Detecting Backdoor Attacks in Federated Learning via Direction Alignment Inspection

Unlike traditional centralized training methods, which require gathering and processing all data at a central location such as a server, Federated Learning (FL) [32], as a decentralized training paradigm, allows a global model to learn from data distributed across various local clients, thereby achieving the goal of privacy-preserving. During training, the server distributes the global model to local clients, and each client trains the received global model using its local dataset, and then submits its local model update to the server for global model refinement. FL has been applied in various fields, including healthcare[35], finance [28], and remote sensing [27], where local data privacy is essential.

Although promising, the distributed nature of FL systems makes them vulnerable to a range of advanced poisoning attacks [15, 26, 45]. This vulnerability primarily stems from the server’s lack of close monitoring of the local data and the training algorithm on clients. Consequently, this drawback allows attackers to compromise the data of local clients or interfere with the training algorithm, enabling them to inject malicious local model updates that distort the performance of the global model. For example, backdoor attacks [4, 48, 14, 54, 46] have gained significant attention due to their stealthiness and practical effectiveness. In detail, backdoor attacks in FL seek to preserve the performance of the global model on clean inputs (i.e., the main task), while inducing the global model to make incorrect predictions on inputs that contain a certain predefined feature (i.e., the backdoor task). As backdoor attacks maintain the main task and the backdoor task simultaneously, the malicious local model updates are statistically similar to benign ones [46, 36] (poison-coupling effect [20]), making anomaly detection more challenging on the server side.

Existing defense methods (i.e., aggregation rule) usually aim to identify malicious model updates and filter them out to achieve better robustness by magnitude-based metrics extracted from local model updates (e.g., Manhattan distance [19, 22] and Euclidean distance [6, 15]). However, magnitude-based metrics are ineffective in distinguishing stealthy backdoor attacks where benign and malicious model updates are usually similar in magnitude. Additionally, when the global model tends to converge, the magnitude of each model update becomes very small, making effective malicious manipulation on magnitude negligible. To this end, some works employ Cosine similarity to check the pair-wise directional information of model updates [11, 42, 36]. However, pair-wise Cosine similarity between two model updates only captures their general directional similarity and overlooks fine-grained information (e.g., signs of parameters), resulting in limited robustness. In addition, in FL settings with non-IID data, the pair-wise Cosine similarity of model updates can be easily perturbed by the naturally diverse benign model updates. Furthermore, there is a deficiency in theoretical analysis within the literature concerning the effects of data heterogeneity on defense methods deployed by the server in FL.

In this work, we propose a novel defense method designed to defend against backdoor attacks in FL, named AlignIns (Direction Alignment Inspection), which examines local model updates for directional alignment at different granularity levels to identify malicious updates. Specifically, after receiving all model updates from clients, AlignIns evaluates each update by (1) inspecting temporal directional alignment with the global model of the latest round with Cosine similarity and (2) assessing more fine-grained sign alignment with the principal sign across all updates with a novel metric sign alignment ratio. Particularly, when calculating the sign alignment ratio, AlignIns focuses on the signs of important parameters in each update to accurately capture alignment information. Using these two directional metrics, AlignIns performs anomaly detection with the robust $\mathrm{MZ\_score}$ which requires minimal hyperparameters to filter updates with unusual directional patterns out. Finally, AlignIns clips the remaining updates to mitigate the impact of updates with abnormally large magnitudes. We also provide a theoretical analysis of AlignIns’ robustness and its propagation error in FL. The main contributions of this work are three folds:

• •

  We present a novel defense method, AlignIns, to defend against backdoor attacks in FL. To the best of our knowledge, AlignIns is the first defense method in FL that analyzes the directional patterns of local model updates at different levels of granularity. AlignIns is fully compatible with existing FL frameworks.

• •

  To the best of our knowledge, we provide the first theoretical robustness analysis for a filtering-based defense method against backdoor attacks under non-IID data in FL. Moreover, we prove that the propagation error of AlignIns is bounded during the training of FL.

• •

  We empirically evaluate the effectiveness of AlignIns through extensive experiments on both IID and non-IID datasets against various state-of-the-art (SOTA) backdoor attacks. Compared to existing SOTA defense methods, AlignIns exhibits superior robustness.

