Knowledge Distillation Based Defense for Audio Trigger Backdoor in Federated Learning

The applications of Automatic Speech Recognition (ASR) on Internet-of-Things (IoT) devices have increased significantly in recent years, and Federated Learning (FL) is often used to improve ASR performance since its decentralized training mechanism ensures users' data privacy. However, FL is vulnerable to various attacks. The most challenging one to detect and defend against is trigger backdoor attack. Adversaries inject the trigger into the training audio data and participate in the FL training, causing the converged global model to mispredict the poisoned data. Unlike previous defense methods filtering suspicious models during model aggregation, we propose the Knowledge Distillation Defense Framework (KDDF) to detect and remove features of the potential triggers during the inference. KDDF utilizes Knowledge Distillation (KD) to train a validation model on each IoT device, which is used to identify suspicious data. Then, KDDF would try to eliminate the injected trigger during the model inference if the data is suspicious. Experimental results show that KDDF can effectively distinguish between benign and suspicious data and recover the classification results of suspicious data.