FEDGRAD: Mitigating backdoor attacks in federated learning through local ultimate gradients inspection

Date
2023-04-29
Author
Nguyen, Thuy Dung
Nguyen, Duy Anh
Wong, Kok-Seng
Pham, H. Hieu
Nguyen, Thanh Hung
Nguyen, Phi Le
Abstract
Federated learning (FL) enables multiple clients to train a model without compromising sensitive data. However, the decentralized nature of FL makes it susceptible to adversarial attacks, particularly backdoor insertion during training. One such attack, the edge-case backdoor attack, which employs the tail of the data distribution, has emerged as a powerful attack strategy. This raises concerns about the limitations of current defenses and their robustness.
Most existing defenses fail to completely eliminate edge-case backdoor attacks or suffer from a trade-off between defending against backdoors and maintaining overall performance on the primary task. To address this challenge, we propose **FedGrad**, a novel defense mechanism that is resistant to backdoor attacks, including the edge-case backdoor attack, and performs effectively under heterogeneous client data and a large number of compromised clients.
FedGrad employs a two-layer filtering mechanism that analyzes the ultimate layer’s gradient to identify suspicious local updates and removes them from the aggregation process. Our experiments show that **FedGrad** significantly outperforms state-of-the-art defense methods in various attack scenarios. Notably, FedGrad can identify malicious participants almost 100% correctly, resulting in a substantial reduction in the backdoor effect (with backdoor accuracy dropping to less than 8%) without compromising the main task's accuracy.