Federated Learning. In a typical FL system, a central server controls a set of $n$ clients to train a global model $\theta\in\mathbb{R}^{d}$ collaboratively. The objective of FL is to solve the following optimization problem: $\min_{\theta}(1/n)\sum_{i=1}^{n}\mathcal{L}_{i}(\theta;\mathcal{D}_{i}),$ where $\mathcal{L}_{i}(\cdot)$ denotes the learning objective specific to client $i$ and $\mathcal{D}_{i}$ denotes the local dataset for client $i$. The commonly used method to solve this problem iteratively is FedAvg [33]. In detail, at round $t$ of FedAvg, each client $i\in[n]$ downloads the current global model $\theta^{t}$, updates it by optimizing its local objective, resulting in $\theta_{i}^{t}$, and transmits its model update $\Delta_{i}^{t}=\theta_{i}^{t}-\theta^{t}$ to the server. The server then refines the global model by averaging these updates as follows: $\theta^{t+1}=\theta^{t}+(1/n)\sum_{i=1}^{n}\Delta_{i}^{t}$. This process continues until the global model reaches convergence.

Backdoor attacks in FL. Empirical evidence has shown that FL is vulnerable to backdoor attacks [14, 4, 46, 48, 54, 9, 52, 37, 23] due to its lack of access to local training data [4]. For instance, Projected Gradient Descent (PGD) attack [46] periodically projects the local model onto a small sphere centered around the global model from the previous training round, with a predefined radius. Distributed Backdoor Attack (DBA) [48] decomposes the centralized trigger into several smaller, distributed local triggers. Each poisoned client uses one of these local triggers, but during testing, the adversary injects the full trigger into the test samples. Recently, research has focused on trigger-optimization backdoor attacks [52, 9, 37, 29, 1], which aim to search optimized triggers to enhance the effectiveness and stealthiness.

Defending against backdoor attacks in FL. Generally, based on how defense methods mitigate the impact of malicious updates, existing defense methods can be categorized into filtering-based methods [6, 42, 7, 22, 19, 36, 50, 51] and influence-reduction methods [40, 41, 11, 38, 20].

1) influence-reduction methods aim to integrate all model updates but employ strategies to reduce the impact of malicious updates. For instance, RFA [40] is proposed to use the geometric median of local models as the aggregation result, under the assumption that malicious models significantly deviate from benign models. Foolsgold [11] assumes that the malicious updates are consistent with each other. It assigns aggregation weights to model updates based on the maximum Cosine similarity between the last layers of pairwise model updates. A higher Cosine similarity value indicates a higher probability that the updates are malicious, leading to smaller aggregation weights being assigned. The effectiveness of influence-reduction methods is inherently limited because they cannot eliminate the impact of malicious activity, leading to a significant risk of compromise.

2) Filtering-based methods aim to detect and remove malicious local model updates before aggregation thus attempting to achieve the highest robustness. For example, Multi-Krum [6] selects the multiply reliable local model updates for aggregation by identifying the one with the smallest sum of squared Euclidean distances to all other updates. Multi-Metrics [19] explores the combination of Manhattan distance, Euclidean distance, and Cosine similarity for each update to collaboratively filter out outliers. However, due to the dual objectives of backdoor attacks—that is, maintaining accuracy on the main task while maximizing accuracy on the backdoor task—malicious updates must mimic benign model updates, important weights for the main task typically have large values and can dominate the magnitude of a model update. As a result, magnitude-based detection methods become ineffective against backdoor attacks. Additionally, methods that rely solely on Cosine similarity also show limited effectiveness since they capture general directional alignment and overlook finer-grained information.

Our method, AlignIns, detailed in Algorithm 1, mitigates the impact of malicious updates through a two-step process. First, direction alignment inspection is applied to examine each local model update comprehensively in terms of direction. Second, post-filtering model clipping is used to further enhance the robustness of AlignIns on defending potential magnitude-based attack methods before final aggregation.

Direction alignment inspection. Existing defense methods against backdoor attacks in FL primarily focus on examining the magnitude (e.g., Manhattan distance and Euclidean distance) and the overall direction (e.g., Cosine similarity) of model updates. However, backdoor attacks are designed to maintain the main task accuracy, making the magnitude difference between malicious and benign updates nearly indistinguishable. Additionally, advanced attacks such as PGD [46] and Lie [5] attacks are specifically crafted to bypass magnitude-based defenses. Therefore, AlignIns focuses on direction-based analysis to identify suspect updates, using two processes described below.

