A Survey on Backdoor Attacks and Defenses in Federated Learning

Abstract

Abstract: Federated learning is a machine learning framework that enables participants in different fields to participate in largescale centralized model training together under the condition of protecting local data privacy. In the context of addressing the pressing issue of data silos, federated learning has rapidly emerged as a research hotspot. However, the heterogeneity of training data among different participants in federated learning also makes it more vulnerable to model robustness attacks from malicious participants, such as backdoor attacks. Backdoor attacks inject backdoors into the global model by submitting malicious model updates. These backdoors can only be triggered by carefully designed inputs and behave normally when input clean data samples, which poses a great threat to the robustness of the model. This paper presents a comprehensive review of the current backdoor attack methods and backdoor defense strategies in federated learning. Firstly, the concept of federated learning, the main types of backdoor attacks and backdoor defenses and their evaluation metrics were introduced. Then, the main backdoor attacks and defenses were analyzed and compared, and their advantages and disadvantages were pointed out. On this basis, we further discusses the challenges of backdoor attacks and backdoor defenses in federated learning, and prospects their research directions in the future.

Key words:

federated learning, backdoor attack, backdoor defense, poisoning attack, robustness

摘要： 联邦学习(federated learning, FL)是一种机器学习框架，能够使不同领域的参与者在保护本地数据隐私的条件下，共同参与大规模集中模型训练，在如今数据孤岛问题亟待解决的背景下迅速成为研究热点.然而，联邦学习中不同参与者之间训练数据具有异构性的特点，也使其更加容易受到来自恶意参与者的模型鲁棒性攻击，例如后门攻击.后门攻击通过提交恶意模型更新向全局模型注入后门，这些后门只能通过精心设计的输入触发，对模型鲁棒性造成极大的威胁.对联邦学习中目前的后门攻击方法及后门攻击的防御策略进行了全面综述.首先介绍了联邦学习的概念、后门攻击与防御的主要类型及其评价指标；然后分别对目前主要的后门攻击与防御方案进行了分析与比较，指出了它们的优势与不足；在此基础上，进一步讨论了联邦学习后门攻击与防御所面临的挑战，并展望了它们未来的研究方向.

关键词:

联邦学习, 后门攻击, 后门防御, 中毒攻击, 鲁棒性

CLC Number:

TP309

汪永好, 陈金麟, 万弘友, . 联邦学习后门攻击与防御研究综述[J]. 信息安全研究, 2025, 11(9): 778-.

