pith. sign in

arxiv: 2407.09658 · v2 · submitted 2024-07-12 · 💻 cs.LG · cs.CR

BoBa: Boosting Backdoor Detection through Data Distribution Inference in Federated Learning

Zhengyuan Jiang , Xingyu Lyu , Shanghao Shi , Yang Xiao , Yimin Chen , Y. Thomas Hou , Wenjing Lou , Ning Wanga This is my paper

Pith reviewed 2026-05-23 23:07 UTC · model grok-4.3

classification 💻 cs.LG cs.CR
keywords federated learningbackdoor attacksanomaly detectiondata distribution inferencenon-IID dataclusteringvoting-based detection
0
0 comments X

The pith

BoBa detects backdoors in federated learning by inferring client data distributions then applying overlapping clusters and voting to filter malicious updates.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents BoBa as a way to make anomaly detection work in federated learning even when client data is non-IID. It first infers each client's data distribution, groups clients into clusters on that basis, and then uses an overlapping clustering scheme so that each model's trustworthiness is judged by multiple groups rather than one. A voting step inside those clusters decides whether an update is an outlier from a backdoor or simply from natural data variety. The authors show through experiments that this keeps main-task accuracy high while driving attack success rates below 0.001 across multiple attack types and settings.

Core claim

BoBa reduces the backdoor detection problem to two steps: accurate inference of client data distributions to enable clustering, followed by a voting-based decision across overlapping clusters so that a single cluster does not decide alone. The data distribution inference step supplies the grouping signal that separates natural variance from attack-induced outliers, while the overlapping design and collective voting improve robustness when data distributions differ across clients.

What carries the argument

Data distribution inference that produces client clusters, combined with overlapping cluster membership and intra-cluster voting on model updates.

If this is right

  • Anomaly detection can be applied to federated learning without assuming identical data distributions across clients.
  • Model updates can be accepted or rejected on the basis of collective cluster votes rather than global similarity scores.
  • Backdoor success can be driven below 0.001 while the main task continues to train to high accuracy under varied attack strategies.
  • Detection remains effective when each client participates in several overlapping clusters instead of a single fixed group.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same inference-plus-overlap structure could be tested on other distributed anomaly tasks such as detecting poisoned gradients in decentralized optimization.
  • If distribution inference proves reliable, the method might reduce the need for trusted validation sets that current federated defenses often require.
  • Extending the clustering to handle dynamic client arrival or departure would test whether the voting mechanism stays stable over time.

Load-bearing premise

Client data distributions can be inferred accurately enough that natural differences among benign clients do not look like the outliers produced by backdoor attacks.

What would settle it

Run the method on a federated learning task where all clients hold only clean but highly non-IID data and check whether the attack success rate stays low while the fraction of wrongly rejected updates remains small.

Figures

Figures reproduced from arXiv: 2407.09658 by Ning Wanga, Shanghao Shi, Wenjing Lou, Xingyu Lyu, Yang Xiao, Yimin Chen, Y. Thomas Hou, Zhengyuan Jiang.

Figure 1
Figure 1. Figure 1: Illustration of backdoor update recognition relying on [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Abstract of clients’ data distribution in FL systems. [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: FL system with backdoor attackers. Steps (1)(2)(3) depict the traditional FL framework while the process inside the blue [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: BoBa workflow: data distribution inference, client clustering, feature extraction, and voting-based trust evaluation and aggregation. threshold nth, we employ a removal process to balance the cluster. The removal process involves sorting the clients in the cluster based on their data class numbers in descending order (Lines 5 to 10). We then remove the client with the highest data class number by changing … view at source ↗
Figure 5
Figure 5. Figure 5: The illustration of our clustering method. [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Data distribution inference accuracy with different non [PITH_FULL_IMAGE:figures/full_fig_p010_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: Performance of representative defense strategies and [PITH_FULL_IMAGE:figures/full_fig_p011_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Performance of BoBa under adaptive attack. Left: the times each malicious client is selected (there are 5 malicious clients in the FL system); Middle: Trust scores of malicious clients; Right: Attack success rate. drops with the non-IID level, which is a common situation even in attack-free scenarios. Here the non-IID level equal to 0 implies an IID data setting. We can see that BoBa also achieves a low AS… view at source ↗
Figure 10
Figure 10. Figure 10: ASR and main task accuracy with various parameter settings. [PITH_FULL_IMAGE:figures/full_fig_p013_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: Computation time. due to malicious update injection but model randomness. We can explain the reason for the failure based on the illustrations in [PITH_FULL_IMAGE:figures/full_fig_p013_11.png] view at source ↗
read the original abstract