1) Temporal direction alignment checking: Since malicious clients need to maintain both the main task and the backdoor task, the optimization direction of a malicious local model tends to deviate from that of benign models. AlignIns leverages this deviation and performs a Temporal Direction Alignment ($\mathrm{TDA}$) checking, which calculates the Cosine similarity between a local update and the latest global model (algorithm 1 in Algorithm 1) to assess the general alignment level of each local update. Formally, the $\mathrm{TDA}$ value $\omega_{i}$ of a local model update $\Delta_{i}^{t}$ is calculated as

We use local model updates rather than local models because our goal is to measure how closely each client’s updates align with the direction of the global model. Local model updates specifically capture these incremental adjustments. Notably, malicious clients tend to exhibit similar $\mathrm{TDA}$ values, which differ from those of benign clients, creating an opportunity for detection. It is important to note that while the magnitude of model updates typically decreases as the global model converges, the $\mathrm{TDA}$ value does not follow the same trend. Consequently, magnitude-based anomaly detection becomes progressively less effective throughout training due to the decreasing magnitude. In contrast, the variability in $\mathrm{TDA}$ values continues to be useful for identifying malicious behavior.

2) Masked principal sign alignment checking: In backdoor attacks where the manipulations are stealthy, subtle malicious directional information can easily blend into the parameters of models with large magnitude, especially for models with large dimensions, which makes the $\mathrm{TDA}$ less useful under strong backdoor attacks since the $\mathrm{TDA}$ captures the overall directional information. Therefore, in addition to the $\mathrm{TDA}$, we look into the signs of parameters to provide a finer-grained directional assessment of local model updates. The signs of a vector represent its coordinate-wise direction. In the context of backdoor attacks, the distributions of the signs of malicious model updates differ from those of benign updates. This is particularly significant when the model is close to convergence, at which point the magnitude of model updates becomes very small, making large manipulations on magnitudes impractical. Therefore, manipulation of the direction, or the signs of parameters, can emerge as a more significant and effective strategy. Several works also utilize the signs of models for enhancing backdoor robustness. For example, RLR [38] assigns an opposite global learning rate to a coordinate of the averaged model update if the signs on this coordinate do not consistently align with the majority across all updates. SignGuard [49] calculates the proportions of positive, zero, and negative signs for each model update as the input of a clustering algorithm to identify malicious model updates. However, these methods utilize the signs of all parameters in the model update, regardless of their significance. Consequently, the performance of sign-based metrics can be significantly impacted by those many unimportant parameters, especially for large DNN models, leading to an inaccurate representation of the model update’s direction.

To this end, AlignIns utilizes a Masked Principle Sign Alignment ($\mathrm{MPSA}$) checking to inspect the sign alignment degree between the important parameters of each local update and a well-designed principle sign of all local updates. Specifically, to construct the principle sign over local updates, for each coordinate of local updates, we take the majority of the signs across all model updates as the principal sign of this coordinate, which can be mathematically formulated as $p:=\operatorname{sgn}\left(\sum_{i=1}^{n}\operatorname{sgn}(\Delta_{i}^{t})\right),$ where $p\in\mathbb{R}^{d}$ represents the vector of principal signs and $\operatorname{sgn}(\cdot)$ is the function to take the signs of a vector. Note that the principal sign represents sign-voting results for each coordinate, making it stand for the major direction/dynamic for each coordinate. With this principle sign over local updates, we inspect the alignment of the signs of important parameters of each model update with it. More specifically, we use a Top-$k$ indicator defined as follows to identify the $k$ most important parameters that have the largest absolute values in a vector.

The Top-$k$ indicator $\mathrm{Top_{k}}(\cdot)$ takes each local model update as input and outputs a mask vector in which each element is either 1 or 0 with the same size as the input. To quantify the alignment in sign distributions of each local model update and the principle sign, we define the Sign Alignment Ratio ($\mathrm{SAR}$) as follows.

