Robust Federated Learning for Ubiquitous Computing through Mitigation of Edge-Case Backdoor Attacks

Abstract

Federated Learning (FL) allows several data owners to train a joint model without sharing their training data. Such a paradigm is useful for better privacy in many ubiquitous computing systems. However, FL is vulnerable to poisoning attacks, where malicious participants attempt to inject a backdoor task in the model at training time, along with the main task that the model was initially trained for. Recent works show that FL is particularly vulnerable to edge-case backdoors introduced by data points with unusual out-of-distribution features. Such attacks are among the most difficult to counter, and today's FL defense mechanisms usually fail to tackle them. In this paper, we present ARMOR, a defense mechanism that leverages adversarial learning to uncover edge-case backdoors. In contrast to most of existing FL defenses, ARMOR does not require real data samples and is compatible with secure aggregation, thus, providing better FL privacy protection. ARMOR relies on GANs (Generative Adversarial Networks) to extract data features from model updates, and uses the generated samples to test the activation of potential edge-case backdoors in the model. Our experimental evaluations with three widely used datasets and neural networks show that ARMOR can tackle edge-case backdoors with 95% resilience against attacks, and without hurting model quality.