Federated learning, while being a promising approach for collaborative model training, is susceptible to backdoor attacks due to its decentralized nature. Backdoor attacks have shown remarkable stealthiness, as they compromise model predictions only when inputs contain specific triggers. As a countermeasure, anomaly detection is widely used to filter out backdoor attacks in FL. However, the non-independent and identically distributed (non-IID) data distribution nature of FL clients presents substantial challenges in backdoor attack detection, as the data variety introduces variance among benign models, making them indistinguishable from malicious ones. In this work, we propose a novel distribution-aware backdoor detection mechanism, BoBa, to address this problem. To differentiate outliers arising from data variety versus backdoor attacks, we propose to break down the problem into two steps: clustering clients utilizing their data distribution, and followed by a voting-based detection. We propose a novel data distribution inference mechanism for accurate data distribution estimation. To improve detection robustness, we introduce an overlapping clustering method, where each client is associated with multiple clusters, ensuring that the trustworthiness of a model update is assessed collectively by multiple clusters rather than a single cluster. Through extensive evaluations, we demonstrate that BoBa can reduce the attack success rate to lower than 0.001 while maintaining high main task accuracy across various attack strategies and experimental settings.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript proposes BoBa, a distribution-aware backdoor detection mechanism for federated learning. It addresses non-IID data challenges by inferring client data distributions to perform clustering, followed by an overlapping clustering method and voting-based detection to distinguish backdoor-induced outliers from natural data variance. The central claim is that this approach reduces attack success rate below 0.001 while preserving high main-task accuracy across various attack strategies and experimental settings.

Significance. If the result holds, the work would be significant for FL security research, as it directly targets the indistinguishability problem between benign non-IID variance and malicious updates that limits existing anomaly detectors. The overlapping-clustering idea provides a concrete mechanism for collective trustworthiness assessment and could generalize to other FL robustness tasks.

major comments (2)
  1. [Abstract] Abstract: the claim that BoBa reduces ASR to lower than 0.001 rests on 'extensive evaluations' whose methods, controls, statistical details, number of runs, and handling of adaptive attacks are not described; this prevents verification of whether the reported performance is supported.
  2. [Method] Method description (data distribution inference): the mechanism is introduced only at the level of 'propose to break down the problem into two steps' with clustering plus overlapping voting; no derivation, bound, or analysis is supplied showing that model-update statistics recover client distributions with sufficient precision to keep false-positive rates below the 0.001 threshold under strong non-IID regimes.
minor comments (1)
  1. [Abstract] Abstract: the phrase 'various attack strategies and experimental settings' is used without enumeration, which would improve clarity for readers.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. The comments correctly identify areas where the manuscript would benefit from greater detail on experimental methodology and formal analysis. We will revise the paper to address both points.

read point-by-point responses

  1. Referee: [Abstract] Abstract: the claim that BoBa reduces ASR to lower than 0.001 rests on 'extensive evaluations' whose methods, controls, statistical details, number of runs, and handling of adaptive attacks are not described; this prevents verification of whether the reported performance is supported.

    Authors: We agree the abstract is high-level and omits these specifics. The experimental section of the manuscript describes the datasets, non-IID partitioning (Dirichlet), attack types, and client counts, but does not explicitly state the number of runs or adaptive-attack protocol in one place. In revision we will (1) expand the abstract with a concise sentence on evaluation scope, (2) add a dedicated paragraph in Section 4 summarizing controls, number of independent runs (five random seeds), and how adaptive attacks were instantiated, and (3) report per-run ASR statistics. These changes will make the 0.001 claim directly verifiable without altering the reported results. revision: yes

  2. Referee: [Method] Method description (data distribution inference): the mechanism is introduced only at the level of 'propose to break down the problem into two steps' with clustering plus overlapping voting; no derivation, bound, or analysis is supplied showing that model-update statistics recover client distributions with sufficient precision to keep false-positive rates below the 0.001 threshold under strong non-IID regimes.

