FedBAP: Backdoor Defense via Benign Adversarial Perturbation in Federated Learning

📅 2025-07-26
🤖 AI Summary
Federated learning (FL) is vulnerable to backdoor attacks, and existing defenses are limited because they neglect models' over-reliance on triggers. To address this, we propose a novel defense framework based on benign adversarial perturbations. First, we design a perturbation-triggering mechanism that generates benign adversarial examples semantically aligned with the backdoor. Second, we introduce an adaptive scaling mechanism that dynamically modulates perturbation intensity to suppress backdoor dependency while preserving model accuracy. Our method integrates seamlessly into the FL training pipeline without modifying clients' local update procedures. Extensive experiments demonstrate that it reduces attack success rates by 0.22–5.34%, 0.48–6.34%, and 97.22–97.6% against three representative backdoor attacks, respectively. Moreover, it exhibits strong generalization against unseen backdoor patterns. Overall, our approach significantly enhances the robustness of FL systems against backdoor threats.

📝 Abstract
Federated Learning (FL) enables collaborative model training while preserving data privacy, but it is highly vulnerable to backdoor attacks. Most existing defense methods in FL have limited effectiveness due to their neglect of the model's over-reliance on backdoor triggers, particularly as the proportion of malicious clients increases. In this paper, we propose FedBAP, a novel defense framework for mitigating backdoor attacks in FL by reducing the model's reliance on backdoor triggers. Specifically, first, we propose a perturbed trigger generation mechanism that creates perturbation triggers precisely matching backdoor triggers in location and size, ensuring strong influence on model outputs. Second, we utilize these perturbation triggers to generate benign adversarial perturbations that disrupt the model's dependence on backdoor triggers while forcing it to learn more robust decision boundaries. Finally, we design an adaptive scaling mechanism to dynamically adjust perturbation intensity, effectively balancing defense strength and model performance. The experimental results demonstrate that FedBAP reduces the attack success rates by 0.22%-5.34%, 0.48%-6.34%, and 97.22%-97.6% under three types of backdoor attacks, respectively. In particular, FedBAP demonstrates outstanding performance against novel backdoor attacks.
Problem

Research questions and friction points this paper is trying to address.

Defends against backdoor attacks in Federated Learning
Reduces model reliance on backdoor triggers
Balances defense strength and model performance
Innovation

Methods, ideas, or system contributions that make the work stand out.

Generates perturbed triggers matching backdoor triggers
Uses benign adversarial perturbations for robust learning
Adaptively scales perturbation intensity dynamically
Xinhai Yan
School of Cyber Science and Engineering, Wuhan University
Libing Wu
Wuhan University
Zhuangzhuang Zhang
School of Cyber Science and Engineering, Wuhan University
Bingyi Liu
Professor, Department of CS and AI, Wuhan University of Technology
Internet of Vehicles, Edge Computing, Autonomous Vehicles, Intelligent Transportation Systems
Lijuan Huo
School of Cyber Science and Engineering, Wuhan University
Jing Wang
School of Software Engineering, Huazhong University of Science and Technology