FLAME: Taming Backdoors in Federated Learning

Thien Duc Nguyen*, Phillip Rieger, Huili Chen, Hossein Yalame, Helen Möllering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, Azalia Mirhoseini, Shaza Zeitouni, Farinaz Koushanfar, Ahmad Reza Sadeghi, Thomas Schneider

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionScientificpeer-review

5 Citations (Scopus)
7 Downloads (Pure)

Abstract

Federated Learning (FL) is a collaborative machine learning approach allowing participants to jointly train a model without having to share their private, potentially sensitive local datasets with others. Despite its benefits, FL is vulnerable to so-called backdoor attacks, in which an adversary injects manipulated model updates into the federated model aggregation process so that the resulting model will provide targeted false predictions for specific adversary-chosen inputs. Proposed defenses against backdoor attacks based on detecting and filtering out malicious model updates consider only very specific and limited attacker models, whereas defenses based on differential privacy-inspired noise injection significantly deteriorate the benign performance of the aggregated model. To address these deficiencies, we introduce FLAME, a defense framework that estimates the sufficient amount of noise to be injected to ensure the elimination of backdoors. To minimize the required amount of noise, FLAME uses a model clustering and weight clipping approach. This ensures that FLAME can maintain the benign performance of the aggregated model while effectively eliminating adversarial backdoors. Our evaluation of FLAME on several datasets stemming from application areas including image classification, word prediction, and IoT intrusion detection demonstrates that FLAME removes backdoors effectively with a negligible impact on the benign performance of the models.

Original languageEnglish
Title of host publicationProceedings of the 31st USENIX Security Symposium, Security 2022
PublisherUSENIX - THE ADVANCED COMPUTING SYSTEMS ASSOCIATION
Pages1415-1432
Number of pages18
ISBN (Electronic)9781939133311
Publication statusPublished - 2022
MoE publication typeA4 Article in a conference publication
EventUSENIX Security Symposium - Boston, United States
Duration: 10 Aug 202212 Aug 2022
Conference number: 31

Conference

ConferenceUSENIX Security Symposium
Country/TerritoryUnited States
CityBoston
Period10/08/202212/08/2022

Fingerprint

Dive into the research topics of 'FLAME: Taming Backdoors in Federated Learning'. Together they form a unique fingerprint.

Cite this