GAN-inspired Defense Against Backdoor Attack on Federated Learning Systems

dc.contributor.author: Sundar, Agnideven Palanisamy
dc.contributor.author: Li, Feng
dc.contributor.author: Zou, Xukai
dc.contributor.author: Gao, Tianchong
dc.contributor.author: Hosler, Ryan
dc.contributor.department: Computer Science, Luddy School of Informatics, Computing, and Engineering
dc.date.accessioned: 2025-03-28T19:56:47Z
dc.date.available: 2025-03-28T19:56:47Z
dc.date.issued: 2023-09
dc.description.abstract: Federated Learning (FL) provides an opportunity for clients with limited data resources to combine and build better Machine Learning models without compromising their privacy. But aggregating contributions from various clients implies that the errors present in some clients’ resources will also get propagated to all the clients through the combined model. Malicious entities leverage this negative factor to disrupt the normal functioning of the FL system for their gain. A backdoor attack is one such attack where the malicious entities act as clients and implant a small trigger into the global model. Once implanted, the model performs the attacker-desired task in the presence of the trigger but acts benignly otherwise. In this paper, we build a GAN-inspired defense mechanism that can detect and defend against the presence of such backdoor triggers. The unavailability of labeled benign and backdoored models has prevented researchers from building detection classifiers. We tackle this problem by utilizing the clients as Generators to construct the required dataset. We place the Discriminator on the server-side, which acts as a backdoored model detecting binary classifier. We experimentally prove the proficiency of our approach with the image-based non-IID datasets, CIFAR10 and CelebA. Our prediction probability-based defense mechanism successfully removes all the influence of backdoors from the global model.
dc.eprint.version: Author's manuscript
dc.identifier.citation: Sundar, A. P., Li, F., Zou, X., Gao, T., & Hosler, R. (2023). GAN-inspired Defense Against Backdoor Attack on Federated Learning Systems. 2023 IEEE 20th International Conference on Mobile Ad Hoc and Smart Systems (MASS), 452–460. https://doi.org/10.1109/MASS58611.2023.00063
dc.identifier.uri: https://hdl.handle.net/1805/46649
dc.language.iso: en
dc.publisher: IEEE
dc.relation.isversionof: 10.1109/MASS58611.2023.00063
dc.relation.journal: 2023 IEEE 20th International Conference on Mobile Ad Hoc and Smart Systems (MASS)
dc.rights: Publisher Policy
dc.source: Author
dc.subject: federated learning
dc.subject: GAN-inspired defense mechanism
dc.subject: backdoor triggers
dc.title: GAN-inspired Defense Against Backdoor Attack on Federated Learning Systems
dc.type: Article
Files
Original bundle
Name: Zou2023GAN-inspired-AAM.pdf
Size: 433.83 KB
Format: Adobe Portable Document Format
License bundle
Name: license.txt
Size: 2.04 KB
Format: Item-specific license agreed upon to submission