FedDefender: Backdoor Attack Defense in Federated Learning

Waris Gill; Ali Anwar; Muhammad Ali Gulzar

doi:10.1145/3617574.3617858

FedDefender: Backdoor Attack Defense in Federated Learning

Waris Gill
, Ali Anwar
, Muhammad Ali Gulzar

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Scopus citations

Abstract

Federated Learning (FL) is a privacy-preserving distributed machine learning technique that enables individual clients (e.g., user participants, edge devices, or organizations) to train a model on their local data in a secure environment and then share the trained model with an aggregator to build a global model collaboratively. In this work, we propose FedDefender, a defense mechanism against targeted poisoning attacks in FL by leveraging differential testing. FedDefender first applies differential testing on clients' models using a synthetic input. Instead of comparing the output (predicted label), which is unavailable for synthetic input, FedDefender fingerprints the neuron activations of clients' models to identify a potentially malicious client containing a backdoor. We evaluate FedDefender using MNIST and FashionMNIST datasets with 20 and 30 clients, and our results demonstrate that FedDefender effectively mitigates such attacks, reducing the attack success rate (ASR) to 10% without deteriorating the global model performance.

Original language	English (US)
Title of host publication	SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with
Subtitle of host publication	ESEC/FSE 2023
Editors	Marsha Chechik, Sebastian Elbaum, Boyue Caroline Hu, Lina Marsso, Meriel von Stein
Publisher	Association for Computing Machinery, Inc
Pages	6-9
Number of pages	4
ISBN (Electronic)	9798400703799
DOIs	https://doi.org/10.1145/3617574.3617858
State	Published - Dec 4 2023
Event	1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, SE4SafeML 2023. Co-located with: ESEC/FSE 2023 - San Francisco, United States Duration: Dec 4 2023 → …

Publication series

Name	SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023

Conference

Conference	1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, SE4SafeML 2023. Co-located with: ESEC/FSE 2023
Country/Territory	United States
City	San Francisco
Period	12/4/23 → …

Bibliographical note

Publisher Copyright:
© 2023 Owner/Author.

Keywords

backdoor attack
deep learning
differential testing
fault localization
federated learning
poisoning attack
testing

Publisher link

10.1145/3617574.3617858

Find It

Find It at U of M Libraries

Cite this

Gill, W., Anwar, A., & Gulzar, M. A. (2023). FedDefender: Backdoor Attack Defense in Federated Learning. In M. Chechik, S. Elbaum, B. C. Hu, L. Marsso, & M. von Stein (Eds.), SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023 (pp. 6-9). (SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023). Association for Computing Machinery, Inc. https://doi.org/10.1145/3617574.3617858

FedDefender: Backdoor Attack Defense in Federated Learning. / Gill, Waris; Anwar, Ali; Gulzar, Muhammad Ali.
SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023. ed. / Marsha Chechik; Sebastian Elbaum; Boyue Caroline Hu; Lina Marsso; Meriel von Stein. Association for Computing Machinery, Inc, 2023. p. 6-9 (SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Gill, W, Anwar, A & Gulzar, MA 2023, FedDefender: Backdoor Attack Defense in Federated Learning. in M Chechik, S Elbaum, BC Hu, L Marsso & M von Stein (eds), SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023. SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023, Association for Computing Machinery, Inc, pp. 6-9, 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, SE4SafeML 2023. Co-located with: ESEC/FSE 2023, San Francisco, United States, 12/4/23. https://doi.org/10.1145/3617574.3617858

Gill W, Anwar A, Gulzar MA. FedDefender: Backdoor Attack Defense in Federated Learning. In Chechik M, Elbaum S, Hu BC, Marsso L, von Stein M, editors, SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023. Association for Computing Machinery, Inc. 2023. p. 6-9. (SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023). doi: 10.1145/3617574.3617858

Gill, Waris ; Anwar, Ali ; Gulzar, Muhammad Ali. / FedDefender : Backdoor Attack Defense in Federated Learning. SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023. editor / Marsha Chechik ; Sebastian Elbaum ; Boyue Caroline Hu ; Lina Marsso ; Meriel von Stein. Association for Computing Machinery, Inc, 2023. pp. 6-9 (SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023).