References

［1］McMahan H B, Moore E, Ramage D, et al. Communicationefficient learning of deep networks from decentralized data［C］ Proc of the 20th Int Conf on Artificial Intelligence and Statistics. San Diego, CA: JMLR, 2017: 12731282［2］周传鑫, 孙奕, 汪德刚, 等. 联邦学习研究综述［J］. 网络与信息安全学报, 2021, 7(5): 7792［3］王坤庆, 刘婧, 赵语杭, 等. 联邦学习安全威胁综述［J］. 信息安全研究, 2022, 8(3): 223234［4］Nguyen T D, Nguyen T, Nguyen P L, et al. Backdoor attacks and defenses in federated learning: Survey, challenges and future research directions［J］. Engineering Applications of Artificial Intelligence, 2024, 127(A): 107166107170［5］Wang H, Sreenivasan K, Rajput S, et al. Attack of the tails: Yes, you really can backdoor federated learning［C］ Proc of the 34th Int Conf on Neural Information Processing Systems. San Diego, CA: NeurIPS, 2020: 1607016084［6］Yoo K Y, Kwak N. Backdoor attacks in federated learning by rare embeddings and gradient ensembling［C］ Proc of the 2022 Conf on Empirical Methods in Natural Language Processing. Stroudsburg, PA: ACL, 2022: 7288［7］Zhang J, Chen B, Cheng X, et al. PoisonGAN: Generative poisoning attacks against federated learning in edge computing systems［J］. IEEE Internet of Things Journal, 2021, 8(5): 33103322［8］Xie C, Huang K, Chen P Y, et al. DBA: Distributed backdoor attacks against federated learning［C］ Proc of the Int Conf on Learning Representations. Washington DC: ICLR, 2020: 10971112［9］Gong X, Chen Y, Huang H, et al. Coordinated backdoor attacks against federated learning with modeldependent triggers［J］. IEEE Network, 2022, 36(1): 8490［10］Bagdasaryan E, Vei T A, Hua Y, et al. How to backdoor federated learning［C］ Proc of the Int Conf on Artificial Intelligence and Statistics. New York: PMLR, 2020: 29382948［11］Baruch M, Baruch G, Goldberg Y. A little is enough: Circumventing defenses for distributed learning［C］ Proc of the 33rd Int Conf on Neural Information Processing Systems. San Diego, CA: NeurIPS, 2019: 86358645［12］Zhou X, Xu M, Wu Y, et al. Deep model poisoning attack on federated learning［J］. Future Internet, 2021, 13(3): 7373［13］Zhang Z, Panda A, Song L, et al. Neurotoxin: Durable backdoors in federated learning［C］ Proc of the 39th Int Conf on Machine Learning. New York: ICML, 2022: 2642926446［14］Fang P, Chen J. On the vulnerability of backdoor defenses for federated learning［C］ Proc of the 37th AAAI Conf on Artificial Intelligence. Menlo Park, CA: AAAI, 2023: 1180011808［15］Zhang Z, Cao X, Jia J, et al. FLDetector: Defending federated learning against model poisoning attacks via detecting malicious clients［C］ Proc of the 28th ACM SIGKDD Conf on Knowledge Discovery and Data Mining. New York: ACM, 2022: 25452555［16］Nguyen T D, Rieger P, Chen H, et al. FLAME: Taming backdoors in federated learning［C］ Proc of the 31st USENIX Security Symposium. Berkeley, CA: USENIX Association, 2022: 14151432［17］Rieger P, Nguyen T D, Miettinen M, et al. DeepSight: Mitigating backdoor attacks in federated learning through deep model inspection［C］ Proc of the Symp on Network and Distributed System Security. San Diego, CA: NDSS, 2022: 2428［18］Gill W, Anwar A, Gulzar M A. FedDefender: Backdoor attack defense in federated learning［C］ Proc of the 1st Int Workshop on Dependability and Trustworthiness of SafetyCritical Systems with Machine Learned Components. New York: ACM, 2023: 69［19］Kumari K, Rieger P, Fereidooni H, et al. BayBFed: Bayesian backdoor defense for federated learning［C］ Proc of the 2023 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2023: 737754［20］Zhang K, Tao G, Xu Q, et al. FLIP: A provable defense framework for backdoor mitigation in federated learning［C］ Proc of the Int Conf on Learning Representations. Washington: ICLR, 2023［21］Sun J, Li A, DiValentin L, et al. FLWBC: Enhancing robustness against model poisoning attacks in federated learning from a client perspective［C］ Proc of the 35th Conf on Neural Information Processing Systems. San Diego, CA: NeurIPS, 2021: 1261312624［22］Wang N, Xiao Y, Chen Y, et al. FLARE: Defending federated learning against model poisoning attacks via latent space representations［C］ Proc of the 2022 ACM on Asia Conf on Computer and Communications Security. New York: ACM, 2022: 946958［23］Andreina S, Marson G A, Mllering H, et al. BaFFLe: Backdoor detection via feedbackbased federated learning［C］ Proc of the 41st Int Conf on Distributed Computing Systems. Piscataway, NJ: IEEE, 2021: 852863［24］Ozdayi M S, Kantarcioglu M, Gel Y R. Defending against backdoors in federated learning with robust learning rate［C］ Proc of the AAAI Conf on Artificial Intelligence. Menlo Park, CA: AAAI, 2021: 92689276［25］Xie C, Chen M, Chen P Y, et al. CRFL: Certifiably robust federated learning against backdoor attacks［C］ Proc of the 38th Int Conf on Machine Learning. New York: PMLR, 2021: 1137211382［26］Wu C, Yang X, Zhu S, et al. Mitigating backdoor attacks in federated learning［J］. arXiv preprint, arXiv:2011.01767, 2020［27］Hao Y, Chuan M, Meng L, et al. G2uardFL: Safeguarding federated learning against backdoor attacks through attributed client graph clustering［J］. arXiv preprint, arXiv:2306.04984, 2023

[1]	. A Covert Backdoor Attack Method in Fewshot Class Incremental Learning [J]. Journal of Information Security Reserach, 2025, 11(9): 797-.
[2]	. Research of Invisible Backdoor Attack Based on Interpretability [J]. Journal of Information Security Reserach, 2025, 11(1): 21-.
[3]	. A Poisoningresistant Verifiable Secure Federated Learning Scheme #br# in IoT Perception Environments#br# [J]. Journal of Information Security Reserach, 2024, 10(9): 804-.
[4]	. Neural Network Backdoor Detection Method Based on Multilevel Measurement Difference [J]. Journal of Information Security Reserach, 2023, 9(6): 587-.