ANODYNE: Mitigating backdoor attacks in federated learning

Federated learning (FL) allows participants to jointly train a model without leaking their sensitive datasets. The server is designed to have no visibility into how these updates are generated for privacy protection. Despite its benefits, FL is vulnerable to backdoor attacks, in which the compromised participants upload malicious model updates so that the backdoored model will misbehave for the chosen subtask. Existing defenses against backdoor attacks cannot handle state-of-the-art backdoor attacks that insert the backdoor in all rounds. To address these issues, we propose ANODYNE, a defense framework that hierarchically filters and clips the local model updates to mitigate the effect of backdoor attacks. ANODYNE decomposes the high- dimensional gradients into low-dimensional sub-vectors to improve detection performance and avoid the curse of dimensionality. Meanwhile, ANODYNE computes four different sub-vector metrics from a spatial-temporal perspective to enhance the robustness of our method. Our evaluation of ANODYNE on three datasets and three models demonstrates that ANODYNE competes over existing defenses under backdoor attacks.