LG, CR | Sep 9, 2025

Hammer and Anvil: A Principled Defense Against Backdoors in Federated Learning

arXiv:2509.08089v1 | h-index: 6
AI Analysis

This paper addresses the problem of robust security in federated learning for distributed systems, offering a novel defense against adaptive backdoor attacks, though it appears incremental as it builds on existing defense principles.

The paper tackles backdoor attacks in federated learning by introducing a new adaptive adversary that breaks existing defenses with only 1-2 malicious clients out of 20, and proposes Hammer and Anvil, a principled defense combining orthogonal methods, with Krum+ successfully defending against this adversary and state-of-the-art attacks.

Federated Learning is a distributed learning technique in which multiple clients cooperate to train a machine learning model. Distributed settings facilitate backdoor attacks by malicious clients, who can embed malicious behaviors into the model during their participation in the training process. These malicious behaviors are activated during inference by a specific trigger. No defense against backdoor attacks has stood the test of time, especially against adaptive attackers, a powerful but not fully explored category of attackers. In this work, we first devise a new adaptive adversary that surpasses existing adversaries in capabilities, yielding attacks that only require one or two malicious clients out of 20 to break existing state-of-the-art defenses. Then, we present Hammer and Anvil, a principled defense approach that combines two defenses orthogonal in their underlying principle to produce a combined defense that, given the right set of parameters, must succeed against any attack. We show that our best combined defense, Krum+, is successful against our new adaptive adversary and state-of-the-art attacks.