    Authors: The manuscript presents the inference step conceptually and supports it with empirical clustering accuracy and end-to-end detection results across non-IID regimes. No derivation or concentration bound on distribution-recovery error is provided. We will add a new subsection (likely 3.2) that (a) formalizes the mapping from update statistics to distribution estimates, (b) supplies a simple error bound under standard assumptions on gradient Lipschitzness and data heterogeneity, and (c) relates the bound to the observed false-positive rate. Additional plots measuring inference error versus Dirichlet alpha will be included to substantiate the claim that precision remains adequate for the target ASR threshold. revision: yes

Circularity Check

0 steps flagged

No circularity in derivation chain

full rationale

The paper proposes BoBa as a new backdoor detection approach that infers client data distributions to enable clustering followed by overlapping voting-based anomaly detection. No equations, fitted parameters, or derivations appear in the provided text that reduce outputs to inputs by construction. Performance claims rest on empirical evaluations rather than any self-definitional, self-citation load-bearing, or ansatz-smuggled steps. The distribution inference step is presented as a novel mechanism whose accuracy is asserted via experiments, not via a closed loop to prior fitted values or author-specific uniqueness theorems.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract only; no free parameters, axioms, or invented entities are described.

pith-pipeline@v0.9.0 · 5791 in / 986 out tokens · 21622 ms · 2026-05-23T23:07:54.591399+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Your Neighbors Know: Leveraging Local Neighborhoods for Backdoor Detection in Decentralized Learning

    cs.LG 2026-05 unverdicted novelty 7.0

    Argus detects backdoors in decentralized learning by local trigger analysis and neighbor similarity checks on consistency, with theoretical convergence guarantees and empirical reductions in attack success up to 90 points.

Reference graph

Works this paper leans on

52 extracted references · 52 canonical work pages · cited by 1 Pith paper · 5 internal anchors

  1. [1]

    Federated Learning: Strategies for Improving Communication Efficiency

    J. Kone ˇcn`y, H. B. McMahan, F. X. Yu, P. Richt ´arik, A. T. Suresh, and D. Bacon, “Federated learning: Strategies for improving communication efficiency,”arXiv preprint arXiv:1610.05492 , 2016

    work page internal anchor Pith review Pith/arXiv arXiv 2016

  2. [2]

    Communication-efficient learning of deep networks from decentralized data,

    B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” in Artificial Intelligence and Statistics (AISTATS 17) , pp. 1273– 1282, 2017

    work page 2017

  3. [3]

    Advances and open problems in federated learning,

    P. Kairouz, H. B. McMahan, B. Avent, A. Bellet, M. Bennis, A. N. Bhagoji, K. Bonawitz, Z. Charles, G. Cormode, R. Cummings, et al. , “Advances and open problems in federated learning,” arXiv preprint arXiv:1912.04977, 2019

    work page arXiv 1912

  4. [4]

    Federated Learning for Mobile Keyboard Prediction

    A. Hard, K. Rao, R. Mathews, S. Ramaswamy, F. Beaufays, S. Augen- stein, H. Eichner, C. Kiddon, and D. Ramage, “Federated learning for mobile keyboard prediction,” arXiv preprint arXiv:1811.03604 , 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  5. [5]

    Adaptive federated learning in resource constrained edge computing systems,

    S. Wang, T. Tuor, T. Salonidis, K. K. Leung, C. Makaya, T. He, and K. Chan, “Adaptive federated learning in resource constrained edge computing systems,” IEEE Journal on Selected Areas in Communica- tions, vol. 37, no. 6, pp. 1205–1221, 2019

    work page 2019

  6. [6]

    Distributed statistical machine learning in adversarial settings: Byzantine gradient descent,

    Y . Chen, L. Su, and J. Xu, “Distributed statistical machine learning in adversarial settings: Byzantine gradient descent,” Proceedings of the ACM on Measurement and Analysis of Computing Systems, vol. 1, no. 2, pp. 1–25, 2017

    work page 2017

  7. [7]

    Byzantine-resilient secure fed- erated learning,

    J. So, B. G ¨uler, and A. S. Avestimehr, “Byzantine-resilient secure fed- erated learning,” IEEE Journal on Selected Areas in Communications , 2020

    work page 2020

  8. [8]

    The hidden vulnerability of distributed learning in byzantium,

    R. Guerraoui, S. Rouault, et al., “The hidden vulnerability of distributed learning in byzantium,” in International Conference on Machine Learn- ing, pp. 3521–3530, PMLR, 2018

    work page 2018

  9. [9]

    Local model poisoning attacks to byzantine-robust federated learning,

    M. Fang, X. Cao, J. Jia, and N. Gong, “Local model poisoning attacks to byzantine-robust federated learning,” in 29th {USENIX} Security Symposium ({USENIX} Security 20), pp. 1605–1622, 2020

    work page 2020

  10. [10]

