Siquan Huang , Yijiang Li , Chong Chen , Leyu Shi , Wentian Cai , Ying Gao
Knowledge-Based Systems, Volume 330, Article 114494. Journal article, published 2025-09-21. DOI: 10.1016/j.knosys.2025.114494. Source: https://www.sciencedirect.com/science/article/pii/S0950705125015333
FedCleanse: Cleanse the backdoor attacks in federated learning system
Federated learning (FL) enables multiple clients to collaboratively train an efficient deep-learning model without sharing their local data. However, due to its privacy-preserving nature, FL is vulnerable to backdoor attacks, which manipulate the model's behavior on adversary-chosen inputs. Existing defense methods are ineffective against sophisticated stealthy backdoors, suffering from either low benign performance or being too specific to certain assumptions and attacks. To handle the aforementioned issues, we present FedCleanse, a novel defense mechanism to address the backdoor attack in federated learning. In this work, we study the pruning-based approach, which has been proven effective but needs additional data for validation and suffers in highly non-IID scenarios. This paper proposes a post-aggregation approach, namely FedCleanse, to neutralize backdoor effects without needing additional clean data. Our approach identifies suspicious neurons using “neuron conductance” and subsequently suppresses them after the aggregation operation, which imposes minimal impact on benign neurons. Additionally, FedCleanse is complemented by strategic perturbations to prevent backdoor transfer. Through extensive experiments, our method demonstrates superior defense capabilities across various attack types and non-IID settings, surpassing the state-of-the-art by a large margin without compromising the main task’s performance.
About the journal:
Knowledge-Based Systems, an international and interdisciplinary journal in artificial intelligence, publishes original, innovative, and creative research results in the field. It focuses on knowledge-based and other artificial intelligence techniques-based systems. The journal aims to support human prediction and decision-making through data science and computation techniques, provide a balanced coverage of theory and practical study, and encourage the development and implementation of knowledge-based intelligence models, methods, systems, and software tools. Applications in business, government, education, engineering, and healthcare are emphasized.