HoneyFL: Using Honeypots to Catch Backdoors in Federated Learning
Authors: Haibin Zheng, Wenjie Shen, Jinyin Chen
Journal: IET Image Processing, Volume 19, Issue 1 (Journal Article), published 2025-09-09
DOI: 10.1049/ipr2.70201
URL: https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ipr2.70201
Citations: 0
Abstract
Federated learning (FL) has been revealed as vulnerable to backdoor attacks since the server cannot directly access the locally collected data of clients, even if they are malicious. Many efforts either try to validate the global model with trusted clients, or try to make it difficult or costly to upload malicious updates. Unfortunately, the existing solutions are still challenged in defending against stealthy backdoor attacks or negative impacts brought to the aggregation, especially in the non-independent and identically distributed setting. Moreover, these methods overlook the threat of adaptive attacks, that is, attacks in which the attackers fully know the defense implementation. To address these issues, we propose a novel run-time defense against diverse backdoor attacks, dubbed HoneyFL. It differs from previous works in three key aspects: (1) effectiveness - it is capable of defending against stealthy backdoors through leveraging honeypot clients; (2) aggregation - it promises effective aggregation since only a limited number of honeypot clients are used; (3) robustness - it can handle adaptive backdoor attacks based on differential prediction. Compared with five state-of-the-art defense baselines, extensive experiments show that HoneyFL produces a higher backdoor detection success rate above 97% and a lower false positive rate below 3%, where seven attacks generate backdoor examples. Its impact on the aggregation results of the main task is negligible. We also show that the defense success rate of HoneyFL against adaptive attacks is approximately 3.52 of the baselines on average.
About the journal:
The IET Image Processing journal encompasses research areas related to the generation, processing and communication of visual information. The focus of the journal is the coverage of the latest research results in image and video processing, including image generation and display, enhancement and restoration, segmentation, colour and texture analysis, coding and communication, implementations and architectures as well as innovative applications.
Principal topics include:
Generation and Display - Imaging sensors and acquisition systems, illumination, sampling and scanning, quantization, colour reproduction, image rendering, display and printing systems, evaluation of image quality.
Processing and Analysis - Image enhancement, restoration, segmentation, registration, multispectral, colour and texture processing, multiresolution processing and wavelets, morphological operations, stereoscopic and 3-D processing, motion detection and estimation, video and image sequence processing.
Implementations and Architectures - Image and video processing hardware and software, design and construction, architectures and software, neural, adaptive, and fuzzy processing.
Coding and Transmission - Image and video compression and coding, compression standards, noise modelling, visual information networks, streamed video.
Retrieval and Multimedia - Storage of images and video, database design, image retrieval, video annotation and editing, mixed media incorporating visual information, multimedia systems and applications, image and video watermarking, steganography.
Applications - Innovative application of image and video processing technologies to any field, including life sciences, earth sciences, astronomy, document processing and security.