Here, $\rho\in[0,1]$ and a larger $\rho$ indicate a higher degree of alignment between the signs of $x$ and $y$. Combining $\mathrm{Top_{k}}(\cdot)$ and $\mathrm{SAR}$, we have the $\mathrm{MPSA}$ value $\rho_{i}$ for local update $\Delta^{t}_{i}$ formulated as follows:

where $\odot$ is the Hadamard product, $\operatorname{sgn}(\Delta_{i}^{t})-p$ computes a sign difference vector, capturing the difference between the sign of $\Delta_{i}^{t}$ and the principal reference sign $p$. Since $\mathrm{MPSA}$ checking focuses on the important parameters, this difference vector is element-wise multiplied with the Top-$k$ mask derived from $\Delta_{i}^{t}$, effectively setting unimportant coordinates to zero. The $L_{0}$-norm is then applied to count the not-aligned elements and with the masking parameter $k$ to ultimately determine the $\mathrm{SAR}$. $\mathrm{MPSA}$ checking effectively reveals malicious local updates by combining both magnitude and directional information from model updates, allowing for clear differentiation between malicious and benign updates. AlignIns calculates the $\mathrm{MPSA}$ value for each update with the principal sign iteratively (algorithm 1–1) and forward them to the following anomaly detection process.

3) Efficient anomaly detection with $\mathrm{MZ\_score}$: W apply robust filtering to remove updates with abnormal $\mathrm{TDA}$ and $\mathrm{MPSA}$ values. Specifically, we use the robust standardization metric named the Median-based Z-score ($\mathrm{MZ\_score}$) [50, 51], detailed in Definition 3, which is a variant of the traditional Z-score standardization metric.

$\mathrm{MZ\_score}$ calculates the number of standard deviations an element is from the median, which may be either positive or negative. In AlignIns, the $\mathrm{MZ\_score}$s for $\mathrm{TDA}$ and $\mathrm{MPSA}$ values are computed for each local update (algorithm 1–1). Those with high absolute $\mathrm{MZ\_score}$s (i.e., outliers) are excluded using two predetermined filtering radii: $\lambda_{c}$ for $\mathrm{TDA}$ and $\lambda_{s}$ for $\mathrm{MPSA}$ (algorithm 1–1). The use of the $\mathrm{MZ\_score}$ allows for the adaptation to the varying range of $\mathrm{TDA}$ and $\mathrm{MPSA}$ values during training, requiring only minimal hyper-parameters. Additionally, by configuring $\lambda_{c}$ and $\lambda_{s}$, we can manage the trade-off between the robustness and main task accuracy of AlignIns. For example, when robustness is the primary concern in the FL, choosing small $\lambda_{c}$ and $\lambda_{s}$ values is essential to attain the highest robustness.

Post-filtering model clipping. After filtering, the remaining clients, considered benign, are included in the set $\mathcal{S}$ (algorithm 1) and contribute to the model averaging process. However, since our filtering primarily focuses on the direction of model updates (although $\mathrm{MPSA}$ does consider magnitude when using the Top-$k$ indicator), there is a risk that it might overlook updates with large magnitudes, such as those updates generated by Scaling attack [4]. To this end, AlignIns re-scales model updates in $\mathcal{S}$ by using the median of the $L_{2}$-norms of these updates as a clipping threshold and aggregates the clipped model updates as the global model update $\widetilde{\Delta}$ (algorithm 1–1). It is worth noting that performing clipping before filtering does not affect the filtering results. However, clipping after filtering enhances robustness, as the clipping threshold is more likely determined by benign updates. We discuss the computational cost of AlignIns and compare it with other baselines in Appendix Section 12.

In this section, we conduct a theoretical analysis of the robustness of AlignIns, as well as its propagation error in FL. Before presenting our theoretical results, we make the following assumptions. Note that Assumption 1–2 are commonly used in the theoretical analysis of distributed learning systems [18, 49, 34]. Assumption 3 states a standard measure of inter-client heterogeneity in FL [2, 21, 8]. This heterogeneity complicates the problem of FL with backdoor adversaries, as it may cause the server to confuse malicious updates with flawed model updates from benign clients holding outlier data points [2].

Note that these assumptions apply to benign clients only since malicious clients do not need to follow the prescribed local training protocol of FL.

Datasets: In our experiments, we primarily use CIFAR-10 [24] and CIFAR-100 [24] datasets to evaluate the performance of various defense methods. Additionally, we present the superior performance of AlignIns on other benchmark datasets (MNIST [25], FMNIST [47], and Sentiment140 [12]) in Appendix Section 10.6. For all datasets, we simulate a cross-silo FL system with $20$ clients. Additionally, we also present the superior performance of AlignIns on a cross-device FL system with $100$ clients and client sampling. We consider both IID and non-IID settings. For IID settings, we distribute the training data evenly to local clients. For non-IID settings, we follow [17, 20, 19] to use Dirichlet distribution $Dir(\beta)$ to simulate the non-IID settings with a default non-IID degree $\beta=0.5$.