    Analyzing feder- ated learning through an adversarial lens,

    A. N. Bhagoji, S. Chakraborty, P. Mittal, and S. Calo, “Analyzing feder- ated learning through an adversarial lens,” in International Conference on Machine Learning , pp. 634–643, PMLR, 2019

    work page 2019

  11. [11]

    Differential privacy has disparate impact on model accuracy,

    E. Bagdasaryan, O. Poursaeed, and V . Shmatikov, “Differential privacy has disparate impact on model accuracy,” in Advances in Neural Information Processing Systems (NeurIPS 19), pp. 15453–15462, 2019

    work page 2019

  12. [12]

    Machine learning with adversaries: Byzantine tolerant gradient descent,

    P. Blanchard, R. Guerraoui, J. Stainer, et al. , “Machine learning with adversaries: Byzantine tolerant gradient descent,” in Advances in Neural Information Processing Systems , pp. 119–129, 2017

    work page 2017

  13. [13]

    Byzantine-robust distributed learning: Towards optimal statistical rates,

    D. Yin, Y . Chen, K. Ramchandran, and P. Bartlett, “Byzantine-robust distributed learning: Towards optimal statistical rates,” arXiv preprint arXiv:1803.01498, 2018

    work page arXiv 2018

  14. [14]

    The Hidden Vulnerability of Distributed Learning in Byzantium

    E. M. E. Mhamdi, R. Guerraoui, and S. Rouault, “The hidden vulnerability of distributed learning in byzantium,” arXiv preprint arXiv:1802.07927, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  15. [15]

    Dba: Distributed backdoor attacks against federated learning,

    C. Xie, K. Huang, P.-Y . Chen, and B. Li, “Dba: Distributed backdoor attacks against federated learning,” in International conference on learning representations, 2019

    work page 2019

  16. [16]

    A highly efficient, confidential, and continuous federated learning backdoor attack strategy,

    J. Cao and l. Zhu, “A highly efficient, confidential, and continuous federated learning backdoor attack strategy,” in 2022 14th International Conference on Machine Learning and Computing (ICMLC) , pp. 18–27, 2022

    work page 2022

  17. [17]

    Attack of the tails: Yes, you really can backdoor federated learning,

    H. Wang, K. Sreenivasan, S. Rajput, H. Vishwakarma, S. Agarwal, J.-y. Sohn, K. Lee, and D. Papailiopoulos, “Attack of the tails: Yes, you really can backdoor federated learning,” Advances in Neural Information Processing Systems, vol. 33, pp. 16070–16084, 2020

    work page 2020

  18. [18]

    Auror: Defending against poisoning attacks in collaborative deep learning systems,

    S. Shen, S. Tople, and P. Saxena, “Auror: Defending against poisoning attacks in collaborative deep learning systems,” in Proceedings of the 32nd Annual Conference on Computer Security Applications , pp. 508– 519, 2016

    work page 2016

  19. [19]

    Mitigating sybils in federated learning poisoning,

    C. Fung, C. J. Yoon, and I. Beschastnikh, “Mitigating sybils in federated learning poisoning,” arXiv preprint arXiv:1808.04866 , 2018

    work page arXiv 2018

  20. [20]

    Learning to detect malicious clients for robust federated learning,

    S. Li, Y . Cheng, W. Wang, Y . Liu, and T. Chen, “Learning to detect malicious clients for robust federated learning,” arXiv preprint arXiv:2002.00211, 2020

    work page arXiv 2002

  21. [21]

    Pdgan: A novel poisoning defense method in federated learning using generative adversarial network,

    Y . Zhao, J. Chen, J. Zhang, D. Wu, J. Teng, and S. Yu, “Pdgan: A novel poisoning defense method in federated learning using generative adversarial network,” in International Conference on Algorithms and Architectures for Parallel Processing, pp. 595–609, Springer, 2019

    work page 2019

  22. [22]

    Deepsight: Mitigating backdoor attacks in federated learning through deep model inspection,

    P. Rieger, T. D. Nguyen, M. Miettinen, and A.-R. Sadeghi, “Deepsight: Mitigating backdoor attacks in federated learning through deep model inspection,” 2022

    work page 2022

  23. [23]

    Contra: Defending against poisoning at- tacks in federated learning,

    S. Awan, B. Luo, and F. Li, “Contra: Defending against poisoning at- tacks in federated learning,” inComputer Security–ESORICS 2021: 26th European Symposium on Research in Computer Security, Darmstadt, Germany, October 4–8, 2021, Proceedings, Part I 26 , pp. 455–475, Springer, 2021

    work page 2021

  24. [24]