@inproceedings{75952893068847b89d27dd4f662e3a50,

title = "FedDefender: Backdoor Attack Defense in Federated Learning",

abstract = "Federated Learning (FL) is a privacy-preserving distributed machine learning technique that enables individual clients (e.g., user participants, edge devices, or organizations) to train a model on their local data in a secure environment and then share the trained model with an aggregator to build a global model collaboratively. In this work, we propose FedDefender, a defense mechanism against targeted poisoning attacks in FL by leveraging differential testing. FedDefender first applies differential testing on clients' models using a synthetic input. Instead of comparing the output (predicted label), which is unavailable for synthetic input, FedDefender fingerprints the neuron activations of clients' models to identify a potentially malicious client containing a backdoor. We evaluate FedDefender using MNIST and FashionMNIST datasets with 20 and 30 clients, and our results demonstrate that FedDefender effectively mitigates such attacks, reducing the attack success rate (ASR) to 10\% without deteriorating the global model performance.",

keywords = "backdoor attack, deep learning, differential testing, fault localization, federated learning, poisoning attack, testing",

author = "Waris Gill and Ali Anwar and Gulzar, \{Muhammad Ali\}",

note = "Publisher Copyright: {\textcopyright} 2023 Owner/Author.; 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, SE4SafeML 2023. Co-located with: ESEC/FSE 2023 ; Conference date: 04-12-2023",

year = "2023",

month = dec,

day = "4",

doi = "10.1145/3617574.3617858",

language = "English (US)",

series = "SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023",

publisher = "Association for Computing Machinery, Inc",

pages = "6--9",

editor = "Marsha Chechik and Sebastian Elbaum and Hu, \{Boyue Caroline\} and Lina Marsso and \{von Stein\}, Meriel",

booktitle = "SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with",

}

TY - GEN

T1 - FedDefender

T2 - 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, SE4SafeML 2023. Co-located with: ESEC/FSE 2023

AU - Gill, Waris

AU - Anwar, Ali

AU - Gulzar, Muhammad Ali

PY - 2023/12/4

Y1 - 2023/12/4

N2 - Federated Learning (FL) is a privacy-preserving distributed machine learning technique that enables individual clients (e.g., user participants, edge devices, or organizations) to train a model on their local data in a secure environment and then share the trained model with an aggregator to build a global model collaboratively. In this work, we propose FedDefender, a defense mechanism against targeted poisoning attacks in FL by leveraging differential testing. FedDefender first applies differential testing on clients' models using a synthetic input. Instead of comparing the output (predicted label), which is unavailable for synthetic input, FedDefender fingerprints the neuron activations of clients' models to identify a potentially malicious client containing a backdoor. We evaluate FedDefender using MNIST and FashionMNIST datasets with 20 and 30 clients, and our results demonstrate that FedDefender effectively mitigates such attacks, reducing the attack success rate (ASR) to 10% without deteriorating the global model performance.

AB - Federated Learning (FL) is a privacy-preserving distributed machine learning technique that enables individual clients (e.g., user participants, edge devices, or organizations) to train a model on their local data in a secure environment and then share the trained model with an aggregator to build a global model collaboratively. In this work, we propose FedDefender, a defense mechanism against targeted poisoning attacks in FL by leveraging differential testing. FedDefender first applies differential testing on clients' models using a synthetic input. Instead of comparing the output (predicted label), which is unavailable for synthetic input, FedDefender fingerprints the neuron activations of clients' models to identify a potentially malicious client containing a backdoor. We evaluate FedDefender using MNIST and FashionMNIST datasets with 20 and 30 clients, and our results demonstrate that FedDefender effectively mitigates such attacks, reducing the attack success rate (ASR) to 10% without deteriorating the global model performance.

KW - backdoor attack

KW - deep learning

KW - differential testing

KW - fault localization

KW - federated learning

KW - poisoning attack

KW - testing

UR - https://www.scopus.com/pages/publications/85180418935

UR - https://www.scopus.com/pages/publications/85180418935#tab=citedBy

U2 - 10.1145/3617574.3617858

DO - 10.1145/3617574.3617858

M3 - Conference contribution

AN - SCOPUS:85180418935

T3 - SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with: ESEC/FSE 2023

SP - 6

EP - 9

BT - SE4SafeML 2023 - Proceedings of the 1st International Workshop on Dependability and Trustworthiness of Safety-Critical Systems with Machine Learned Components, Co-located with

A2 - Chechik, Marsha

A2 - Elbaum, Sebastian

A2 - Hu, Boyue Caroline

A2 - Marsso, Lina

A2 - von Stein, Meriel

PB - Association for Computing Machinery, Inc

Y2 - 4 December 2023

ER -

FedDefender: Backdoor Attack Defense in Federated Learning

Abstract

Publication series

Conference

Bibliographical note

Keywords

Publisher link

Find It

Other files and links

Fingerprint

Cite this