Learning Settings: We use SGD as the local solver, with the initial learning rates set as $\alpha=1.0$ and $\eta=0.1$ and the number of local training epochs set as $2$. The number of training rounds is set as $T=100$ for CIFAR-100 and $T=150$ for CIFAR-10. For AlignIns, the default filtering radii are set as $\lambda_{c}=1.0$ and $\lambda_{s}=1.0$. We conduct extensive experiments to study the impact of filtering radii and present results and analysis in Appendix Section 11. The default masking parameter is set as $k=0.3\times d$, where $d$ is the model dimension so that the Top-$30$% of model parameters are used for the $\mathrm{MPSA}$ checking.

Evaluated Attack Methods: We consider $5$ SOTA backdoor attacks, including Badnet [14], DBA [48], Scaling [4], PGD [46], and Neurotoxin [54]. We provide the detailed attack model and settings for attack methods in Appendix Section 8.1–8.2. We present the empirical performance of AlignIns under the strong trigger-optimization attack [9] in Appendix Section 10.3. Moreover, we study the potential adaptive attacks tailored to AlignIns and untargeted attacks [49] in Appendix Section 10.4–10.5, although these are beyond the primary scope of this work. To simulate effective backdoor attacks (achieving a BA over $60\%$ [22]), the malicious client will poison $r=50\%$ of its local data, where $r$ represents the data poisoning ratio. The attack ratio is set to $20$% by default, which means $20$% of the clients in the system are malicious. Experiments of AlignIns on defending backdoor attacks with various attack ratios are given in Appendix Section 10.7.

Evaluated Defense Methods: We present the detailed defense model in Appendix Section 9. We comprehensively compare AlignIns with the non-robust baseline FedAvg and six existing SOTA defense methods, including RLR [38], RFA [40], Multi-Krum (MKrum) [6], Foolsgold [11], Multi-Metric (MM) [19], and Lockdown [20]. Additionally, we compare our approach with an ideally perfect filtering-based robust aggregation, FedAvg*, which is assumed to perfectly identify and remove all malicious updates and average all the benign updates to update the global model.

Evaluation Metrics: We use three metrics to evaluate the performance of defense methods, including main task accuracy (MA), which measures the percentage of clean test samples that are accurately classified to their ground truth labels by the global model; backdoor attack accuracy (BA), which measures the percentage of triggered samples that are misclassified to the target label by the global model; and robustness accuracy (RA), which measures the percentage of triggered samples that are accurately classified to their ground-truth labels by the global model, despite the presence of the trigger. A good defense method should achieve high MA and RA and low BA.

Main results in IID setting. In Table 1, we report the performance of various defense methods under no attack (denoted by “Clean”), Badnet, DBA, and Neurotoxin attacks for IID CIFAR-10 and CIFAR-100. The best results are highlighted in bold font, and the second best results are underlined. Overall, AlignIns demonstrates superior performance compared with other baselines as it achieves the best average BA and RA over three attack methods. Specifically, for CIFAR-10, while RLR offers a satisfactory degree of robustness (an average BA of $2.89\%$), it suffers from a notable decline in RA, with an average reduction of $49.74\%$ in comparison to AlignIns. This drop results from RLR’s strategy of flipping the global learning rate for parameters in the aggregated model update that are inconsistent with the majority’s sign, consequently resulting in the loss of benign local parameters. AlignIns, however, demonstrates outstanding performance with consistently low BA and high RA, ranking first or second among its counterparts. Notably, compared to the second-best results, AlignIns achieves an average improvement of $+0.68\%$ in BA and $+5.36\%$ in RA. Similarly, superior results are observed in CIFAR-100 experiments, where AlignIns significantly outperforms other methods in both BA and RA. These results underscore AlignIns’ effectiveness as a promising defense method for protecting FL from various backdoor attacks, significantly enhancing the trustworthiness of FL systems.

