 软件学报， 2023， 34（6）：2833-2864.
	GU Y H， BAI Y B. Survey on security and privacy of federated learning models［J］. Journal of Software， 2023， 34（6）：2833-2864.
[5]	NGUYEN T D， NGUYEN T， LE NGUYEN P， et al. Backdoor attacks and defenses in federated learning： survey， challenges and future research directions［J］. Engineering Applications of Artificial Intelligence， 2024， 127（Pt A）： No.107166.
[6]	MAO J， QIAN Y， HUANG J， et al. Object-free backdoor attack and defense on semantic segmentation［J］. Computers and Security， 2023， 132： No.103365.
[7]	GONG X， CHEN Y， HUANG H， et al. Coordinated backdoor attacks against federated learning with model-dependent triggers［J］. IEEE Network， 2022， 36（1）： 84-90.
[8]	ZOU T， LIU Y， KANG Y， et al. Defending batch-level label inference and replacement attacks in vertical federated learning［J］. IEEE Transactions on Big Data， 2024， 10（6）： 1016-1027.
[9]	ZHOU X， XU M， WU Y， et al. Deep model poisoning attack on federated learning［J］. Future Internet， 2021， 13（3）： No.73.
[10]	LI T， SAHU A K， TALWALKAR A， et al. Federated learning： challenges， methods， and future directions［J］. IEEE Signal Processing Magazine， 2020， 37（3）： 50-60.
[11]	XUE M， HE C， WANG J， et al. One-to-N & N-to-One： two advanced backdoor attacks against deep learning models［J］. IEEE Transactions on Dependable and Secure Computing， 2022， 19（3）： 1562-1578.
[12]	SAXENA D， CAO J. Generative Adversarial Networks （GANs）： challenges， solutions， and future directions［J］. ACM Computing Surveys， 2022， 54（3）： No.63.
[13]	GOU J， YU B， MAYBANK S J， et al. Knowledge distillation： a survey［J］. International Journal of Computer Vision， 2021， 129（6）： 1789-1819.
[14]	LeCUN Y， BENGIO Y， HINTON G. Deep learning［J］. Nature， 2015， 521（7553）： 436-444.
[15]	VERBRAEKEN J， WOLTING M， KATZY J， et al. A survey on distributed machine learning［J］. ACM Computing Surveys， 2021， 53（2）： No.30.
[16]	ALEDHARI M， RAZZAK R， PARIZI R M， et al. Federated learning： a survey on enabling technologies， protocols， and applications［J］. IEEE Access， 2020， 8： 140699-140725.
[17]	LI X L. Preconditioned stochastic gradient descent［J］. IEEE Transactions on Neural Networks and Learning Systems， 2018， 29（5）： 1454-1466.
[18]	XUE M， NI S， WU Y， et al. Imperceptible and multi-channel backdoor attack［J］. Applied Intelligence， 2024， 54（1）： 1099-1116.
[19]	YERLIKAYA F A， BAHTIYA Ş. Data poisoning attacks against machine learning algorithms［J］. Expert Systems with Applications， 2022， 208： No.118101.
[20]	KOH P W， STEINHARDT J， LIANG P， et al. Stronger data poisoning attacks break data sanitization defenses［J］. Machine Learning， 2022， 111（1）： 1-47.
[21]	LU S， LI R， CHEN X， et al. Defense against local model poisoning attacks to byzantine-robust federated learning［J］. Frontiers of Computer Science， 2022， 16（6）： No.166337.
[22]	LI J， LI Z， ZHANG H， et al. Poison attack and poison detection on deep source code processing models［J］. ACM Transactions on Software Engineering and Methodology， 2024， 33（3）： No.62.
[23]	FUNG C， YOON C J M， BESCHASTNIK I. Mitigating sybils in federated learning poisoning［EB/OL］. ［2024-07-11］..
[24]	CHEN Y， SU L， XU J. Distributed statistical machine learning in adversarial settings： Byzantine gradient descent［J］. ACM SIGMETRICS Performance Evaluation Review， 2018， 46（1）： 96-96.
[25]	PILLUTLA K， KAKADE S M， HARCHAOUI Z， et al. Robust aggregation for federated learning［J］. IEEE Transactions on Signal Processing， 2022， 70： 1142-1154.
[26]	BLANCHARD P， MHAMDI E M EL， GUERRAOUI R， et al. Machine learning with adversaries： Byzantine tolerant gradient descent［C］// Proceedings of the 31st International Conference on Neural Information Processing Systems. Red Hook： Curran Associates Inc.， 2017： 118-128.
[27]	MUÑOZ-GONZÁLEZ L， CO K T， LUPU E C， et al. Byzantine-robust federated machine learning through adaptive model averaging［EB/OL］. ［2024-07-11］..

