🤖 AI Summary
In federated learning, adaptive malicious clients can inject backdoor-triggered behaviors into global models via sophisticated backdoor attacks, against which existing defenses exhibit limited efficacy. This paper proposes the Hammer-and-Anvil framework—a synergistic defense combining two orthogonally principled techniques: Krum+-based robust aggregation and gradient-statistics-based anomaly detection. We formally model a stronger class of adaptive adversaries and prove that, under reasonable parameter assumptions, the framework provides theoretical guarantees against arbitrary attacks from this class. Experiments demonstrate that state-of-the-art defenses fail under as few as one or two malicious clients, whereas Hammer-and-Anvil achieves over 95% defense success rate across diverse advanced backdoor attacks—including label-flipping, hidden-trigger, and adaptive perturbation variants—while maintaining high model utility. The framework thus significantly advances both empirical robustness and formal security assurance in federated learning.
📝 Abstract
Federated Learning is a distributed learning technique in which multiple clients cooperate to train a machine learning model. Distributed settings facilitate backdoor attacks by malicious clients, who can embed malicious behaviors into the model during their participation in the training process. These malicious behaviors are activated during inference by a specific trigger. No defense against backdoor attacks has stood the test of time, especially against adaptive attackers, a powerful but not fully explored category of attackers. In this work, we first devise a new adaptive adversary that surpasses existing adversaries in capabilities, yielding attacks that only require one or two malicious clients out of 20 to break existing state-of-the-art defenses. Then, we present Hammer and Anvil, a principled defense approach that combines two defenses orthogonal in their underlying principle to produce a combined defense that, given the right set of parameters, must succeed against any attack. We show that our best combined defense, Krum+, is successful against our new adaptive adversary and state-of-the-art attacks.
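The abstract describes chaining two defenses with orthogonal principles, a robust aggregation rule (Krum) and an anomaly check on gradient statistics. The following is an added illustration, not code from the paper, and the pipeline it builds is an assumption of this example rather than the paper's Krum+: a median-absolute-deviation filter on update norms stands in for the statistics-based detector, and standard Krum selection runs over the survivors, on a constructed round with five honest clients and two malicious ones.

```python
"""Added illustration, not the paper's code: a toy aggregation that chains
two orthogonal checks over client updates. The norm filter stands in for
gradient-statistics anomaly detection and Krum is the standard selection
rule; the combined pipeline here is assumed, not the paper's Krum+."""
import math

def l2(v):
    return math.sqrt(sum(x * x for x in v))

def norm_filter(updates, k=3.0):
    """Keep indices whose L2 norm is within k median-absolute-deviations
    of the median norm; catches boosted (scaled-up) updates."""
    norms = [l2(u) for u in updates]
    med = sorted(norms)[len(norms) // 2]
    mad = sorted(abs(n - med) for n in norms)[len(norms) // 2] or 1e-9
    return [i for i, n in enumerate(norms) if abs(n - med) / mad <= k]

def krum(updates, f):
    """Standard Krum: score each update by the summed squared distance to
    its n - f - 2 nearest peers and return the index with the lowest score;
    catches updates that point away from the honest cluster."""
    n = len(updates)
    scores = []
    for i, u in enumerate(updates):
        dists = sorted(sum((a - b) ** 2 for a, b in zip(u, v))
                       for j, v in enumerate(updates) if j != i)
        scores.append(sum(dists[:n - f - 2]))
    return min(range(n), key=scores.__getitem__)

def aggregate(updates, f):
    """Norm filter first, then Krum over the survivors; returns the index
    (in the original list) of the selected update plus the surviving set."""
    kept = norm_filter(updates)
    return kept[krum([updates[i] for i in kept], f)], kept

# Constructed round: five honest updates near [1, 1, 1, 1], one boosted
# malicious update (norm far above the honest range) and one subtle
# malicious update whose norm matches the honest ones but whose direction
# does not. Indices 5 and 6 are the malicious clients.
HONEST = [[1.00, 1.02, 0.98, 1.01], [0.99, 1.01, 1.00, 0.97],
          [1.03, 0.98, 1.01, 1.00], [0.97, 1.00, 1.02, 0.99],
          [1.01, 0.99, 0.98, 1.02]]
BOOSTED = [12.0, 12.0, 12.0, 12.0]
SUBTLE = [-1.0, -1.0, -1.0, -1.0]
UPDATES = HONEST + [BOOSTED, SUBTLE]

def demo():
    """Returns (selected index, indices surviving the norm filter)."""
    return aggregate(UPDATES, f=1)

if __name__ == "__main__":
    winner, kept = demo()
    print("survived norm filter:", kept, "selected by Krum:", winner)
```

The norm filter removes the boosted update but passes the subtle one, whose norm is unremarkable; Krum then rejects the subtle update because it sits far from every honest neighbour, which is the sense in which the two checks cover each other's blind spot.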