Effectiveness under various Non-IID degrees. We examine the defense performance of AlignIns across various degrees of non-IIDness, a factor that significantly complicates backdoor defense. Figure 1 presents the RA of AlignIns under different non-IID conditions on the CIFAR-10 dataset, compared with Lockdown, RFA, and RLR. The experiments were conducted using the Neurotoxin attack, with both a default attack ratio of $20\%$ and a higher attack ratio of $30\%$. The Dirichlet parameter $\beta$ varies from $0.1$ to $1.0$, where a smaller $\beta$ suggests a more intense non-IIDness. We observe that only AlignIns consistently attains robustness against strong Neurotoxin attacks with a varying $\beta$. Specifically, as $\beta$ increases, the RA of AlignIns, Lockdown, and RLR increases correspondingly. However, AlignIns outperforms them with a consistently higher RA. When the attack ratio rises to $30\%$, RLR, RFA, and Lockdown fail to provide satisfactory robustness. However, our method AlignIns still demonstrates its robustness under various non-IIDness, even in an extremely non-IID case when $\beta=0.1$. AlignIns is designed to examine the alignment of model updates on important parameters only, hence, it mitigates the challenge of identifying malicious model updates in non-IID settings where updates are heterogeneous, thereby achieving superior performance in even extreme non-IID settings compared with existing methods. We also provide more comprehensive results of AlignIns and other baselines on non-IID datasets in Appendix Section 10.1.

Effectiveness of AlignIns in cross-device FL with client sampling. While most of our experiments focus on the cross-silo FL setting, evaluating the cross-device FL scenario is also essential given the large number of clients involved. For this purpose, we simulate a cross-device FL environment with $100$ clients, where the server randomly selects $20$ clients per round for training. We conduct experiments on IID and non-IID CIFAR-10 cases using Foolsgold, Lockdown, RLR, and AlignIns and summarize the MA, BA, and RA results in Table 2. The results show that both Foolsgold and Lockdown completely lose their effectiveness in both cases, achieving an average RA of nearly $0.00\%$. RLR achieves a moderate level of backdoor robustness but at the cost of main task accuracy, with an average MA of only $49.19\%$. In contrast, AlignIns performs robustly in the cross-device FL setting, achieving a significantly lower BA in both IID ($0.92\%$) and non-IID ($1.90\%$) cases compared with other methods. Furthermore, AlignIns achieves an average RA of $79.28\%$. These results highlight AlignIns’s ability to maintain both accuracy and robustness in challenging cross-device FL scenarios, underscoring its adaptability and effectiveness in real-world applications.

Ablation study of AlignIns. As AlignIns consists of two alignment components ($\mathrm{TDA}$ and $\mathrm{MPSA}$) to improve backdoor robustness, we conduct a detailed ablation study to investigate how each component functions. Experimental results on IID and non-IID CIFAR-10 datasets under Badnet attack are summarized in Table 3. (i) Component ablation. We observe that using $\mathrm{MPSA}$ or $\mathrm{TDA}$ alone in IID scenarios only slightly reduces robustness compared to AlignIns, as benign updates follow consistent patterns that enable effective detection by a single metric. In non-IID settings, however, where local updates diverge, neither $\mathrm{MPSA}$ nor $\mathrm{TDA}$ alone provides sufficient robustness. When combined, $\mathrm{MPSA}$ and $\mathrm{TDA}$ improve BA and RA from $94.07\%$ and $5.79\%$ to $47.04\%$ and $45.30\%$, respectively, showing their complementary strengths. AlignIns further enhances robustness by integrating $\mathrm{MPSA}$, $\mathrm{TDA}$, and post-filtering model clipping, which normalizes benign update magnitudes and improves malicious update detection, yielding the highest average RA. (ii) Masking parameter $k$ ablation. We try to involve more non-essential parameters in the $\mathrm{MPSA}$ checking by using the Top-$50$%$/70$% of parameters to calculate $\mathrm{MPSA}$ values. By doing so, the effectiveness of malicious identification is reduced. In contrast, when using the Top-$30$% of parameters, compared to the Top-$50$% case, BA and RA are improved by $+30.89\%$ and $+25.34\%$, respectively. This demonstrates the effectiveness of focusing important parameters when calculating $\mathrm{MPSA}$ in improving the filtering accuracy, especially in non-IID cases. (iii) Variance reduction method further enhances robustness. Our theoretical results reveal the impact of variance reduction techniques on improving the robustness of AlignIns and reducing the propagation error of AlignIns in FL, we additionally test a variant of AlignIns named “AlignIns⁺”, in which local SGD with momentum is used to reduce the local gradient variance with momentum coefficient $0.1$. AlignIns⁺ achieves a slightly better performance than AlignIns, verifying our theoretical results.