    Federated learning with hierarchical clustering of local updates to improve training on non-iid data,

    C. Briggs, Z. Fan, and P. Andras, “Federated learning with hierarchical clustering of local updates to improve training on non-iid data,” in 2020 International Joint Conference on Neural Networks (IJCNN) , pp. 1–9, IEEE, 2020

    work page 2020

  25. [25]

    Robust fed- erated learning in a heterogeneous environment,

    A. Ghosh, J. Hong, D. Yin, and K. Ramchandran, “Robust fed- erated learning in a heterogeneous environment,” arXiv preprint arXiv:1906.06629, 2019

    work page arXiv 1906

  26. [26]

    Shielding collaborative learning: Mitigating poisoning attacks through client-side detection,

    L. Zhao, S. Hu, Q. Wang, J. Jiang, C. Shen, X. Luo, and P. Hu, “Shielding collaborative learning: Mitigating poisoning attacks through client-side detection,” IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 5, pp. 2029–2041, 2020

    work page 2029

  27. [27]

    Crowdguard: Federated backdoor detection in federated learning,

    P. Rieger, T. Krauß, M. Miettinen, A. Dmitrienko, and A.-R. Sadeghi, “Crowdguard: Federated backdoor detection in federated learning,” Network and Distributed Systems Security Symposium NDSS , 2024

    work page 2024

  28. [28]

    An extended version of the k-means method for over- lapping clustering,

    G. Cleuziou, “An extended version of the k-means method for over- lapping clustering,” in 2008 19th International Conference on Pattern Recognition, pp. 1–4, IEEE, 2008

    work page 2008

  29. [29]

    Motif clustering and overlapping clustering for social network analysis,

    P. Li, H. Dau, G. Puleo, and O. Milenkovic, “Motif clustering and overlapping clustering for social network analysis,” in IEEE INFOCOM 2017-IEEE Conference on Computer Communications , pp. 1–9, IEEE, 2017

    work page 2017

  30. [30]

    Model-based overlapping clustering,

    A. Banerjee, C. Krumpelman, J. Ghosh, S. Basu, and R. J. Mooney, “Model-based overlapping clustering,” in Proceedings of the eleventh ACM SIGKDD international conference on Knowledge discovery in data mining, pp. 532–537, 2005

    work page 2005

  31. [31]

    How to backdoor federated learning,

    E. Bagdasaryan, A. Veit, Y . Hua, D. Estrin, and V . Shmatikov, “How to backdoor federated learning,” in International Conference on Artificial Intelligence and Statistics , pp. 2938–2948, PMLR, 2020

    work page 2020

  32. [32]

    Can you really backdoor federated learning?

    Z. Sun, P. Kairouz, A. T. Suresh, and H. B. McMahan, “Can you really backdoor federated learning?,” arXiv preprint arXiv:1911.07963, 2019

    work page arXiv 1911

  33. [33]

    Provably secure federated learning against malicious clients,

    X. Cao, J. Jia, and N. Z. Gong, “Provably secure federated learning against malicious clients,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 35, pp. 6885–6893, 2021

    work page 2021

  34. [34]

    Flare: defending federated learning against model poisoning attacks via latent 14 space representations,

    N. Wang, Y . Xiao, Y . Chen, Y . Hu, W. Lou, and Y . T. Hou, “Flare: defending federated learning against model poisoning attacks via latent 14 space representations,” in Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security , pp. 946–958, 2022

    work page 2022

  35. [35]

    Crfl: Certifiably robust fed- erated learning against backdoor attacks,

    C. Xie, M. Chen, P.-Y . Chen, and B. Li, “Crfl: Certifiably robust fed- erated learning against backdoor attacks,” in International Conference on Machine Learning , pp. 11372–11382, PMLR, 2021

    work page 2021

  36. [36]

    {FLAME}: Taming backdoors in federated learning,

    T. D. Nguyen, P. Rieger, R. De Viti, H. Chen, B. B. Brandenburg, H. Yalame, H. M ¨ollering, H. Fereidooni, S. Marchal, M. Miettinen, et al. , “ {FLAME}: Taming backdoors in federated learning,” in 31st USENIX Security Symposium (USENIX Security 22) , pp. 1415–1432, 2022

    work page 2022

  37. [37]

