Optimally Mitigating Backdoor Attacks in Federated Learning

Federated learning (FL) is a distributed, privacy-preserving learning paradigm where a joint model is trained on private data stored on client devices. Data owners (clients) train models locally and then submit them to an aggregation server for incorporation into the joint model. Malicious clients can apply training time attacks, e.g., backdoor attacks, by submitting maliciously trained models. Prior work has shown that Differential Privacy (DP) can provide certified robustness to backdoor attacks; however, there are limited studies regarding DP parameter selection as a function of the model architecture. In this work, we show empirically that larger models (i.e., with more parameters) require stronger DP parameter settings to mitigate backdoor attacks. Furthermore, we present a framework that alters the FL training algorithm to preserve certified accuracy round-by-round and show empirically that it is superior to a model trainer selecting DP parameters ahead of time before training begins and with incomplete information about the attacker. Although tools from DP are used in our proposed framework, it is focused on backdoor attack mitigation and does not provide privacy guarantees.