This paper introduces a novel defense method AlignIns to defend against backdoor attacks in FL. AlignIns examines each model update’s direction at different granularity levels, thus effectively identifying stealthy malicious local model updates and filtering them out to avoid them participating in aggregation in FL to enhance robustness. We provide a theoretical analysis of AlignIns’ robustness and its impact on propagation errors in FL. Extensive experiments demonstrate the effectiveness of AlignIns, with results showing that it outperforms SOTA defense methods against various advanced attacks.

In this work, we assume the server to be the defender. i) Defender’s goal. As stated in [7], an ideal defense method against poisoning attacks in FL should consider the following three aspects: Fidelity, Robustness, and Efficiency. To ensure fidelity, the defense method does not significantly degrade the global model’s performance on benign inputs, thus preserving its effectiveness. For robustness, the defense method should successfully mitigate the impact of malicious model updates, limiting the global model’s malicious behavior on triggered inputs. Regarding efficiency, the defense method should be computationally efficient, ensuring that it does not hinder the overall efficiency of the training process. In this work, we assume that the server aims to achieve the highest level of robustness by removing all malicious updates without significant computational complexity and accuracy degradation on benign inputs. ii) Defender’s capability. In FL, the server has no access to the local datasets of clients, but it has the global model and all the local model updates. We assume the server has no prior knowledge of the number of malicious clients. We also assume that each client transmits their local update anonymously, making the actions of individual clients untraceable. Additionally, the server does not know the specifics of backdoor attacks, such as the type of trigger involved. To defend against backdoor attacks, the server will apply a robust aggregation rule $F$ to the local model updates received from clients and generate an aggregated model update at each training round.

Here, we dive into the impact of different configurations of filtering radii, $\lambda_{s}$ and $\lambda_{c}$, on the efficacy of AlignIns. A smaller $\lambda_{s}$ or $\lambda_{c}$ indicates more stringent filtering and results in a smaller benign set for aggregation. We conduct the experiments on non-IID CIFAR-10 and CIFAR-100 datasets under Badnet and PGD attacks. The results, as detailed in Table 10, show the ideal configurations of $\lambda_{s}$ and $\lambda_{c}$ that effectively balance the filtering intensity while maximizing the robustness of the model. Specifically, for CIFAR-10 dataset, the optimal RA is attained when $\lambda_{s}$ and $\lambda_{c}$ are both set to $1.0$ under both Badnet and PGD attacks, suggesting an ideal level of filtering intensity. A reduction in either $\lambda_{s}$ or $\lambda_{c}$ leads to a slight drop in RA, implying that some benign updates may be erroneously discarded due to an overly stringent filtering radius. In contrast, when $\lambda_{s}$ and $\lambda_{c}$ are increased to $2.0$, there’s a significant decline in AlignIns’ RA, due to the excessively permissive filtering threshold. As for CIFAR-100 dataset, AlignIns’ performance remains stable against variations in both radii. Specifically, under the Badnet attack, AlignIns performs best when both radii are at $2.0$, while for the PGD attack, the radii at $1.0$ are most effective. This is mainly because PGD attack limits the large malicious model update changes, conducting a more stealthy attack than Badnet. By doing so, it makes the malicious model updates more similar to benign ones, leading to a smaller filter radius.

We compare the computational cost of AlignIns with other counterparts. AlignIns calculates the $\mathrm{MPSA}$ metric using the Top-$k$ indicator, incurring a complexity of $O(d\log d)$ due to the use of sorting algorithms like merge sort in the parameter space of the local update. As a result, the total computational expense of AlignIns in the worst-case scenario is $O(nd\log d)$. Nonetheless, we argue that the computational burden of AlignIns is comparable with several robust aggregation methods such as Krum and MKrum, both of which have a complexity of $O(dn^{2})$, the Coordinate-wise median with $O(dn)$, and Trmean at $O(dn\log n)$. Each method shows a linear dependency on $d$, which can be considerably large in modern deep neural networks (i.e., $d\gg n$), and thus is the predominant factor in computational complexity. Empirically, AlignIns imposes minimal computational overhead on the server side ($0.13$ seconds per round), compared to $4.02$ seconds for another filtering-based method MM. Other methods like Lockdown introduce additional computational overhead on local clients, which is undesirable in many scenarios.