Detection and defense scheme for backdoor attacks in federated learning

联邦学习中针对后门攻击的检测与防御方案

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 27

Related Articles 15

Recommended Articles

Metrics

[1]	Lina GE, Mingyu WANG, Lei TIAN. Review of research on efficiency of federated learning [J]. Journal of Computer Applications, 2025, 45(8): 2387-2398.
[2]	Gaimei GAO, Miaolian DU, Chunxia LIU, Yuli YANG, Weichao DANG, Guoxia DI. Privacy protection method for consortium blockchain based on SM2 linkable ring signature [J]. Journal of Computer Applications, 2025, 45(5): 1564-1572.
[3]	Yiming ZHANG, Tengfei CAO. Federated learning optimization algorithm based on local drift and diversity computing power [J]. Journal of Computer Applications, 2025, 45(5): 1447-1454.
[4]	Qingli CHEN, Yuanbo GUO, Chen FANG. Clustering federated learning algorithm for heterogeneous data [J]. Journal of Computer Applications, 2025, 45(4): 1086-1094.
[5]	Baoyin WANG, Hongmei XUE, Qilie LIU, Tao GUO. Privacy-preserving random consensus asset cross-chain scheme [J]. Journal of Computer Applications, 2025, 45(2): 497-505.
[6]	Shufen ZHANG, Hongyang ZHANG, Zhiqiang REN, Xuebin CHEN. Survey of fairness in federated learning [J]. Journal of Computer Applications, 2025, 45(1): 1-14.
[7]	Zheyuan SHEN, Keke YANG, Jing LI. Personalized federated learning method based on dual stream neural network [J]. Journal of Computer Applications, 2024, 44(8): 2319-2325.
[8]	Xuebin CHEN, Zhiqiang REN, Hongyang ZHANG. Review on security threats and defense measures in federated learning [J]. Journal of Computer Applications, 2024, 44(6): 1663-1672.
[9]	Peiqian LIU, Shuilian WANG, Zihao SHEN, Hui WANG. Location privacy protection algorithm based on trajectory perturbation and road network matching [J]. Journal of Computer Applications, 2024, 44(5): 1546-1554.
[10]	Meihong CHEN, Lingyun YUAN, Tong XIA. Data classified and graded access control model based on master-slave multi-chain [J]. Journal of Computer Applications, 2024, 44(4): 1148-1157.
[11]	Gaimei GAO, Jin ZHANG, Chunxia LIU, Weichao DANG, Shangwang BAI. Privacy protection scheme for crowdsourced testing tasks based on blockchain and CP-ABE policy hiding [J]. Journal of Computer Applications, 2024, 44(3): 811-818.
[12]	Haifeng MA, Yuxia LI, Qingshui XUE, Jiahai YANG, Yongfu GAO. Attribute-based encryption scheme for blockchain privacy protection [J]. Journal of Computer Applications, 2024, 44(2): 485-489.
[13]	Yiting WANG, Wunan WAN, Shibin ZHANG, Jinquan ZHANG, Zhi QIN. Linkable ring signature scheme based on SM9 algorithm [J]. Journal of Computer Applications, 2024, 44(12): 3709-3716.
[14]	Jing LIANG, Wunan WAN, Shibin ZHANG, Jinquan ZHANG, Zhi QIN. Traceability storage model of charity system oriented to master-slave chain [J]. Journal of Computer Applications, 2024, 44(12): 3751-3758.
[15]	Peng FANG, Fan ZHAO, Baoquan WANG, Yi WANG, Tonghai JIANG. Development， technologies and applications of blockchain 3.0 [J]. Journal of Computer Applications, 2024, 44(12): 3647-3657.