    The algorithmic foundations of differential privacy,

    C. Dwork et al., “The algorithmic foundations of differential privacy,” Foundations and Trends® in Theoretical Computer Science , vol. 9, no. 3–4, pp. 211–407, 2014

    work page 2014

  38. [38]

    Bristle: Decentralized federated learning in byzantine, non-iid environments,

    J. Verbraeken, M. de V os, and J. Pouwelse, “Bristle: Decentralized federated learning in byzantine, non-iid environments,” arXiv preprint arXiv:2110.11006, 2021

    work page arXiv 2021

  39. [39]

    Manipulating the byzantine: Op- timizing model poisoning attacks and defenses for federated learning,

    V . Shejwalkar and A. Houmansadr, “Manipulating the byzantine: Op- timizing model poisoning attacks and defenses for federated learning,” in NDSS, 2021

    work page 2021

  40. [40]

    Non-convex optimization for machine learning,

    P. Jain, P. Kar, et al., “Non-convex optimization for machine learning,” Foundations and Trends® in Machine Learning , vol. 10, no. 3-4, pp. 142–363, 2017

    work page 2017

  41. [41]

    BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain

    T. Gu, B. Dolan-Gavitt, and S. Garg, “Badnets: Identifying vulnera- bilities in the machine learning model supply chain,” arXiv preprint arXiv:1708.06733, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  42. [42]

    Fltrust: Byzantine-robust federated learning via trust bootstrapping,

    X. Cao, M. Fang, J. Liu, and N. Z. Gong, “Fltrust: Byzantine-robust federated learning via trust bootstrapping,” Network and Distributed Systems Security Symposium NDSS , 2021

    work page 2021

  43. [43]

    Fashion-MNIST: a Novel Image Dataset for Benchmarking Machine Learning Algorithms

    H. Xiao, K. Rasul, and R. V ollgraf, “Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms,” arXiv preprint arXiv:1708.07747, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  44. [44]

    Learning multiple layers of features from tiny images,

    A. Krizhevsky and G. Hinton, “Learning multiple layers of features from tiny images,” tech. rep., Citeseer, 2009

    work page 2009

  45. [45]

    The mnist database of handwritten digit images for machine learning research,

    L. Deng, “The mnist database of handwritten digit images for machine learning research,” IEEE Signal Processing Magazine , vol. 29, no. 6, pp. 141–142, 2012

    work page 2012

  46. [46]

    Very deep convolutional networks for large-scale image recognition,

    K. Simonyan and A. Zisserman, “Very deep convolutional networks for large-scale image recognition,” inInternational Conference on Learning Representations, 2015

    work page 2015

  47. [47]

    Imagenet classification with deep convolutional neural networks,

    A. Krizhevsky, I. Sutskever, and G. E. Hinton, “Imagenet classification with deep convolutional neural networks,” Advances in neural informa- tion processing systems , vol. 25, 2012

    work page 2012

  48. [48]

    Privacy inference-empowered stealthy backdoor attack on federated learning under non-iid scenarios,

    H. Mei, G. Li, J. Wu, and L. Zheng, “Privacy inference-empowered stealthy backdoor attack on federated learning under non-iid scenarios,” arXiv preprint arXiv:2306.08011 , 2023

    work page arXiv 2023

  49. [49]

    Baffle: Backdoor detection via feedback-based federated learning,

    S. Andreina, G. A. Marson, H. M ¨ollering, and G. Karame, “Baffle: Backdoor detection via feedback-based federated learning,” in 2021 IEEE 41st International Conference on Distributed Computing Systems (ICDCS), pp. 852–863, IEEE, 2021

    work page 2021

  50. [50]

    Ms-ptp: Protecting network timing from byzantine attacks,

    S. Shi, Y . Xiao, C. Du, M. H. Shahriar, A. Li, N. Zhang, Y . T. Hou, and W. Lou, “Ms-ptp: Protecting network timing from byzantine attacks,” in Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks , pp. 61–71, 2023

    work page 2023

  51. [51]

    Can you really backdoor federated learning?,

    A. T. Suresh, B. McMahan, P. Kairouz, and Z. Sun, “Can you really backdoor federated learning?,” 2019

    work page 2019

  52. [52]

    Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms,

    H. Xiao, K. Rasul, and R. V ollgraf, “Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms,” 2017. APPENDIX Krum [12] selects one of n received updates {δ1, ..., δn} that is similar to the remaining ones. Let di,j = ∥δi − δj∥p represent the lp norm distance between the i-th update and the j-th update. Krum first selects ( n−f ...

    work page 2017